Posted to commits@sentry.apache.org by co...@apache.org on 2016/03/15 07:43:45 UTC
[1/4] incubator-sentry git commit: SENTRY-1127: Move test cases from
sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
Repository: incubator-sentry
Updated Branches:
refs/heads/SENTRY-999 fbb906099 -> 0c0065174
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
deleted file mode 100644
index 1e97b62..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.sqoop.Connector;
-import org.apache.sentry.core.model.sqoop.Job;
-import org.apache.sentry.core.model.sqoop.Link;
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
-import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
-import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.After;
-import org.junit.Test;
-
-import com.google.common.base.Objects;
-import com.google.common.collect.HashMultimap;
-import com.google.common.collect.Multimap;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSqoopAuthorizationProviderGeneralCases {
- private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap.create();
-
- private static final Subject SUB_ADMIN = new Subject("admin1");
- private static final Subject SUB_DEVELOPER = new Subject("developer1");
- private static final Subject SUB_ANALYST = new Subject("analyst1");
- private static final Subject SUB_JOB_OPERATOR = new Subject("job_operator1");
- private static final Subject SUB_LINK_OPERATOR = new Subject("link_operator1");
- private static final Subject SUB_CONNECTOR_OPERATOR = new Subject("connector_operator1");
-
-
-
- private static final Server server1 = new Server("server1");
- private static final Connector jdbc_connector = new Connector("generic-jdbc-connector");
- private static final Connector hdfs_connector = new Connector("hdfs-connector");
- private static final Connector kafka_connector = new Connector("kafka-connector");
- private static final Connector kite_connector = new Connector("kite-connector");
- private static final Link link1 = new Link("link1");
- private static final Link link2 = new Link("link2");
- private static final Job job1 = new Job("job1");
- private static final Job job2 = new Job("job2");
-
- private static final SqoopAction ALL = new SqoopAction(SqoopActionConstant.ALL);
- private static final SqoopAction READ = new SqoopAction(SqoopActionConstant.READ);
- private static final SqoopAction WRITE = new SqoopAction(SqoopActionConstant.WRITE);
-
- private static final String ADMIN = "admin";
- private static final String DEVELOPER = "developer";
- private static final String ANALYST = "analyst";
- private static final String JOB_OPERATOR = "job1_2_operator";
- private static final String LINK_OPERATOR ="link1_2_operator";
- private static final String CONNECTOR_OPERATOR = "connectors_operator";
-
- static {
- USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList(ADMIN));
- USER_TO_GROUP_MAP.putAll(SUB_DEVELOPER.getName(), Arrays.asList(DEVELOPER));
- USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList(ANALYST));
- USER_TO_GROUP_MAP.putAll(SUB_JOB_OPERATOR.getName(),Arrays.asList(JOB_OPERATOR));
- USER_TO_GROUP_MAP.putAll(SUB_LINK_OPERATOR.getName(),Arrays.asList(LINK_OPERATOR));
- USER_TO_GROUP_MAP.putAll(SUB_CONNECTOR_OPERATOR.getName(),Arrays.asList(CONNECTOR_OPERATOR));
- }
-
- private final ResourceAuthorizationProvider authzProvider;
- private File baseDir;
-
- public TestSqoopAuthorizationProviderGeneralCases() throws IOException {
- baseDir = Files.createTempDir();
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- authzProvider = new HadoopGroupResourceAuthorizationProvider(
- SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(),
- new File(baseDir, "test-authz-provider.ini").getPath()),
- new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void doTestResourceAuthorizationProvider(Subject subject, List<? extends Authorizable> authorizableHierarchy,
- Set<? extends Action> actions, boolean expected) throws Exception {
- Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
- helper.add("Subject", subject).add("authzHierarchy", authorizableHierarchy).add("action", actions);
- Assert.assertEquals(helper.toString(), expected,
- authzProvider.hasAccess(subject, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<? extends Action> allActions = Sets.newHashSet(ALL, READ, WRITE);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,hdfs_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,jdbc_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kafka_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kite_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link1), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link2), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job1), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job2), allActions, true);
- }
-
- @Test
- public void testDeveloper() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- //developer only has the read action on all connectors
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector))
- doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
- }
-
- for (Link link : Sets.newHashSet(link1, link2)) {
- //developer has the all action on all links
- doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, link), allActions, true);
- }
-
- for (Job job : Sets.newHashSet(job1,job2)) {
- //developer has the all action on all jobs
- doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, job), allActions, true);
- }
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- //analyst has not the any action on all connectors
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector))
- doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
- }
-
- for (Link link : Sets.newHashSet(link1, link2)) {
- //analyst has the all action on all links
- doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, link), allActions, true);
- }
-
- for (Job job : Sets.newHashSet(job1,job2)) {
- //analyst has the all action on all jobs
- doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, job), allActions, true);
- }
- }
-
- @Test
- public void testJobOperator() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- for (Job job : Sets.newHashSet(job1,job2)) {
- //Job operator has the read action on all jobs
- doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), READ.equals(action));
- }
- for (Link link : Sets.newHashSet(link1, link2)) {
- doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
- }
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
- }
- }
- }
-
- @Test
- public void testLinkOperator() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- for (Link link : Sets.newHashSet(link1, link2)) {
- //Link operator has the read action on all links
- doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), READ.equals(action));
- }
- for (Job job : Sets.newHashSet(job1,job2)) {
- doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
- }
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
- }
- }
- }
-
- @Test
- public void testConnectorOperator() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
- }
- for (Job job : Sets.newHashSet(job1,job2)) {
- doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
- }
- for (Link link : Sets.newHashSet(link1, link2)) {
- doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
deleted file mode 100644
index 99eaf18..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.List;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.sqoop.Connector;
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSqoopAuthorizationProviderSpecialCases {
- private AuthorizationProvider authzProvider;
- private PolicyFile policyFile;
- private File baseDir;
- private File iniFile;
- private String initResource;
- @Before
- public void setup() throws IOException {
- baseDir = Files.createTempDir();
- iniFile = new File(baseDir, "policy.ini");
- initResource = "file://" + iniFile.getPath();
- policyFile = new PolicyFile();
- }
-
- @After
- public void teardown() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- @Test
- public void testDuplicateEntries() throws Exception {
- Subject user1 = new Subject("user1");
- Server server1 = new Server("server1");
- Connector connector1 = new Connector("c1");
- Set<? extends Action> actions = Sets.newHashSet(new SqoopAction(SqoopActionConstant.READ));
- policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
- .addRolesToGroup("group1", true, "role1", "role1")
- .addPermissionsToRole("role1", true, "server=server1->connector=c1->action=read",
- "server=server1->connector=c1->action=read");
- policyFile.write(iniFile);
- PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
- authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
- List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, connector1);
- Assert.assertTrue(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
deleted file mode 100644
index c393d0e..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNull;
-
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
-import org.junit.Test;
-
-public class TestSqoopModelAuthorizables {
-
- @Test
- public void testServer() throws Exception {
- Server server1 = (Server) SqoopModelAuthorizables.from("SERVER=server1");
- assertEquals("server1", server1.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(SqoopModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(SqoopModelAuthorizables.from("=server1"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(SqoopModelAuthorizables.from("SERVER="));
- }
-
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(SqoopModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
deleted file mode 100644
index 9611ad8..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-public class TestSqoopPolicyEngineDFS extends AbstractTestSqoopPolicyEngine {
- private static MiniDFSCluster dfsCluster;
- private static FileSystem fileSystem;
- private static Path root;
- private static Path etc;
-
- @BeforeClass
- public static void setupLocalClazz() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- File dfsDir = new File(baseDir, "dfs");
- Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
- Configuration conf = new Configuration();
- conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
- dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
- fileSystem = dfsCluster.getFileSystem();
- root = new Path(fileSystem.getUri().toString());
- etc = new Path(root, "/etc");
- fileSystem.mkdirs(etc);
- }
-
- @AfterClass
- public static void teardownLocalClazz() {
- if(dfsCluster != null) {
- dfsCluster.shutdown();
- }
- }
-
- @Override
- protected void afterSetup() throws IOException {
- fileSystem.delete(etc, true);
- fileSystem.mkdirs(etc);
- PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini");
- setPolicy(SqoopPolicyTestUtil.createPolicyEngineForTest(sqoopServerName, new Path(etc,
- "test-authz-provider.ini").toString()));
- }
-
- @Override
- protected void beforeTeardown() throws IOException {
- fileSystem.delete(etc, true);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
deleted file mode 100644
index a4a874b..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.file.PolicyFiles;
-
-public class TestSqoopPolicyEngineLocalFS extends AbstractTestSqoopPolicyEngine {
- @Override
- protected void afterSetup() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- setPolicy(SqoopPolicyTestUtil.createPolicyEngineForTest(sqoopServerName,
- new File(baseDir, "test-authz-provider.ini").getPath()));
- }
- @Override
- protected void beforeTeardown() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- FileUtils.deleteQuietly(baseDir);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
deleted file mode 100644
index 646a3c8..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSqoopPolicyNegative {
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestSqoopPolicyNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testauthorizedSqoopInPolicyFile() throws Exception {
- append("[groups]", globalPolicyFile);
- append("other_group = other_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("other_role = server=server1->connector=c1->action=read, server=server1->link=l1->action=read", globalPolicyFile);
- PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- //malicious_group has no privilege
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("malicious_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- //other_group has two privileges
- permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.size() == 2);
- }
-
- @Test
- public void testNoServerNameConfig() throws Exception {
- append("[groups]", globalPolicyFile);
- append("other_group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = connector=c1->action=read,link=l1->action=read", globalPolicyFile);
- PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerAllName() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini b/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini
deleted file mode 100644
index a4ab5d1..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini
+++ /dev/null
@@ -1,40 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-developer = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role,\
- jobs_analyst_role,links_analyst_role
-analyst = jobs_analyst_role,links_analyst_role
-connectors_operator = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role
-jobs_analyst = jobs_analyst_role
-job1_2_operator = job1_role,job2_role
-links_analyst = links_analyst_role
-link1_2_operator = link1_role,link2_role
-admin = admin_role
-
-[roles]
-admin_role = server=server1->action=*
-jdbc_connector_role = server=server1->connector=generic-jdbc-connector->action=read
-hdfs_connector_role = server=server1->connector=hdfs-connector->action=read
-kafka_connector_role = server=server1->connector=kafka-connector->action=read
-kite_connector_role = server=server1->connector=kite-connector->action=read
-jobs_analyst_role = server=server1->job=all->action=*
-job1_role = server=server1->job=job1->action=read
-job2_role = server=server1->job=job2->action=read
-links_analyst_role = server=server1->link=all->action=*
-link1_role = server=server1->link=link1->action=read
-link2_role = server=server1->link=link2->action=read
\ No newline at end of file
[3/4] incubator-sentry git commit: SENTRY-1127: Move test cases from
sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java
new file mode 100644
index 0000000..0505432
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.provider.file.PolicyFiles;
+
+public class TestSearchPolicyEngineLocalFS extends AbstractTestSearchPolicyEngine {
+
+ @Override
+ protected void afterSetup() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
+ PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini");
+ setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()));
+ }
+ @Override
+ protected void beforeTeardown() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ FileUtils.deleteQuietly(baseDir);
+ }
+}
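Review bot: `junit.framework.Assert` is the JUnit 3 assertion class, which JUnit 4 deprecates in favour of `org.junit.Assert`. The `assertNotNull` and `assertTrue` calls in `afterSetup` and `beforeTeardown` keep working unchanged with `import org.junit.Assert;`. The same import appears in the other test classes this commit adds (TestSearchPolicyNegative, AbstractTestSqoopPolicyEngine, TestServerNameRequiredMatch, TestSqoopAuthorizationProviderGeneralCases). Separately, `afterSetup` spells out the policy file name twice; a `private static final String POLICY_FILE = "solr-policy-test-authz-provider.ini";` would keep the copy and the load pointing at the same file.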
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java
new file mode 100644
index 0000000..8db1eef
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Collections;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Charsets;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSearchPolicyNegative {
+
+ @SuppressWarnings("unused")
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestSearchPolicyNegative.class);
+
+ private File baseDir;
+ private File globalPolicyFile;
+ private File otherPolicyFile;
+
+ @Before
+ public void setup() {
+ baseDir = Files.createTempDir();
+ globalPolicyFile = new File(baseDir, "global.ini");
+ otherPolicyFile = new File(baseDir, "other.ini");
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void append(String from, File to) throws IOException {
+ Files.append(from + "\n", to, Charsets.UTF_8);
+ }
+
+ @Test
+ public void testPerDbFileException() throws Exception {
+ append("[databases]", globalPolicyFile);
+ append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
+ append("[groups]", otherPolicyFile);
+ append("other_group = some_role", otherPolicyFile);
+ append("[roles]", otherPolicyFile);
+ append("some_role = collection=c1", otherPolicyFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
+ Assert.assertEquals(Collections.emptySet(),
+ policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL));
+ }
+
+ @Test
+ public void testCollectionRequiredInRole() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = some_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("some_role = action=query", globalPolicyFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testGroupIncorrect() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = collection=*", globalPolicyFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+}
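Review bot: `Files.createTempDir()` in `setup()` is Guava's helper, which later Guava releases deprecate because the directory is created with default permissions; here that directory holds the policy files the engine under test reads. On a shared build host those files should not be accessible to other local users, so I would use `baseDir = java.nio.file.Files.createTempDirectory("sentry-policy-test").toFile();`, fully qualified because Guava's `Files` is already imported. The same call appears in `AbstractTestSqoopPolicyEngine.setupClazz()` and in the `TestSqoopAuthorizationProviderGeneralCases` constructor. Also, `testPerDbFileException` asserts an empty privilege set rather than an exception, so a one-line comment such as `// a [databases] section is not honoured for Solr; its per-db file grants nothing` (assuming that is the intent) would make the expectation clear.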
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini
new file mode 100644
index 0000000..8af8162
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini
@@ -0,0 +1,31 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+manager = analyst_role, junior_analyst_role
+analyst = analyst_role
+jranalyst = junior_analyst_role
+admin = admin
+
+[roles]
+analyst_role = collection=purchases->action=update, \
+ collection=analyst1, \
+ collection=jranalyst1->action=*, \
+ collection=tmpcollection->action=update, \
+ collection=tmpcollection->action=query
+junior_analyst_role = collection=jranalyst1, collection=purchases_partial->action=query
+admin = collection=*
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/pom.xml b/sentry-binding/sentry-binding-sqoop/pom.xml
index 20cbda0..a3a6a77 100644
--- a/sentry-binding/sentry-binding-sqoop/pom.xml
+++ b/sentry-binding/sentry-binding-sqoop/pom.xml
@@ -68,12 +68,17 @@ limitations under the License.
<scope>provided</scope>
</dependency>
<dependency>
- <groupId>org.apache.sqoop</groupId>
- <artifactId>sqoop-common</artifactId>
+ <groupId>org.apache.sqoop</groupId>
+ <artifactId>sqoop-common</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.sqoop</groupId>
- <artifactId>sqoop-security</artifactId>
+ <groupId>org.apache.sqoop</groupId>
+ <artifactId>sqoop-security</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minicluster</artifactId>
+ <scope>test</scope>
</dependency>
</dependencies>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
new file mode 100644
index 0000000..1389fca
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Set;
+import java.util.TreeSet;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public abstract class AbstractTestSqoopPolicyEngine {
+ private static final String OPERATOR_JDBC_CONNECTORS_READ = "server=server1->connector=generic-jdbc-connector->action=read";
+ private static final String OPERATOR_HDFS_CONNECTORS_READ = "server=server1->connector=hdfs-connector->action=read";
+ private static final String OPERATOR_KAFKA_CONNECTORS_READ = "server=server1->connector=kafka-connector->action=read";
+ private static final String OPERATOR_KITE_CONNECTORS_READ = "server=server1->connector=kite-connector->action=read";
+ private static final String ANALYST_JOBS_ALL = "server=server1->job=all->action=*";
+ private static final String OPERATOR_JOB1_READ = "server=server1->job=job1->action=read";
+ private static final String OPERATOR_JOB2_READ = "server=server1->job=job2->action=read";
+ private static final String ANALYST_LINKS_ALL = "server=server1->link=all->action=*";
+ private static final String OPERATOR_LINK1_READ = "server=server1->link=link1->action=read";
+ private static final String OPERATOR_LINK2_READ = "server=server1->link=link2->action=read";
+ private static final String ADMIN = "server=server1->action=*";
+
+ private PolicyEngine policy;
+ private static File baseDir;
+
+ protected String sqoopServerName = "server1";
+
+ @BeforeClass
+ public static void setupClazz() throws IOException {
+ baseDir = Files.createTempDir();
+ }
+
+ @AfterClass
+ public static void teardownClazz() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ protected void setPolicy(PolicyEngine policy) {
+ this.policy = policy;
+ }
+ protected static File getBaseDir() {
+ return baseDir;
+ }
+ @Before
+ public void setup() throws IOException {
+ afterSetup();
+ }
+ @After
+ public void teardown() throws IOException {
+ beforeTeardown();
+ }
+ protected void afterSetup() throws IOException {
+
+ }
+
+ protected void beforeTeardown() throws IOException {
+
+ }
+
+ @Test
+ public void testDeveloper() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ OPERATOR_JDBC_CONNECTORS_READ, OPERATOR_HDFS_CONNECTORS_READ,
+ OPERATOR_KAFKA_CONNECTORS_READ, OPERATOR_KITE_CONNECTORS_READ,
+ ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
+ Assert.assertEquals(expected.toString(),
+ Sets.newTreeSet(policy.getPrivileges(set("developer"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testConnectorOperator() throws Exception {
+
+ }
+
+ @Test
+ public void testJobOperator() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(OPERATOR_JOB1_READ,OPERATOR_JOB2_READ));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("job1_2_operator"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testLinkOperator() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(OPERATOR_LINK1_READ, OPERATOR_LINK2_READ));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("link1_2_operator"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ private static Set<String> set(String... values) {
+ return Sets.newHashSet(values);
+ }
+}
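Review bot: `testConnectorOperator` has an empty body, so it always passes and the privileges of the `connectors_operator` group are never checked in this class, although the four `OPERATOR_*_CONNECTORS_READ` constants are declared for it. An authorization test that cannot fail would hide a regression that grants this group too much or too little. The body below follows the pattern of `testJobOperator`. It assumes the policy file loaded by the subclass keeps the `connectors_operator` group used in TestSqoopAuthorizationProviderGeneralCases; that resource file is not part of this hunk.

```java
@Test
public void testConnectorOperator() throws Exception {
  Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
      OPERATOR_JDBC_CONNECTORS_READ, OPERATOR_HDFS_CONNECTORS_READ,
      OPERATOR_KAFKA_CONNECTORS_READ, OPERATOR_KITE_CONNECTORS_READ));
  Assert.assertEquals(expected.toString(),
      new TreeSet<String>(policy.getPrivileges(set("connectors_operator"), ActiveRoleSet.ALL))
          .toString());
}
```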
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
new file mode 100644
index 0000000..a76554e
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+
+import java.io.IOException;
+
+public class SqoopPolicyTestUtil {
+
+ public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException {
+
+ ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
+
+ // create backendContext
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(false);
+ context.setValidators(SqoopPrivilegeModel.getInstance().getPrivilegeValidators(server));
+ // initialize the backend with the context
+ providerBackend.initialize(context);
+
+
+ return new SimpleSqoopPolicyEngine(providerBackend);
+ }
+}
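Review bot: `createPolicyEngineForTest` has no Javadoc, and the role of `server` is easy to misread. It is passed only to `getPrivilegeValidators(server)`, so it appears to control which privileges in the policy file pass validation, not which file is loaded. I would add `/** Builds a file-backed policy engine from {@code resource}; {@code server} configures the privilege validators, and per-database policy files are disabled. */` above the method. The class only holds this static factory, so `public final class SqoopPolicyTestUtil` with a private constructor would prevent accidental instantiation.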
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
new file mode 100644
index 0000000..218a2da
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import junit.framework.Assert;
+
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.sqoop.validator.ServerNameRequiredMatch;
+import org.apache.shiro.config.ConfigurationException;
+import org.junit.Test;
+
+public class TestServerNameRequiredMatch {
+ @Test
+ public void testWithoutServerName() {
+ ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
+ try {
+ serverNameMatch.validate(new PrivilegeValidatorContext("connector=c1->action=read"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException ex) {
+ }
+ }
+ @Test
+ public void testServerNameNotMatch() throws Exception {
+ ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
+ try {
+ serverNameMatch.validate(new PrivilegeValidatorContext("server=server2->connector=c1->action=read"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException ex) {
+ }
+ }
+ @Test
+ public void testServerNameMatch() throws Exception {
+ ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
+ try {
+ serverNameMatch.validate(new PrivilegeValidatorContext("server=server1->connector=c1->action=read"));
+ } catch (ConfigurationException ex) {
+ Assert.fail("Not expected ConfigurationException");
+ }
+ }
+
+}
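Review bot: The empty `catch (ConfigurationException ex) { }` blocks in `testWithoutServerName` and `testServerNameNotMatch` give no hint that swallowing the exception is deliberate. Declaring the expectation as `@Test(expected = ConfigurationException.class)` and dropping the try/catch and `Assert.fail` states the same thing in one line. In `testServerNameMatch`, the catch replaces the validator's exception with `Assert.fail("Not expected ConfigurationException")`, which discards its message and stack trace. Calling `serverNameMatch.validate(...)` directly and letting any exception propagate fails the test just the same and keeps the reason.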
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
new file mode 100644
index 0000000..b01b88f
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
@@ -0,0 +1,238 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.sqoop.Connector;
+import org.apache.sentry.core.model.sqoop.Job;
+import org.apache.sentry.core.model.sqoop.Link;
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
+import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.After;
+import org.junit.Test;
+
+import com.google.common.base.Objects;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSqoopAuthorizationProviderGeneralCases {
+ private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap.create();
+
+ private static final Subject SUB_ADMIN = new Subject("admin1");
+ private static final Subject SUB_DEVELOPER = new Subject("developer1");
+ private static final Subject SUB_ANALYST = new Subject("analyst1");
+ private static final Subject SUB_JOB_OPERATOR = new Subject("job_operator1");
+ private static final Subject SUB_LINK_OPERATOR = new Subject("link_operator1");
+ private static final Subject SUB_CONNECTOR_OPERATOR = new Subject("connector_operator1");
+
+
+
+ private static final Server server1 = new Server("server1");
+ private static final Connector jdbc_connector = new Connector("generic-jdbc-connector");
+ private static final Connector hdfs_connector = new Connector("hdfs-connector");
+ private static final Connector kafka_connector = new Connector("kafka-connector");
+ private static final Connector kite_connector = new Connector("kite-connector");
+ private static final Link link1 = new Link("link1");
+ private static final Link link2 = new Link("link2");
+ private static final Job job1 = new Job("job1");
+ private static final Job job2 = new Job("job2");
+
+ private static final SqoopAction ALL = new SqoopAction(SqoopActionConstant.ALL);
+ private static final SqoopAction READ = new SqoopAction(SqoopActionConstant.READ);
+ private static final SqoopAction WRITE = new SqoopAction(SqoopActionConstant.WRITE);
+
+ private static final String ADMIN = "admin";
+ private static final String DEVELOPER = "developer";
+ private static final String ANALYST = "analyst";
+ private static final String JOB_OPERATOR = "job1_2_operator";
+ private static final String LINK_OPERATOR ="link1_2_operator";
+ private static final String CONNECTOR_OPERATOR = "connectors_operator";
+
+ static {
+ USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList(ADMIN));
+ USER_TO_GROUP_MAP.putAll(SUB_DEVELOPER.getName(), Arrays.asList(DEVELOPER));
+ USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList(ANALYST));
+ USER_TO_GROUP_MAP.putAll(SUB_JOB_OPERATOR.getName(),Arrays.asList(JOB_OPERATOR));
+ USER_TO_GROUP_MAP.putAll(SUB_LINK_OPERATOR.getName(),Arrays.asList(LINK_OPERATOR));
+ USER_TO_GROUP_MAP.putAll(SUB_CONNECTOR_OPERATOR.getName(),Arrays.asList(CONNECTOR_OPERATOR));
+ }
+
+ private final ResourceAuthorizationProvider authzProvider;
+ private File baseDir;
+
+ public TestSqoopAuthorizationProviderGeneralCases() throws IOException {
+ baseDir = Files.createTempDir();
+ PolicyFiles.copyToDir(baseDir, "sqoop-policy-test-authz-provider.ini");
+ authzProvider = new HadoopGroupResourceAuthorizationProvider(
+ SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(),
+ new File(baseDir, "sqoop-policy-test-authz-provider.ini").getPath()),
+ new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void doTestResourceAuthorizationProvider(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+ Set<? extends Action> actions, boolean expected) throws Exception {
+ Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
+ helper.add("Subject", subject).add("authzHierarchy", authorizableHierarchy).add("action", actions);
+ Assert.assertEquals(helper.toString(), expected,
+ authzProvider.hasAccess(subject, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<? extends Action> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,hdfs_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,jdbc_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kafka_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kite_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link1), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link2), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job1), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job2), allActions, true);
+ }
+
+ @Test
+ public void testDeveloper() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ //developer only has the read action on all connectors
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector))
+ doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
+ }
+
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ //developer has the all action on all links
+ doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, link), allActions, true);
+ }
+
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ //developer has the all action on all jobs
+ doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, job), allActions, true);
+ }
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ //analyst has not the any action on all connectors
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector))
+ doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
+ }
+
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ //analyst has the all action on all links
+ doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, link), allActions, true);
+ }
+
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ //analyst has the all action on all jobs
+ doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, job), allActions, true);
+ }
+ }
+
+ @Test
+ public void testJobOperator() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ //Job operator has the read action on all jobs
+ doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), READ.equals(action));
+ }
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
+ }
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
+ doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
+ }
+ }
+ }
+
+ @Test
+ public void testLinkOperator() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ //Link operator has the read action on all links
+ doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), READ.equals(action));
+ }
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
+ }
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
+ doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
+ }
+ }
+ }
+
+ @Test
+ public void testConnectorOperator() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
+ doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
+ }
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
+ }
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
+ }
+ }
+ }
+
+ public class MockGroupMappingServiceProvider implements GroupMappingService {
+ private final Multimap<String, String> userToGroupMap;
+
+ public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
+ this.userToGroupMap = userToGroupMap;
+ }
+
+ @Override
+ public Set<String> getGroups(String user) {
+ return Sets.newHashSet(userToGroupMap.get(user));
+ }
+ }
+}
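Review bot: Every subject exercised here is present in `USER_TO_GROUP_MAP`, so no test checks that a user with no group mapping is denied, which is the fail-closed case an authorization provider most needs pinned. `MockGroupMappingServiceProvider.getGroups` returns an empty set for such a user, so a new test can call `doTestResourceAuthorizationProvider(new Subject("unmapped_user"), Arrays.asList(server1), Sets.newHashSet(READ), false);`, where the `false` expectation is what I would expect from the policy rather than something this hunk shows. `MockGroupMappingServiceProvider` does not use the enclosing instance, so `private static class` would be the tighter declaration. The inner `for` loops over connectors in `testDeveloper` and `testAnalyst` have no braces, unlike every other loop in the file.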
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
new file mode 100644
index 0000000..99eaf18
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.sqoop.Connector;
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSqoopAuthorizationProviderSpecialCases {
+ private AuthorizationProvider authzProvider;
+ private PolicyFile policyFile;
+ private File baseDir;
+ private File iniFile;
+ private String initResource;
+ @Before
+ public void setup() throws IOException {
+ baseDir = Files.createTempDir();
+ iniFile = new File(baseDir, "policy.ini");
+ initResource = "file://" + iniFile.getPath();
+ policyFile = new PolicyFile();
+ }
+
+ @After
+ public void teardown() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ @Test
+ public void testDuplicateEntries() throws Exception {
+ Subject user1 = new Subject("user1");
+ Server server1 = new Server("server1");
+ Connector connector1 = new Connector("c1");
+ Set<? extends Action> actions = Sets.newHashSet(new SqoopAction(SqoopActionConstant.READ));
+ policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
+ .addRolesToGroup("group1", true, "role1", "role1")
+ .addPermissionsToRole("role1", true, "server=server1->connector=c1->action=read",
+ "server=server1->connector=c1->action=read");
+ policyFile.write(iniFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
+ authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
+ List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, connector1);
+ Assert.assertTrue(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+
+}
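Review bot: testDuplicateEntries asserts only that the duplicated group, role and privilege entries still grant READ on c1; nothing checks that the duplicates leave the grant no wider than a single entry would. A negative assertion next to the positive one would pin that, for example `Assert.assertFalse(authzProvider.hasAccess(user1, authorizableHierarchy, Sets.newHashSet(new SqoopAction(SqoopActionConstant.WRITE)), ActiveRoleSet.ALL));`. Separately, `junit.framework.Assert` is the deprecated JUnit 3 class; since the file already uses `org.junit.Test`, `org.junit.Assert` is the matching import.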
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
new file mode 100644
index 0000000..c393d0e
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
+import org.junit.Test;
+
+public class TestSqoopModelAuthorizables {
+
+ @Test
+ public void testServer() throws Exception {
+ Server server1 = (Server) SqoopModelAuthorizables.from("SERVER=server1");
+ assertEquals("server1", server1.getName());
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNoKV() throws Exception {
+ System.out.println(SqoopModelAuthorizables.from("nonsense"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(SqoopModelAuthorizables.from("=server1"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(SqoopModelAuthorizables.from("SERVER="));
+ }
+
+ @Test
+ public void testNotAuthorizable() throws Exception {
+ assertNull(SqoopModelAuthorizables.from("k=v"));
+ }
+}
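Review bot: Only the `SERVER` key is exercised here, so the connector, link and job keys that the Sqoop policy strings in this commit rely on have no parsing coverage in this class. Adding one positive test per authorizable type, as sketched below, would close that gap; they need imports for Connector, Link and Job from org.apache.sentry.core.model.sqoop. The three expected-exception tests also wrap the call in `System.out.println(...)`, which adds nothing and would print to the build log if the call ever returned; calling `SqoopModelAuthorizables.from("nonsense");` directly is enough. The db counterpart removed by this commit parsed a mixed-case key (`SeRvEr=server1`); if the Sqoop parser is meant to be case-insensitive as well, a mixed-case input is worth keeping.

```java
// … unchanged: testServer …

@Test
public void testConnector() throws Exception {
  Connector connector1 = (Connector) SqoopModelAuthorizables.from("connector=c1");
  assertEquals("c1", connector1.getName());
}

@Test
public void testLink() throws Exception {
  Link link1 = (Link) SqoopModelAuthorizables.from("link=l1");
  assertEquals("l1", link1.getName());
}

@Test
public void testJob() throws Exception {
  Job job1 = (Job) SqoopModelAuthorizables.from("job=j1");
  assertEquals("j1", job1.getName());
}
```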
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
new file mode 100644
index 0000000..318a267
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+public class TestSqoopPolicyEngineDFS extends AbstractTestSqoopPolicyEngine {
+ private static MiniDFSCluster dfsCluster;
+ private static FileSystem fileSystem;
+ private static Path root;
+ private static Path etc;
+
+ @BeforeClass
+ public static void setupLocalClazz() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ File dfsDir = new File(baseDir, "dfs");
+ Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
+ Configuration conf = new Configuration();
+ conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
+ dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
+ fileSystem = dfsCluster.getFileSystem();
+ root = new Path(fileSystem.getUri().toString());
+ etc = new Path(root, "/etc");
+ fileSystem.mkdirs(etc);
+ }
+
+ @AfterClass
+ public static void teardownLocalClazz() {
+ if(dfsCluster != null) {
+ dfsCluster.shutdown();
+ }
+ }
+
+ @Override
+ protected void afterSetup() throws IOException {
+ fileSystem.delete(etc, true);
+ fileSystem.mkdirs(etc);
+ PolicyFiles.copyToDir(fileSystem, etc, "sqoop-policy-test-authz-provider.ini");
+ setPolicy(SqoopPolicyTestUtil.createPolicyEngineForTest(sqoopServerName, new Path(etc,
+ "sqoop-policy-test-authz-provider.ini").toString()));
+ }
+
+ @Override
+ protected void beforeTeardown() throws IOException {
+ fileSystem.delete(etc, true);
+ }
+}
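Review bot: The boolean results of `fileSystem.mkdirs(etc)` in setupLocalClazz and afterSetup are ignored, so a failed directory creation would only surface later as a less obvious failure when the policy file is copied or loaded. Asserting the result keeps the failure at its cause: `Assert.assertTrue(fileSystem.mkdirs(etc));`. The policy file name is also spelled out twice in afterSetup; a `private static final String POLICY_FILE = "sqoop-policy-test-authz-provider.ini";` constant would keep the copy and the load in step.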
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
new file mode 100644
index 0000000..2c9b300
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.provider.file.PolicyFiles;
+
+public class TestSqoopPolicyEngineLocalFS extends AbstractTestSqoopPolicyEngine {
+ @Override
+ protected void afterSetup() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
+ PolicyFiles.copyToDir(baseDir, "sqoop-policy-test-authz-provider.ini");
+ setPolicy(SqoopPolicyTestUtil.createPolicyEngineForTest(sqoopServerName,
+ new File(baseDir, "sqoop-policy-test-authz-provider.ini").getPath()));
+ }
+ @Override
+ protected void beforeTeardown() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ FileUtils.deleteQuietly(baseDir);
+ }
+}
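Review bot: beforeTeardown deletes the whole base directory after every test, and afterSetup then accepts whatever exists at that path through `baseDir.isDirectory() || baseDir.mkdirs()`. AbstractTestSqoopPolicyEngine is not visible in this part of the commit, but if getBaseDir() returns a directory created once per class (as the db counterpart removed here does in its @BeforeClass), every test after the first loads its policy from a directory recreated at a known path under the shared temp location rather than from the one createTempDir produced. Removing only the copied policy file keeps the original directory in place: `FileUtils.deleteQuietly(new File(baseDir, "sqoop-policy-test-authz-provider.ini"));`.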
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
new file mode 100644
index 0000000..646a3c8
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Charsets;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSqoopPolicyNegative {
+ @SuppressWarnings("unused")
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestSqoopPolicyNegative.class);
+
+ private File baseDir;
+ private File globalPolicyFile;
+
+ @Before
+ public void setup() {
+ baseDir = Files.createTempDir();
+ globalPolicyFile = new File(baseDir, "global.ini");
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void append(String from, File to) throws IOException {
+ Files.append(from + "\n", to, Charsets.UTF_8);
+ }
+
+ @Test
+ public void testauthorizedSqoopInPolicyFile() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("other_group = other_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("other_role = server=server1->connector=c1->action=read, server=server1->link=l1->action=read", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ //malicious_group has no privilege
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("malicious_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ //other_group has two privileges
+ permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.size() == 2);
+ }
+
+ @Test
+ public void testNoServerNameConfig() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("other_group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = connector=c1->action=read,link=l1->action=read", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testServerAllName() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = server=*", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testServerIncorrect() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = server=server2", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testAll() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = *", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+}
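Review bot: testauthorizedSqoopInPolicyFile checks only `permissions.size() == 2`, so it would still pass if the engine returned two privileges other than the ones granted to other_role. Comparing the contents pins the actual grant, assuming the engine returns the privilege strings as written in the file: `Assert.assertEquals(Sets.newHashSet("server=server1->connector=c1->action=read", "server=server1->link=l1->action=read"), permissions);`. The method name would read better as `testAuthorizedSqoopInPolicyFile`, and the unused LOGGER field with its `@SuppressWarnings("unused")` can be dropped.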
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini b/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini
new file mode 100644
index 0000000..a4ab5d1
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini
@@ -0,0 +1,40 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+developer = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role,\
+ jobs_analyst_role,links_analyst_role
+analyst = jobs_analyst_role,links_analyst_role
+connectors_operator = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role
+jobs_analyst = jobs_analyst_role
+job1_2_operator = job1_role,job2_role
+links_analyst = links_analyst_role
+link1_2_operator = link1_role,link2_role
+admin = admin_role
+
+[roles]
+admin_role = server=server1->action=*
+jdbc_connector_role = server=server1->connector=generic-jdbc-connector->action=read
+hdfs_connector_role = server=server1->connector=hdfs-connector->action=read
+kafka_connector_role = server=server1->connector=kafka-connector->action=read
+kite_connector_role = server=server1->connector=kite-connector->action=read
+jobs_analyst_role = server=server1->job=all->action=*
+job1_role = server=server1->job=job1->action=read
+job2_role = server=server1->job=job2->action=read
+links_analyst_role = server=server1->link=all->action=*
+link1_role = server=server1->link=link1->action=read
+link2_role = server=server1->link=link2->action=read
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
deleted file mode 100644
index d1151e3..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSimplePolicyEngine {
- private static final String PERM_SERVER1_CUSTOMERS_SELECT = "server=server1->db=customers->table=purchases->action=select";
- private static final String PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT = "server=server1->db=customers->table=purchases_partial->action=select";
- private static final String PERM_SERVER1_ANALYST_ALL = "server=server1->db=analyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_ALL = "server=server1->db=jranalyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_READ = "server=server1->db=jranalyst1->table=*->action=select";
- private static final String PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT = "server=server1->db=other_group_db->table=purchases->action=select";
-
- private static final String PERM_SERVER1_ADMIN = "server=server1";
- private PolicyEngine policy;
- private static File baseDir;
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testManager() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_ALL, PERM_SERVER1_JUNIOR_ANALYST_READ,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
- ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
-
- @Test
- public void testOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAll() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAllforOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java
deleted file mode 100644
index c46df8f..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.db.HivePrivilegeModel;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-import java.io.IOException;
-
-public class DBPolicyTestUtil {
-
- public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException {
-
- ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
-
- // create backendContext
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(true);
- context.setValidators(HivePrivilegeModel.getInstance().getPrivilegeValidators(server));
- // initialize the backend with the context
- providerBackend.initialize(context);
-
-
- return new SimpleDBPolicyEngine(providerBackend);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
deleted file mode 100644
index 4c123b5..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNull;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.DBModelAuthorizables;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.model.db.View;
-import org.junit.Test;
-
-public class TestDBModelAuthorizables {
-
- @Test
- public void testServer() throws Exception {
- Server server = (Server) DBModelAuthorizables.from("SeRvEr=server1");
- assertEquals("server1", server.getName());
- }
- @Test
- public void testDb() throws Exception {
- Database db = (Database)DBModelAuthorizables.from("dB=db1");
- assertEquals("db1", db.getName());
- }
- @Test
- public void testTable() throws Exception {
- Table table = (Table)DBModelAuthorizables.from("tAbLe=t1");
- assertEquals("t1", table.getName());
- }
- @Test
- public void testView() throws Exception {
- View view = (View)DBModelAuthorizables.from("vIeW=v1");
- assertEquals("v1", view.getName());
- }
- @Test
- public void testURI() throws Exception {
- AccessURI uri = (AccessURI)DBModelAuthorizables.from("UrI=hdfs://uri1:8200/blah");
- assertEquals("hdfs://uri1:8200/blah", uri.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(DBModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(DBModelAuthorizables.from("=v"));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(DBModelAuthorizables.from("k="));
- }
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(DBModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
deleted file mode 100644
index 7fbef36..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-
-import junit.framework.Assert;
-
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.db.validator.DatabaseRequiredInPrivilege;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestDatabaseRequiredInRole {
-
- @Test
- public void testURIInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- System.setProperty("sentry.allow.uri.db.policyfile", "true");
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->URI=file:///user/db/warehouse/tab1"));
- System.setProperty("sentry.allow.uri.db.policyfile", "false");
- }
-
- @Test
- public void testURIWithDBInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- try {
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- ;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
deleted file mode 100644
index 8bc511d..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestPolicyParsingNegative {
-
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestPolicyParsingNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
- private File otherPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- otherPolicyFile = new File(baseDir, "other.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
- @Test
- public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
- PolicyEngine policy;
- ImmutableSet<String> permissions;
- PolicyFile policyFile;
- // test sanity
- policyFile = PolicyFile.setAdminOnServer1("admin");
- policyFile.addGroupsToUser("admin1", "admin");
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [users] fails parsing of per-db file
- policyFile.addDatabase("other", otherPolicyFile.getPath());
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [databases] fails parsing of per-db file
- // by removing the user mapping from the per-db policy file
- policyFile.removeGroupsFromUser("admin1", "admin")
- .write(otherPolicyFile);
- policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- }
-
- @Test
- public void testDatabaseRequiredInRole() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1", otherPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- /**
- * Create policy file with multiple per db files.
- * Verify that a file with bad format is the only one that's ignored
- * @throws Exception
- */
- @Test
- public void testMultiDbWithErrors() throws Exception {
- File db1PolicyFile = new File(baseDir, "db1.ini");
- File db2PolicyFile = new File(baseDir, "db2.ini");
-
- // global policy file
- append("[databases]", globalPolicyFile);
- append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile);
- append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile);
- append("[groups]", globalPolicyFile);
- append("db3_group = db3_rule", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile);
-
- //db1 policy file with badly formatted rule
- append("[groups]", db1PolicyFile);
- append("db1_group = bad_rule", db1PolicyFile);
- append("[roles]", db1PolicyFile);
- append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile);
-
- //db2 policy file with proper rule
- append("[groups]", db2PolicyFile);
- append("db2_group = db2_rule", db2PolicyFile);
- append("[roles]", db2PolicyFile);
- append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
-
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
-
- // verify that the db1 rule is empty
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-
- permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), 1, permissions.size());
- }
-}
[4/4] incubator-sentry git commit: SENTRY-1127: Move test cases from
sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
Posted by co...@apache.org.
SENTRY-1127: Move test cases from sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0c006517
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0c006517
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0c006517
Branch: refs/heads/SENTRY-999
Commit: 0c0065174528fd5783e85e156637dbcc175088e6
Parents: fbb9060
Author: Colin Ma <co...@apache.org>
Authored: Tue Mar 15 15:16:10 2016 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Tue Mar 15 15:16:10 2016 +0800
----------------------------------------------------------------------
sentry-binding/sentry-binding-hive/pom.xml | 5 +
.../hive/AbstractTestSimplePolicyEngine.java | 156 ++++++++++++
.../sentry/policy/hive/DBPolicyTestUtil.java | 45 ++++
.../policy/hive/TestDBModelAuthorizables.java | 76 ++++++
.../policy/hive/TestDatabaseRequiredInRole.java | 50 ++++
.../policy/hive/TestPolicyParsingNegative.java | 194 +++++++++++++++
...sourceAuthorizationProviderGeneralCases.java | 195 +++++++++++++++
...sourceAuthorizationProviderSpecialCases.java | 123 ++++++++++
.../hive/TestSimpleDBPolicyEngineDFS.java | 115 +++++++++
.../hive/TestSimpleDBPolicyEngineLocalFS.java | 44 ++++
...e-policy-test-authz-provider-other-group.ini | 22 ++
.../hive-policy-test-authz-provider.ini | 32 +++
.../solr/AbstractTestSearchPolicyEngine.java | 129 ++++++++++
.../policy/solr/SearchPolicyTestUtil.java | 45 ++++
.../solr/TestCollectionRequiredInRole.java | 64 +++++
...SearchAuthorizationProviderGeneralCases.java | 192 +++++++++++++++
...SearchAuthorizationProviderSpecialCases.java | 83 +++++++
.../solr/TestSearchModelAuthorizables.java | 54 +++++
.../policy/solr/TestSearchPolicyEngineDFS.java | 74 ++++++
.../solr/TestSearchPolicyEngineLocalFS.java | 43 ++++
.../policy/solr/TestSearchPolicyNegative.java | 101 ++++++++
.../solr-policy-test-authz-provider.ini | 31 +++
sentry-binding/sentry-binding-sqoop/pom.xml | 13 +-
.../sqoop/AbstractTestSqoopPolicyEngine.java | 145 +++++++++++
.../policy/sqoop/SqoopPolicyTestUtil.java | 44 ++++
.../sqoop/TestServerNameRequiredMatch.java | 57 +++++
...tSqoopAuthorizationProviderGeneralCases.java | 238 +++++++++++++++++++
...tSqoopAuthorizationProviderSpecialCases.java | 88 +++++++
.../sqoop/TestSqoopModelAuthorizables.java | 54 +++++
.../policy/sqoop/TestSqoopPolicyEngineDFS.java | 75 ++++++
.../sqoop/TestSqoopPolicyEngineLocalFS.java | 45 ++++
.../policy/sqoop/TestSqoopPolicyNegative.java | 121 ++++++++++
.../sqoop-policy-test-authz-provider.ini | 40 ++++
.../db/AbstractTestSimplePolicyEngine.java | 156 ------------
.../sentry/policy/db/DBPolicyTestUtil.java | 44 ----
.../policy/db/TestDBModelAuthorizables.java | 76 ------
.../policy/db/TestDatabaseRequiredInRole.java | 50 ----
.../policy/db/TestPolicyParsingNegative.java | 194 ---------------
...sourceAuthorizationProviderGeneralCases.java | 180 --------------
...sourceAuthorizationProviderSpecialCases.java | 123 ----------
.../policy/db/TestSimpleDBPolicyEngineDFS.java | 115 ---------
.../db/TestSimpleDBPolicyEngineLocalFS.java | 44 ----
.../test-authz-provider-other-group.ini | 22 --
.../src/test/resources/test-authz-provider.ini | 32 ---
.../search/AbstractTestSearchPolicyEngine.java | 129 ----------
.../policy/search/SearchPolicyTestUtil.java | 44 ----
.../search/TestCollectionRequiredInRole.java | 64 -----
...SearchAuthorizationProviderGeneralCases.java | 178 --------------
...SearchAuthorizationProviderSpecialCases.java | 83 -------
.../search/TestSearchModelAuthorizables.java | 54 -----
.../search/TestSearchPolicyEngineDFS.java | 74 ------
.../search/TestSearchPolicyEngineLocalFS.java | 43 ----
.../policy/search/TestSearchPolicyNegative.java | 101 --------
.../src/test/resources/test-authz-provider.ini | 31 ---
.../sqoop/AbstractTestSqoopPolicyEngine.java | 145 -----------
.../sqoop/MockGroupMappingServiceProvider.java | 39 ---
.../policy/sqoop/SqoopPolicyTestUtil.java | 44 ----
.../sqoop/TestServerNameRequiredMatch.java | 57 -----
...tSqoopAuthorizationProviderGeneralCases.java | 224 -----------------
...tSqoopAuthorizationProviderSpecialCases.java | 88 -------
.../sqoop/TestSqoopModelAuthorizables.java | 54 -----
.../policy/sqoop/TestSqoopPolicyEngineDFS.java | 75 ------
.../sqoop/TestSqoopPolicyEngineLocalFS.java | 45 ----
.../policy/sqoop/TestSqoopPolicyNegative.java | 121 ----------
.../src/test/resources/test-authz-provider.ini | 40 ----
65 files changed, 2789 insertions(+), 2773 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml
index fb5f214..4a25670 100644
--- a/sentry-binding/sentry-binding-hive/pom.xml
+++ b/sentry-binding/sentry-binding-hive/pom.xml
@@ -97,6 +97,11 @@ limitations under the License.
<artifactId>mockito-all</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minicluster</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java
new file mode 100644
index 0000000..019a5ab
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Set;
+import java.util.TreeSet;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public abstract class AbstractTestSimplePolicyEngine {
+ private static final String PERM_SERVER1_CUSTOMERS_SELECT = "server=server1->db=customers->table=purchases->action=select";
+ private static final String PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT = "server=server1->db=customers->table=purchases_partial->action=select";
+ private static final String PERM_SERVER1_ANALYST_ALL = "server=server1->db=analyst1";
+ private static final String PERM_SERVER1_JUNIOR_ANALYST_ALL = "server=server1->db=jranalyst1";
+ private static final String PERM_SERVER1_JUNIOR_ANALYST_READ = "server=server1->db=jranalyst1->table=*->action=select";
+ private static final String PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT = "server=server1->db=other_group_db->table=purchases->action=select";
+
+ private static final String PERM_SERVER1_ADMIN = "server=server1";
+ private PolicyEngine policy;
+ private static File baseDir;
+
+ @BeforeClass
+ public static void setupClazz() throws IOException {
+ baseDir = Files.createTempDir();
+ }
+
+ @AfterClass
+ public static void teardownClazz() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ protected void setPolicy(PolicyEngine policy) {
+ this.policy = policy;
+ }
+ protected static File getBaseDir() {
+ return baseDir;
+ }
+ @Before
+ public void setup() throws IOException {
+ afterSetup();
+ }
+ @After
+ public void teardown() throws IOException {
+ beforeTeardown();
+ }
+ protected void afterSetup() throws IOException {
+
+ }
+
+ protected void beforeTeardown() throws IOException {
+
+ }
+
+ @Test
+ public void testManager() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
+ PERM_SERVER1_JUNIOR_ANALYST_ALL, PERM_SERVER1_JUNIOR_ANALYST_READ,
+ PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
+ ));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
+ PERM_SERVER1_JUNIOR_ANALYST_READ));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testJuniorAnalyst() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
+ PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+
+ @Test
+ public void testOtherGroup() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testDbAll() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
+ PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testDbAllforOtherGroup() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ private static Set<String> set(String... values) {
+ return Sets.newHashSet(values);
+ }
+}
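Review bot: `testDbAll` is a line-for-line repeat of `testJuniorAnalyst` (same group `jranalyst`, same expected set), and `testDbAllforOtherGroup` repeats `testOtherGroup`, so the two "DbAll" cases add no coverage to this privilege-resolution suite. Either drop them or give each a distinct group and expected set, with a comment such as `// db-wide grant: the role carries server=server1->db=jranalyst1 with no table or action` stating what the case pins. Separately, every test compares `expected.toString()` with the result's `toString()`; comparing the sets directly, `Assert.assertEquals(expected, new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL)));`, checks the same thing without depending on string rendering.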
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java
new file mode 100644
index 0000000..c390b66
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.db.HivePrivilegeModel;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.db.SimpleDBPolicyEngine;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+
+import java.io.IOException;
+
+public class DBPolicyTestUtil {
+
+ public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException {
+
+ ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
+
+ // create backendContext
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(true);
+ context.setValidators(HivePrivilegeModel.getInstance().getPrivilegeValidators(server));
+ // initialize the backend with the context
+ providerBackend.initialize(context);
+
+
+ return new SimpleDBPolicyEngine(providerBackend);
+ }
+}
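Review bot: `createPolicyEngineForTest` has no Javadoc, although the configuration it builds decides what the negative policy tests can prove: it enables per-database policy files with `setAllowPerDatabase(true)` and installs the Hive privilege validators for the given `server`. I would add `/** Builds a file-backed policy engine for tests: per-database policy files are allowed and the Hive privilege validators for {@code server} are installed. */` above the method, with `@param resource` describing the global policy file path. As a static-only helper the class would also read better with `private DBPolicyTestUtil() {}`.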
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java
new file mode 100644
index 0000000..03b6be3
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.hive;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.DBModelAuthorizables;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.core.model.db.View;
+import org.junit.Test;
+
+public class TestDBModelAuthorizables {
+
+ @Test
+ public void testServer() throws Exception {
+ Server server = (Server) DBModelAuthorizables.from("SeRvEr=server1");
+ assertEquals("server1", server.getName());
+ }
+ @Test
+ public void testDb() throws Exception {
+ Database db = (Database)DBModelAuthorizables.from("dB=db1");
+ assertEquals("db1", db.getName());
+ }
+ @Test
+ public void testTable() throws Exception {
+ Table table = (Table)DBModelAuthorizables.from("tAbLe=t1");
+ assertEquals("t1", table.getName());
+ }
+ @Test
+ public void testView() throws Exception {
+ View view = (View)DBModelAuthorizables.from("vIeW=v1");
+ assertEquals("v1", view.getName());
+ }
+ @Test
+ public void testURI() throws Exception {
+ AccessURI uri = (AccessURI)DBModelAuthorizables.from("UrI=hdfs://uri1:8200/blah");
+ assertEquals("hdfs://uri1:8200/blah", uri.getName());
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNoKV() throws Exception {
+ System.out.println(DBModelAuthorizables.from("nonsense"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(DBModelAuthorizables.from("=v"));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(DBModelAuthorizables.from("k="));
+ }
+ @Test
+ public void testNotAuthorizable() throws Exception {
+ assertNull(DBModelAuthorizables.from("k=v"));
+ }
+}
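Review bot: `testNoKV`, `testEmptyKey` and `testEmptyValue` wrap the call under test in `System.out.println(...)`, which adds nothing to the assertion and would only print to the build log if the expected `IllegalArgumentException` were not thrown. Calling the parser directly, e.g. `DBModelAuthorizables.from("nonsense");`, states the intent more plainly. `testNotAuthorizable` pins that an unknown key yields `null` rather than an exception; a comment such as `// unknown authorizable type: from() returns null, callers must check` would make that contract visible to readers of this authorization model.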
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java
new file mode 100644
index 0000000..9c361e3
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import junit.framework.Assert;
+
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.db.validator.DatabaseRequiredInPrivilege;
+import org.apache.shiro.config.ConfigurationException;
+import org.junit.Test;
+
+public class TestDatabaseRequiredInRole {
+
+ @Test
+ public void testURIInPerDbPolicyFile() throws Exception {
+ DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
+ System.setProperty("sentry.allow.uri.db.policyfile", "true");
+ dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
+ "server=server1->URI=file:///user/db/warehouse/tab1"));
+ System.setProperty("sentry.allow.uri.db.policyfile", "false");
+ }
+
+ @Test
+ public void testURIWithDBInPerDbPolicyFile() throws Exception {
+ DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
+ try {
+ dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
+ "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException e) {
+ ;
+ }
+ }
+}
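Review bot: In `testURIInPerDbPolicyFile` the permissive `sentry.allow.uri.db.policyfile` system property is switched back only on the success path, so if `validate` throws, the property stays `true` for every later test in the same JVM. Assuming the validator reads it at validation time, a relaxed setting left behind could make other negative policy tests pass or fail for the wrong reason. The reset also writes `"false"` instead of restoring whatever value was there before. Wrapping the call in try/finally and restoring the previous state keeps the relaxation scoped to this test.
```java
public void testURIInPerDbPolicyFile() throws Exception {
  DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
  String previous = System.getProperty("sentry.allow.uri.db.policyfile");
  System.setProperty("sentry.allow.uri.db.policyfile", "true");
  try {
    dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
        "server=server1->URI=file:///user/db/warehouse/tab1"));
  } finally {
    // Restore the prior state so the permissive setting never outlives this test.
    if (previous == null) {
      System.clearProperty("sentry.allow.uri.db.policyfile");
    } else {
      System.setProperty("sentry.allow.uri.db.policyfile", previous);
    }
  }
}
```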
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
new file mode 100644
index 0000000..80d284b
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
@@ -0,0 +1,194 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Charsets;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestPolicyParsingNegative {
+
+ @SuppressWarnings("unused")
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestPolicyParsingNegative.class);
+
+ private File baseDir;
+ private File globalPolicyFile;
+ private File otherPolicyFile;
+
+ @Before
+ public void setup() {
+ baseDir = Files.createTempDir();
+ globalPolicyFile = new File(baseDir, "global.ini");
+ otherPolicyFile = new File(baseDir, "other.ini");
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void append(String from, File to) throws IOException {
+ Files.append(from + "\n", to, Charsets.UTF_8);
+ }
+
+ @Test
+ public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception {
+ append("[databases]", globalPolicyFile);
+ append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
+ append("[groups]", otherPolicyFile);
+ append("other_group = malicious_role", otherPolicyFile);
+ append("[roles]", otherPolicyFile);
+ append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+ @Test
+ public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
+ PolicyEngine policy;
+ ImmutableSet<String> permissions;
+ PolicyFile policyFile;
+ // test sanity
+ policyFile = PolicyFile.setAdminOnServer1("admin");
+ policyFile.addGroupsToUser("admin1", "admin");
+ policyFile.write(globalPolicyFile);
+ policyFile.write(otherPolicyFile);
+ policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
+ Assert.assertEquals(permissions.toString(), "[server=server1]");
+ // test to ensure [users] fails parsing of per-db file
+ policyFile.addDatabase("other", otherPolicyFile.getPath());
+ policyFile.write(globalPolicyFile);
+ policyFile.write(otherPolicyFile);
+ policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
+ Assert.assertEquals(permissions.toString(), "[server=server1]");
+ // test to ensure [databases] fails parsing of per-db file
+ // by removing the user mapping from the per-db policy file
+ policyFile.removeGroupsFromUser("admin1", "admin")
+ .write(otherPolicyFile);
+ policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
+ Assert.assertEquals(permissions.toString(), "[server=server1]");
+ }
+
+ @Test
+ public void testDatabaseRequiredInRole() throws Exception {
+ append("[databases]", globalPolicyFile);
+ append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
+ append("[groups]", otherPolicyFile);
+ append("other_group = malicious_role", otherPolicyFile);
+ append("[roles]", otherPolicyFile);
+ append("malicious_role = server=server1", otherPolicyFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testServerAll() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = server=*", globalPolicyFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testServerIncorrect() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = server=server2", globalPolicyFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testAll() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = *", globalPolicyFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ /**
+ * Create policy file with multiple per db files.
+ * Verify that a file with bad format is the only one that's ignored
+ * @throws Exception
+ */
+ @Test
+ public void testMultiDbWithErrors() throws Exception {
+ File db1PolicyFile = new File(baseDir, "db1.ini");
+ File db2PolicyFile = new File(baseDir, "db2.ini");
+
+ // global policy file
+ append("[databases]", globalPolicyFile);
+ append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile);
+ append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile);
+ append("[groups]", globalPolicyFile);
+ append("db3_group = db3_rule", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile);
+
+ //db1 policy file with badly formatted rule
+ append("[groups]", db1PolicyFile);
+ append("db1_group = bad_rule", db1PolicyFile);
+ append("[roles]", db1PolicyFile);
+ append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile);
+
+ //db2 policy file with proper rule
+ append("[groups]", db2PolicyFile);
+ append("db2_group = db2_rule", db2PolicyFile);
+ append("[roles]", db2PolicyFile);
+ append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
+
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+
+ // verify that the db1 rule is empty
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+
+ permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
+ Assert.assertEquals(permissions.toString(), 1, permissions.size());
+ }
+}
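Review bot: The three assertions in testPerDbFileCannotContainUsersOrDatabases cannot tell a rejected per-db file from an accepted one. Each checks only that group `admin` resolves to `[server=server1]`, which the "test sanity" phase shows the global file grants on its own, and the per-db file is written from the same `policyFile` object. To pin the rejection, the per-db file needs a group and role that exist nowhere else, followed by an emptiness check as in testUnauthorizedDbSpecifiedInDBPolicyFile, i.e. `Assert.assertTrue(permissions.toString(), permissions.isEmpty());` for that group. The arguments are also reversed for the two-argument form; `Assert.assertEquals("[server=server1]", permissions.toString());` reports expected and actual the right way round on failure.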
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java
new file mode 100644
index 0000000..05dc449
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java
@@ -0,0 +1,195 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAction;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.After;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Objects;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
+import com.google.common.io.Files;
+
+
+public class TestResourceAuthorizationProviderGeneralCases {
+
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestResourceAuthorizationProviderGeneralCases.class);
+
+ private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
+ .create();
+
+ private static final Subject SUB_ADMIN = new Subject("admin1");
+ private static final Subject SUB_MANAGER = new Subject("manager1");
+ private static final Subject SUB_ANALYST = new Subject("analyst1");
+ private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");
+
+ private static final Server SVR_SERVER1 = new Server("server1");
+ private static final Server SVR_ALL = new Server(AccessConstants.ALL);
+
+ private static final Database DB_CUSTOMERS = new Database("customers");
+ private static final Database DB_ANALYST = new Database("analyst1");
+ private static final Database DB_JR_ANALYST = new Database("jranalyst1");
+
+ private static final Table TBL_PURCHASES = new Table("purchases");
+
+ private static final Set<? extends Action> ALL = EnumSet.of(DBModelAction.ALL);
+ private static final Set<? extends Action> SELECT = EnumSet.of(DBModelAction.SELECT);
+ private static final Set<? extends Action> INSERT = EnumSet.of(DBModelAction.INSERT);
+
+ static {
+ USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
+ USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
+ USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
+ USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
+ Arrays.asList("jranalyst"));
+ }
+
+ private final ResourceAuthorizationProvider authzProvider;
+ private File baseDir;
+
+ public TestResourceAuthorizationProviderGeneralCases() throws IOException {
+ baseDir = Files.createTempDir();
+ PolicyFiles.copyToDir(baseDir, "hive-policy-test-authz-provider.ini", "hive-policy-test-authz-provider-other-group.ini");
+ authzProvider = new HadoopGroupResourceAuthorizationProvider(
+ DBPolicyTestUtil.createPolicyEngineForTest("server1",
+ new File(baseDir, "hive-policy-test-authz-provider.ini").getPath()),
+ new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
+
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void doTestAuthorizables(
+ Subject subject, Set<? extends Action> privileges, boolean expected,
+ Authorizable... authorizables) throws Exception {
+ List<Authorizable> authzHierarchy = Arrays.asList(authorizables);
+ Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
+ helper.add("authorizables", authzHierarchy).add("Privileges", privileges);
+ LOGGER.info("Running with " + helper.toString());
+ Assert.assertEquals(helper.toString(), expected,
+ authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
+ LOGGER.info("Passed " + helper.toString());
+ }
+
+ private void doTestResourceAuthorizationProvider(Subject subject,
+ Server server, Database database, Table table,
+ Set<? extends Action> privileges, boolean expected) throws Exception {
+ List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
+ server, database, table
+ });
+ Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
+ helper.add("Subject", subject).add("Server", server).add("DB", database)
+ .add("Table", table).add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
+ LOGGER.info("Running with " + helper.toString());
+ Assert.assertEquals(helper.toString(), expected,
+ authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
+ LOGGER.info("Passed " + helper.toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, true);
+ doTestAuthorizables(SUB_ADMIN, SELECT, true, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES);
+
+ }
+ @Test
+ public void testManager() throws Exception {
+ doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
+ doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
+ doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
+ doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
+ }
+ @Test
+ public void testAnalyst() throws Exception {
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
+
+ // analyst sandbox
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, ALL, true);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, SELECT, true);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, INSERT, true);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_ANALYST, TBL_PURCHASES, SELECT, true);
+
+ // jr analyst sandbox
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, false);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, false);
+ doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
+ }
+ @Test
+ public void testJuniorAnalyst() throws Exception {
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);
+ // jr analyst sandbox
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, true);
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, true);
+ doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
+ }
+
+ public class MockGroupMappingServiceProvider implements GroupMappingService {
+ private final Multimap<String, String> userToGroupMap;
+
+ public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
+ this.userToGroupMap = userToGroupMap;
+ }
+
+ @Override
+ public Set<String> getGroups(String user) {
+ return Sets.newHashSet(userToGroupMap.get(user));
+ }
+ }
+}
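Review bot: None of the four role tests covers a subject with no group mapping, so the deny-by-default path is not pinned. The mock returns an empty set for such a user (`Sets.newHashSet(userToGroupMap.get(user))`), so a case like `doTestResourceAuthorizationProvider(new Subject("unmapped1"), SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);` would cover it, assuming the provider is meant to deny when no group resolves (the name `unmapped1` is a constructed sample). Separately, doTestAuthorizables leaves the subject out of its ToStringHelper, unlike doTestResourceAuthorizationProvider, so a failure does not say whose access was wrong. `helper.add("Subject", subject).add("authorizables", authzHierarchy).add("Privileges", privileges);` fixes that.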
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
new file mode 100644
index 0000000..bf57bf2
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
@@ -0,0 +1,123 @@
+ /*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.DBModelAction;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.io.Files;
+
+public class TestResourceAuthorizationProviderSpecialCases {
+ private AuthorizationProvider authzProvider;
+ private PolicyFile policyFile;
+ private File baseDir;
+ private File iniFile;
+ private String initResource;
+ @Before
+ public void setup() throws IOException {
+ baseDir = Files.createTempDir();
+ iniFile = new File(baseDir, "policy.ini");
+ initResource = "file://" + iniFile.getPath();
+ policyFile = new PolicyFile();
+ }
+
+ @After
+ public void teardown() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ @Test
+ public void testDuplicateEntries() throws Exception {
+ Subject user1 = new Subject("user1");
+ Server server1 = new Server("server1");
+ AccessURI uri = new AccessURI("file:///path/to/");
+ Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT);
+ policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
+ .addRolesToGroup("group1", true, "role1", "role1")
+ .addPermissionsToRole("role1", true, "server=" + server1.getName() + "->uri=" + uri.getName(),
+ "server=" + server1.getName() + "->uri=" + uri.getName());
+ policyFile.write(iniFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
+ authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
+ List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
+ Assert.assertTrue(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+ @Test
+ public void testNonAbolutePath() throws Exception {
+ Subject user1 = new Subject("user1");
+ Server server1 = new Server("server1");
+ AccessURI uri = new AccessURI("file:///path/to/");
+ Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT);
+ policyFile.addGroupsToUser(user1.getName(), "group1")
+ .addRolesToGroup("group1", "role1")
+ .addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName());
+ policyFile.write(iniFile);
+ PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
+ authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
+ // positive test
+ List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
+ Assert.assertTrue(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ // negative tests
+ // TODO we should support the case of /path/to/./ but let's to that later
+ uri = new AccessURI("file:///path/to/./");
+ authorizableHierarchy = ImmutableList.of(server1, uri);
+ Assert.assertFalse(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ uri = new AccessURI("file:///path/to/../");
+ authorizableHierarchy = ImmutableList.of(server1, uri);
+ Assert.assertFalse(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ uri = new AccessURI("file:///path/to/../../");
+ authorizableHierarchy = ImmutableList.of(server1, uri);
+ Assert.assertFalse(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ uri = new AccessURI("file:///path/to/dir/../../");
+ authorizableHierarchy = ImmutableList.of(server1, uri);
+ Assert.assertFalse(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testInvalidPath() throws Exception {
+ new AccessURI(":invaliduri");
+ }
+}
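Review bot: The negative half of testNonAbolutePath mixes two reasons for denial without saying so. `file:///path/to/./` names the granted directory itself, while `file:///path/to/../`, `file:///path/to/../../` and `file:///path/to/dir/../../` resolve above it. If the TODO about supporting `/path/to/./` is ever implemented through normalisation, only the first case should flip to allowed, so I would add a comment before the `..` cases such as `// must stay denied after any normalisation: resolves outside file:///path/to/`. The method name is also misspelled and could become `testNonAbsolutePath`.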
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
new file mode 100644
index 0000000..5d48280
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine {
+
+ private static MiniDFSCluster dfsCluster;
+ private static FileSystem fileSystem;
+ private static Path root;
+ private static Path etc;
+
+ @BeforeClass
+ public static void setupLocalClazz() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ File dfsDir = new File(baseDir, "dfs");
+ Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
+ Configuration conf = new Configuration();
+ conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
+ dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
+ fileSystem = dfsCluster.getFileSystem();
+ root = new Path(fileSystem.getUri().toString());
+ etc = new Path(root, "/etc");
+ fileSystem.mkdirs(etc);
+ }
+ @AfterClass
+ public static void teardownLocalClazz() {
+ if(dfsCluster != null) {
+ dfsCluster.shutdown();
+ }
+ }
+
+ @Override
+ protected void afterSetup() throws IOException {
+ fileSystem.delete(etc, true);
+ fileSystem.mkdirs(etc);
+ PolicyFiles.copyToDir(fileSystem, etc, "hive-policy-test-authz-provider.ini", "hive-policy-test-authz-provider-other-group.ini");
+ setPolicy(DBPolicyTestUtil.createPolicyEngineForTest("server1",
+ new Path(etc, "hive-policy-test-authz-provider.ini").toString()));
+ }
+ @Override
+ protected void beforeTeardown() throws IOException {
+ fileSystem.delete(etc, true);
+ }
+
+ @Test
+ public void testMultiFSPolicy() throws Exception {
+ File globalPolicyFile = new File(Files.createTempDir(), "global-policy.ini");
+ File dbPolicyFile = new File(Files.createTempDir(), "db11-policy.ini");
+
+ // Create global policy file
+ PolicyFile dbPolicy = new PolicyFile()
+ .addPermissionsToRole("db11_role", "server=server1->db=db11")
+ .addRolesToGroup("group1", "db11_role");
+
+ dbPolicy.write(dbPolicyFile);
+ Path dbPolicyPath = new Path(etc, "db11-policy.ini");
+
+ // create per-db policy file
+ PolicyFile globalPolicy = new PolicyFile()
+ .addPermissionsToRole("admin_role", "server=server1")
+ .addRolesToGroup("admin_group", "admin_role")
+ .addGroupsToUser("db", "admin_group");
+ globalPolicy.addDatabase("db11", dbPolicyPath.toUri().toString());
+ globalPolicy.write(globalPolicyFile);
+
+
+ PolicyFiles.copyFilesToDir(fileSystem, etc, globalPolicyFile);
+ PolicyFiles.copyFilesToDir(fileSystem, etc, dbPolicyFile);
+ PolicyEngine multiFSEngine =
+ DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+
+ Set<String> dbGroups = Sets.newHashSet();
+ dbGroups.add("group1");
+ ImmutableSet<String> dbPerms =
+ multiFSEngine.getAllPrivileges(dbGroups, ActiveRoleSet.ALL);
+ Assert.assertEquals("No DB permissions found", 1, dbPerms.size());
+ }
+}
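Review bot: testMultiFSPolicy calls `Files.createTempDir()` twice and never deletes either directory, so each run leaves two policy directories behind in the system temp location. The other test classes in this commit remove theirs in teardown. Placing both files under the directory the class already manages, e.g. `File globalPolicyFile = new File(getBaseDir(), "global-policy.ini");`, would avoid that, assuming the parent class cleans up getBaseDir() (not visible in this hunk). The two comments are also swapped: `// Create global policy file` sits above the per-db `dbPolicy`, and `// create per-db policy file` sits above `globalPolicy`.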
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java
new file mode 100644
index 0000000..b134c6d
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.hive;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.provider.file.PolicyFiles;
+
+public class TestSimpleDBPolicyEngineLocalFS extends AbstractTestSimplePolicyEngine {
+
+ @Override
+ protected void afterSetup() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
+ PolicyFiles.copyToDir(baseDir, "hive-policy-test-authz-provider.ini", "hive-policy-test-authz-provider-other-group.ini");
+ setPolicy(DBPolicyTestUtil.createPolicyEngineForTest("server1",
+ new File(baseDir, "hive-policy-test-authz-provider.ini").getPath()));
+ }
+ @Override
+ protected void beforeTeardown() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ FileUtils.deleteQuietly(baseDir);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini
new file mode 100644
index 0000000..cd3695c
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini
@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+other_group = analyst_role
+
+[roles]
+analyst_role = server=server1->db=other_group_db->table=purchases->action=select
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini
new file mode 100644
index 0000000..e9114ef
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[databases]
+other_group_db = hive-policy-test-authz-provider-other-group.ini
+
+[groups]
+manager = analyst_role, junior_analyst_role
+analyst = analyst_role
+jranalyst = junior_analyst_role
+admin = admin
+
+[roles]
+analyst_role = server=server1->db=customers->table=purchases->action=select, \
+ server=server1->db=analyst1, \
+ server=server1->db=jranalyst1->table=*->action=select
+junior_analyst_role = server=server1->db=jranalyst1, server=server1->db=customers->table=purchases_partial->action=select
+admin = server=server1
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java
new file mode 100644
index 0000000..d92e1ad
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Set;
+import java.util.TreeSet;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public abstract class AbstractTestSearchPolicyEngine {
+ private static final String ANALYST_PURCHASES_UPDATE = "collection=purchases->action=update";
+ private static final String ANALYST_ANALYST1_ALL = "collection=analyst1";
+ private static final String ANALYST_JRANALYST1_ACTION_ALL = "collection=jranalyst1->action=*";
+ private static final String ANALYST_TMPCOLLECTION_UPDATE = "collection=tmpcollection->action=update";
+ private static final String ANALYST_TMPCOLLECTION_QUERY = "collection=tmpcollection->action=query";
+ private static final String JRANALYST_JRANALYST1_ALL = "collection=jranalyst1";
+ private static final String JRANALYST_PURCHASES_PARTIAL_QUERY = "collection=purchases_partial->action=query";
+ private static final String ADMIN_COLLECTION_ALL = "collection=*";
+
+ private PolicyEngine policy;
+ private static File baseDir;
+
+ @BeforeClass
+ public static void setupClazz() throws IOException {
+ baseDir = Files.createTempDir();
+ }
+
+ @AfterClass
+ public static void teardownClazz() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ protected void setPolicy(PolicyEngine policy) {
+ this.policy = policy;
+ }
+ protected static File getBaseDir() {
+ return baseDir;
+ }
+ @Before
+ public void setup() throws IOException {
+ afterSetup();
+ }
+ @After
+ public void teardown() throws IOException {
+ beforeTeardown();
+ }
+ protected void afterSetup() throws IOException {
+
+ }
+
+ protected void beforeTeardown() throws IOException {
+
+ }
+
+ @Test
+ public void testManager() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL,
+ ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
+ ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL,
+ JRANALYST_PURCHASES_PARTIAL_QUERY));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL,
+ ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
+ ANALYST_TMPCOLLECTION_QUERY));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testJuniorAnalyst() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(JRANALYST_JRANALYST1_ALL,
+ JRANALYST_PURCHASES_PARTIAL_QUERY));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ private static Set<String> set(String... values) {
+ return Sets.newHashSet(values);
+ }
+}
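Review bot: In `setup()`, nothing checks that the subclass hook installed a policy engine. `afterSetup()` defaults to an empty body and `policy` stays null unless a subclass calls `setPolicy()`, so all four tests would fail with a NullPointerException at `policy.getPrivileges(...)` instead of a clear message. Adding `Assert.assertNotNull("afterSetup() must call setPolicy()", policy);` after the `afterSetup()` call makes the contract explicit; declaring `afterSetup()` abstract would enforce it at compile time. Separately, depending on the Guava version in use, `Files.createTempDir()` may create the directory with default permissions. `java.nio.file.Files.createTempDirectory(...)` restricts it to the owner, which is preferable on shared build hosts even for test policy files.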
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java
new file mode 100644
index 0000000..3856825
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.search.SimpleSearchPolicyEngine;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+
+import java.io.IOException;
+
+public class SearchPolicyTestUtil {
+
+ public static PolicyEngine createPolicyEngineForTest(String resource) throws IOException {
+
+ ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
+
+ // create backendContext
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(false);
+ context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
+ // initialize the backend with the context
+ providerBackend.initialize(context);
+
+
+ return new SimpleSearchPolicyEngine(providerBackend);
+ }
+}
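Review bot: `createPolicyEngineForTest` has no Javadoc, and the callers in this commit pass `resource` in three shapes (a local path, a `file://` URI and an HDFS path string), so the accepted forms should be written down. I would add a short Javadoc stating that it builds a `SimpleSearchPolicyEngine` over a `SimpleFileProviderBackend` for the given policy file, with `setAllowPerDatabase(false)` and the validators from `SearchPrivilegeModel`. The class only holds a static helper, so `public final class SearchPolicyTestUtil` with `private SearchPolicyTestUtil() {}` would prevent accidental instantiation.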
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java
new file mode 100644
index 0000000..a14f520
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import junit.framework.Assert;
+
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.search.validator.CollectionRequiredInPrivilege;
+import org.apache.shiro.config.ConfigurationException;
+import org.junit.Test;
+
+public class TestCollectionRequiredInRole {
+
+ @Test
+ public void testEmptyRole() throws Exception {
+ CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
+
+ // check no db
+ try {
+ collRequiredInRole.validate(new PrivilegeValidatorContext("index=index1"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException e) {
+ ;
+ }
+
+ // check with db
+ try {
+ collRequiredInRole.validate(new PrivilegeValidatorContext("db1","index=index2"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException e) {
+ ;
+ }
+ }
+
+ @Test
+ public void testCollectionWithoutAction() throws Exception {
+ CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
+ collRequiredInRole.validate(new PrivilegeValidatorContext("collection=nodb"));
+ collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db"));
+ }
+
+ @Test
+ public void testCollectionWithAction() throws Exception {
+ CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
+ collRequiredInRole.validate(new PrivilegeValidatorContext(null,"collection=nodb->action=query"));
+ collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db->action=update"));
+ }
+}
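Review bot: Both `catch (ConfigurationException e) { ; }` blocks in `testEmptyRole` swallow the exception with a bare `;`, which hides that rejection is the expected outcome. The `// check no db` and `// check with db` comments also do not say what is being asserted. Replace each `;` with a comment such as `// expected: a privilege without collection= must be rejected`, and consider a test name that reflects this (for example `testPrivilegeWithoutCollection`). The two positive tests pass only because `validate` does not throw; a one-line comment saying so would help the next reader.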
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java
new file mode 100644
index 0000000..f460d7a
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java
@@ -0,0 +1,192 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAction;
+import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.After;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Objects;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
+import com.google.common.io.Files;
+
+
+public class TestSearchAuthorizationProviderGeneralCases {
+
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestSearchAuthorizationProviderGeneralCases.class);
+
+ private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
+ .create();
+
+ private static final Subject SUB_ADMIN = new Subject("admin1");
+ private static final Subject SUB_MANAGER = new Subject("manager1");
+ private static final Subject SUB_ANALYST = new Subject("analyst1");
+ private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");
+
+ private static final Collection COLL_PURCHASES = new Collection("purchases");
+ private static final Collection COLL_ANALYST1 = new Collection("analyst1");
+ private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1");
+ private static final Collection COLL_TMP = new Collection("tmpcollection");
+ private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial");
+
+ private static final SearchModelAction QUERY = SearchModelAction.QUERY;
+ private static final SearchModelAction UPDATE = SearchModelAction.UPDATE;
+
+ static {
+ USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
+ USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
+ USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
+ USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
+ Arrays.asList("jranalyst"));
+ }
+
+ private final ResourceAuthorizationProvider authzProvider;
+ private File baseDir;
+
+ public TestSearchAuthorizationProviderGeneralCases() throws IOException {
+ baseDir = Files.createTempDir();
+ PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini");
+ authzProvider = new HadoopGroupResourceAuthorizationProvider(
+ SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()),
+ new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
+
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void doTestAuthProviderOnCollection(Subject subject,
+ Collection collection, Set<? extends Action> expectedPass) throws Exception {
+ Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE);
+ for(SearchModelAction action : allActions) {
+ doTestResourceAuthorizationProvider(subject, collection,
+ EnumSet.of(action), expectedPass.contains(action));
+ }
+ }
+
+ private void doTestResourceAuthorizationProvider(Subject subject,
+ Collection collection,
+ Set<? extends Action> privileges, boolean expected) throws Exception {
+ List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
+ collection
+ });
+ Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
+ helper.add("Subject", subject).add("Collection", collection)
+ .add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
+ LOGGER.info("Running with " + helper.toString());
+ Assert.assertEquals(helper.toString(), expected,
+ authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
+ LOGGER.info("Passed " + helper.toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions);
+ }
+
+ @Test
+ public void testManager() throws Exception {
+ Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly);
+
+ Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions);
+
+ Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly);
+
+ Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly);
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly);
+
+ Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions);
+
+ Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly);
+
+ Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions);
+ }
+
+ @Test
+ public void testJuniorAnalyst() throws Exception {
+ Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions);
+
+ Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly);
+
+ Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions);
+ }
+
+ public class MockGroupMappingServiceProvider implements GroupMappingService {
+ private final Multimap<String, String> userToGroupMap;
+
+ public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
+ this.userToGroupMap = userToGroupMap;
+ }
+
+ @Override
+ public Set<String> getGroups(String user) {
+ return Sets.newHashSet(userToGroupMap.get(user));
+ }
+ }
+}
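Review bot: `doTestAuthProviderOnCollection` probes only the hard-coded `EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE)`, so its deny assertions will not cover any action added to `SearchModelAction` later. The callers already build their expected sets with `EnumSet.allOf`. Using `Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);` keeps the probe list in step with the enum; whether the enum has other values today is not visible in this hunk. `MockGroupMappingServiceProvider` appears to use no state of the enclosing test and could be declared `public static class`.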
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
new file mode 100644
index 0000000..6d51dee
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
@@ -0,0 +1,83 @@
+ /*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAction;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.io.Files;
+
+public class TestSearchAuthorizationProviderSpecialCases {
+ private AuthorizationProvider authzProvider;
+ private PolicyFile policyFile;
+ private File baseDir;
+ private File iniFile;
+ private String initResource;
+ @Before
+ public void setup() throws IOException {
+ baseDir = Files.createTempDir();
+ iniFile = new File(baseDir, "policy.ini");
+ initResource = "file://" + iniFile.getPath();
+ policyFile = new PolicyFile();
+ }
+
+ @After
+ public void teardown() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ @Test
+ public void testDuplicateEntries() throws Exception {
+ Subject user1 = new Subject("user1");
+ Collection collection1 = new Collection("collection1");
+ Set<? extends Action> actions = EnumSet.allOf(SearchModelAction.class);
+ policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
+ .addRolesToGroup("group1", true, "role1", "role1")
+ .addPermissionsToRole("role1", true, "collection=" + collection1.getName(),
+ "collection=" + collection1.getName());
+ policyFile.write(iniFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(initResource);
+ authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
+ List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1);
+ Assert.assertTrue(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+
+}
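Review bot: `testDuplicateEntries` asserts only the allow path, so it would still pass if duplicated group, role or permission entries caused the provider to grant more than intended. A matching deny check on a collection the role does not name would pin that down, for example `Assert.assertFalse(authzProvider.hasAccess(user1, ImmutableList.of(new Collection("collection2")), actions, ActiveRoleSet.ALL));`. In `setup()`, `"file://" + iniFile.getPath()` builds the URI by string concatenation, which presumably breaks for temp paths containing spaces or on non-Unix separators. Deriving it from `iniFile.toURI()` would be safer if the backend accepts that form.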
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java
new file mode 100644
index 0000000..e7da13a
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.solr;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAuthorizables;
+import org.junit.Test;
+
+public class TestSearchModelAuthorizables {
+
+ @Test
+ public void testCollection() throws Exception {
+ Collection coll = (Collection) SearchModelAuthorizables.from("CoLleCtiOn=collection1");
+ assertEquals("collection1", coll.getName());
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNoKV() throws Exception {
+ System.out.println(SearchModelAuthorizables.from("nonsense"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(SearchModelAuthorizables.from("=v"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(SearchModelAuthorizables.from("k="));
+ }
+
+ @Test
+ public void testNotAuthorizable() throws Exception {
+ assertNull(SearchModelAuthorizables.from("k=v"));
+ }
+}
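Review bot: `testNoKV`, `testEmptyKey` and `testEmptyValue` wrap the call under test in `System.out.println(...)`, which adds nothing because the expected `IllegalArgumentException` is thrown before anything is printed. It would write noise to the build log if the call ever returned. Calling the method directly, e.g. `SearchModelAuthorizables.from("nonsense");`, states the intent more plainly. A short comment on `testCollection` noting that the mixed-case key `CoLleCtiOn` is deliberate, to show key matching is case-insensitive, would also help.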
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java
new file mode 100644
index 0000000..9813681
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine {
+
+ private static MiniDFSCluster dfsCluster;
+ private static FileSystem fileSystem;
+ private static Path root;
+ private static Path etc;
+
+ @BeforeClass
+ public static void setupLocalClazz() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ File dfsDir = new File(baseDir, "dfs");
+ Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
+ Configuration conf = new Configuration();
+ conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
+ dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
+ fileSystem = dfsCluster.getFileSystem();
+ root = new Path(fileSystem.getUri().toString());
+ etc = new Path(root, "/etc");
+ fileSystem.mkdirs(etc);
+ }
+
+ @AfterClass
+ public static void teardownLocalClazz() {
+ if(dfsCluster != null) {
+ dfsCluster.shutdown();
+ }
+ }
+
+ @Override
+ protected void afterSetup() throws IOException {
+ fileSystem.delete(etc, true);
+ fileSystem.mkdirs(etc);
+ PolicyFiles.copyToDir(fileSystem, etc, "solr-policy-test-authz-provider.ini");
+ setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new Path(etc,
+ "solr-policy-test-authz-provider.ini").toString()));
+ }
+
+ @Override
+ protected void beforeTeardown() throws IOException {
+ fileSystem.delete(etc, true);
+ }
+}
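Review bot: The results of `fileSystem.mkdirs(etc)` in `setupLocalClazz` and `afterSetup` are ignored, whereas the local directory a few lines earlier is guarded with `Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs())`. If the call returned false, the failure would surface later in `PolicyFiles.copyToDir` or policy loading with a less direct message. Writing `Assert.assertTrue(fileSystem.mkdirs(etc));` in both places keeps the checks consistent.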
[2/4] incubator-sentry git commit: SENTRY-1127: Move test cases from
sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
deleted file mode 100644
index 2da4699..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.DBModelAction;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.provider.common.MockGroupMappingServiceProvider;
-import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.After;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Objects;
-import com.google.common.collect.HashMultimap;
-import com.google.common.collect.Multimap;
-import com.google.common.io.Files;
-
-
-public class TestResourceAuthorizationProviderGeneralCases {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestResourceAuthorizationProviderGeneralCases.class);
-
- private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
- .create();
-
- private static final Subject SUB_ADMIN = new Subject("admin1");
- private static final Subject SUB_MANAGER = new Subject("manager1");
- private static final Subject SUB_ANALYST = new Subject("analyst1");
- private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");
-
- private static final Server SVR_SERVER1 = new Server("server1");
- private static final Server SVR_ALL = new Server(AccessConstants.ALL);
-
- private static final Database DB_CUSTOMERS = new Database("customers");
- private static final Database DB_ANALYST = new Database("analyst1");
- private static final Database DB_JR_ANALYST = new Database("jranalyst1");
-
- private static final Table TBL_PURCHASES = new Table("purchases");
-
- private static final Set<? extends Action> ALL = EnumSet.of(DBModelAction.ALL);
- private static final Set<? extends Action> SELECT = EnumSet.of(DBModelAction.SELECT);
- private static final Set<? extends Action> INSERT = EnumSet.of(DBModelAction.INSERT);
-
- static {
- USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
- USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
- USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
- USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
- Arrays.asList("jranalyst"));
- }
-
- private final ResourceAuthorizationProvider authzProvider;
- private File baseDir;
-
- public TestResourceAuthorizationProviderGeneralCases() throws IOException {
- baseDir = Files.createTempDir();
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
- authzProvider = new HadoopGroupResourceAuthorizationProvider(
- DBPolicyTestUtil.createPolicyEngineForTest("server1",
- new File(baseDir, "test-authz-provider.ini").getPath()),
- new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
-
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void doTestAuthorizables(
- Subject subject, Set<? extends Action> privileges, boolean expected,
- Authorizable... authorizables) throws Exception {
- List<Authorizable> authzHierarchy = Arrays.asList(authorizables);
- Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
- helper.add("authorizables", authzHierarchy).add("Privileges", privileges);
- LOGGER.info("Running with " + helper.toString());
- Assert.assertEquals(helper.toString(), expected,
- authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
- LOGGER.info("Passed " + helper.toString());
- }
-
- private void doTestResourceAuthorizationProvider(Subject subject,
- Server server, Database database, Table table,
- Set<? extends Action> privileges, boolean expected) throws Exception {
- List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
- server, database, table
- });
- Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
- helper.add("Subject", subject).add("Server", server).add("DB", database)
- .add("Table", table).add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
- LOGGER.info("Running with " + helper.toString());
- Assert.assertEquals(helper.toString(), expected,
- authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
- LOGGER.info("Passed " + helper.toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, true);
- doTestAuthorizables(SUB_ADMIN, SELECT, true, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES);
-
- }
- @Test
- public void testManager() throws Exception {
- doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
- doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
- doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
- doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
- }
- @Test
- public void testAnalyst() throws Exception {
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
-
- // analyst sandbox
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, ALL, true);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, SELECT, true);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, INSERT, true);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_ANALYST, TBL_PURCHASES, SELECT, true);
-
- // jr analyst sandbox
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, false);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, false);
- doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
- }
- @Test
- public void testJuniorAnalyst() throws Exception {
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);
- // jr analyst sandbox
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, true);
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, true);
- doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
deleted file mode 100644
index b166499..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,123 +0,0 @@
- /*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.DBModelAction;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.io.Files;
-
-public class TestResourceAuthorizationProviderSpecialCases {
- private AuthorizationProvider authzProvider;
- private PolicyFile policyFile;
- private File baseDir;
- private File iniFile;
- private String initResource;
- @Before
- public void setup() throws IOException {
- baseDir = Files.createTempDir();
- iniFile = new File(baseDir, "policy.ini");
- initResource = "file://" + iniFile.getPath();
- policyFile = new PolicyFile();
- }
-
- @After
- public void teardown() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- @Test
- public void testDuplicateEntries() throws Exception {
- Subject user1 = new Subject("user1");
- Server server1 = new Server("server1");
- AccessURI uri = new AccessURI("file:///path/to/");
- Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT);
- policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
- .addRolesToGroup("group1", true, "role1", "role1")
- .addPermissionsToRole("role1", true, "server=" + server1.getName() + "->uri=" + uri.getName(),
- "server=" + server1.getName() + "->uri=" + uri.getName());
- policyFile.write(iniFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
- authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
- List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
- Assert.assertTrue(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
- @Test
- public void testNonAbolutePath() throws Exception {
- Subject user1 = new Subject("user1");
- Server server1 = new Server("server1");
- AccessURI uri = new AccessURI("file:///path/to/");
- Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT);
- policyFile.addGroupsToUser(user1.getName(), "group1")
- .addRolesToGroup("group1", "role1")
- .addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName());
- policyFile.write(iniFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
- authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
- // positive test
- List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
- Assert.assertTrue(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- // negative tests
- // TODO we should support the case of /path/to/./ but let's to that later
- uri = new AccessURI("file:///path/to/./");
- authorizableHierarchy = ImmutableList.of(server1, uri);
- Assert.assertFalse(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- uri = new AccessURI("file:///path/to/../");
- authorizableHierarchy = ImmutableList.of(server1, uri);
- Assert.assertFalse(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- uri = new AccessURI("file:///path/to/../../");
- authorizableHierarchy = ImmutableList.of(server1, uri);
- Assert.assertFalse(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- uri = new AccessURI("file:///path/to/dir/../../");
- authorizableHierarchy = ImmutableList.of(server1, uri);
- Assert.assertFalse(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testInvalidPath() throws Exception {
- new AccessURI(":invaliduri");
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
deleted file mode 100644
index 901e5bf..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine {
-
- private static MiniDFSCluster dfsCluster;
- private static FileSystem fileSystem;
- private static Path root;
- private static Path etc;
-
- @BeforeClass
- public static void setupLocalClazz() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- File dfsDir = new File(baseDir, "dfs");
- Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
- Configuration conf = new Configuration();
- conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
- dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
- fileSystem = dfsCluster.getFileSystem();
- root = new Path(fileSystem.getUri().toString());
- etc = new Path(root, "/etc");
- fileSystem.mkdirs(etc);
- }
- @AfterClass
- public static void teardownLocalClazz() {
- if(dfsCluster != null) {
- dfsCluster.shutdown();
- }
- }
-
- @Override
- protected void afterSetup() throws IOException {
- fileSystem.delete(etc, true);
- fileSystem.mkdirs(etc);
- PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
- setPolicy(DBPolicyTestUtil.createPolicyEngineForTest("server1",
- new Path(etc, "test-authz-provider.ini").toString()));
- }
- @Override
- protected void beforeTeardown() throws IOException {
- fileSystem.delete(etc, true);
- }
-
- @Test
- public void testMultiFSPolicy() throws Exception {
- File globalPolicyFile = new File(Files.createTempDir(), "global-policy.ini");
- File dbPolicyFile = new File(Files.createTempDir(), "db11-policy.ini");
-
- // Create global policy file
- PolicyFile dbPolicy = new PolicyFile()
- .addPermissionsToRole("db11_role", "server=server1->db=db11")
- .addRolesToGroup("group1", "db11_role");
-
- dbPolicy.write(dbPolicyFile);
- Path dbPolicyPath = new Path(etc, "db11-policy.ini");
-
- // create per-db policy file
- PolicyFile globalPolicy = new PolicyFile()
- .addPermissionsToRole("admin_role", "server=server1")
- .addRolesToGroup("admin_group", "admin_role")
- .addGroupsToUser("db", "admin_group");
- globalPolicy.addDatabase("db11", dbPolicyPath.toUri().toString());
- globalPolicy.write(globalPolicyFile);
-
-
- PolicyFiles.copyFilesToDir(fileSystem, etc, globalPolicyFile);
- PolicyFiles.copyFilesToDir(fileSystem, etc, dbPolicyFile);
- PolicyEngine multiFSEngine =
- DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
-
- Set<String> dbGroups = Sets.newHashSet();
- dbGroups.add("group1");
- ImmutableSet<String> dbPerms =
- multiFSEngine.getAllPrivileges(dbGroups, ActiveRoleSet.ALL);
- Assert.assertEquals("No DB permissions found", 1, dbPerms.size());
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
deleted file mode 100644
index 435e4d8..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.file.PolicyFiles;
-
-public class TestSimpleDBPolicyEngineLocalFS extends AbstractTestSimplePolicyEngine {
-
- @Override
- protected void afterSetup() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
- setPolicy(DBPolicyTestUtil.createPolicyEngineForTest("server1",
- new File(baseDir, "test-authz-provider.ini").getPath()));
- }
- @Override
- protected void beforeTeardown() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- FileUtils.deleteQuietly(baseDir);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini b/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini
deleted file mode 100644
index cd3695c..0000000
--- a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini
+++ /dev/null
@@ -1,22 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-other_group = analyst_role
-
-[roles]
-analyst_role = server=server1->db=other_group_db->table=purchases->action=select
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini b/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini
deleted file mode 100644
index 2d00699..0000000
--- a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[databases]
-other_group_db = test-authz-provider-other-group.ini
-
-[groups]
-manager = analyst_role, junior_analyst_role
-analyst = analyst_role
-jranalyst = junior_analyst_role
-admin = admin
-
-[roles]
-analyst_role = server=server1->db=customers->table=purchases->action=select, \
- server=server1->db=analyst1, \
- server=server1->db=jranalyst1->table=*->action=select
-junior_analyst_role = server=server1->db=jranalyst1, server=server1->db=customers->table=purchases_partial->action=select
-admin = server=server1
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
deleted file mode 100644
index d1c415b..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSearchPolicyEngine {
- private static final String ANALYST_PURCHASES_UPDATE = "collection=purchases->action=update";
- private static final String ANALYST_ANALYST1_ALL = "collection=analyst1";
- private static final String ANALYST_JRANALYST1_ACTION_ALL = "collection=jranalyst1->action=*";
- private static final String ANALYST_TMPCOLLECTION_UPDATE = "collection=tmpcollection->action=update";
- private static final String ANALYST_TMPCOLLECTION_QUERY = "collection=tmpcollection->action=query";
- private static final String JRANALYST_JRANALYST1_ALL = "collection=jranalyst1";
- private static final String JRANALYST_PURCHASES_PARTIAL_QUERY = "collection=purchases_partial->action=query";
- private static final String ADMIN_COLLECTION_ALL = "collection=*";
-
- private PolicyEngine policy;
- private static File baseDir;
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testManager() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL,
- ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
- ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL,
- JRANALYST_PURCHASES_PARTIAL_QUERY));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL,
- ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
- ANALYST_TMPCOLLECTION_QUERY));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(JRANALYST_JRANALYST1_ALL,
- JRANALYST_PURCHASES_PARTIAL_QUERY));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyTestUtil.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyTestUtil.java
deleted file mode 100644
index 0f76050..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyTestUtil.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-import java.io.IOException;
-
-public class SearchPolicyTestUtil {
-
- public static PolicyEngine createPolicyEngineForTest(String resource) throws IOException {
-
- ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
-
- // create backendContext
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(false);
- context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
- // initialize the backend with the context
- providerBackend.initialize(context);
-
-
- return new SimpleSearchPolicyEngine(providerBackend);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
deleted file mode 100644
index 5da46f7..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.search;
-
-import junit.framework.Assert;
-
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.search.validator.CollectionRequiredInPrivilege;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestCollectionRequiredInRole {
-
- @Test
- public void testEmptyRole() throws Exception {
- CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
-
- // check no db
- try {
- collRequiredInRole.validate(new PrivilegeValidatorContext("index=index1"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- ;
- }
-
- // check with db
- try {
- collRequiredInRole.validate(new PrivilegeValidatorContext("db1","index=index2"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- ;
- }
- }
-
- @Test
- public void testCollectionWithoutAction() throws Exception {
- CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
- collRequiredInRole.validate(new PrivilegeValidatorContext("collection=nodb"));
- collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db"));
- }
-
- @Test
- public void testCollectionWithAction() throws Exception {
- CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
- collRequiredInRole.validate(new PrivilegeValidatorContext(null,"collection=nodb->action=query"));
- collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db->action=update"));
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
deleted file mode 100644
index c9c8330..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAction;
-import org.apache.sentry.provider.common.MockGroupMappingServiceProvider;
-import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.After;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Objects;
-import com.google.common.collect.HashMultimap;
-import com.google.common.collect.Multimap;
-import com.google.common.io.Files;
-
-
-public class TestSearchAuthorizationProviderGeneralCases {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestSearchAuthorizationProviderGeneralCases.class);
-
- private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
- .create();
-
- private static final Subject SUB_ADMIN = new Subject("admin1");
- private static final Subject SUB_MANAGER = new Subject("manager1");
- private static final Subject SUB_ANALYST = new Subject("analyst1");
- private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");
-
- private static final Collection COLL_PURCHASES = new Collection("purchases");
- private static final Collection COLL_ANALYST1 = new Collection("analyst1");
- private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1");
- private static final Collection COLL_TMP = new Collection("tmpcollection");
- private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial");
-
- private static final SearchModelAction QUERY = SearchModelAction.QUERY;
- private static final SearchModelAction UPDATE = SearchModelAction.UPDATE;
-
- static {
- USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
- USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
- USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
- USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
- Arrays.asList("jranalyst"));
- }
-
- private final ResourceAuthorizationProvider authzProvider;
- private File baseDir;
-
- public TestSearchAuthorizationProviderGeneralCases() throws IOException {
- baseDir = Files.createTempDir();
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- authzProvider = new HadoopGroupResourceAuthorizationProvider(
- SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "test-authz-provider.ini").getPath()),
- new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
-
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void doTestAuthProviderOnCollection(Subject subject,
- Collection collection, Set<? extends Action> expectedPass) throws Exception {
- Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE);
- for(SearchModelAction action : allActions) {
- doTestResourceAuthorizationProvider(subject, collection,
- EnumSet.of(action), expectedPass.contains(action));
- }
- }
-
- private void doTestResourceAuthorizationProvider(Subject subject,
- Collection collection,
- Set<? extends Action> privileges, boolean expected) throws Exception {
- List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
- collection
- });
- Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
- helper.add("Subject", subject).add("Collection", collection)
- .add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
- LOGGER.info("Running with " + helper.toString());
- Assert.assertEquals(helper.toString(), expected,
- authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
- LOGGER.info("Passed " + helper.toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
- doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions);
- doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions);
- doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions);
- doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions);
- doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions);
- }
-
- @Test
- public void testManager() throws Exception {
- Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
- doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly);
-
- Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
- doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions);
- doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions);
-
- Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
- doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly);
-
- Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
- doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly);
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
- doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly);
-
- Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
- doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions);
- doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions);
-
- Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
- doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly);
-
- Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
- doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions);
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
- doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions);
-
- Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
- doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly);
-
- Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
- doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions);
- doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions);
- doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
deleted file mode 100644
index b3a68a7..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,83 +0,0 @@
- /*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Set;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAction;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.io.Files;
-
-public class TestSearchAuthorizationProviderSpecialCases {
- private AuthorizationProvider authzProvider;
- private PolicyFile policyFile;
- private File baseDir;
- private File iniFile;
- private String initResource;
- @Before
- public void setup() throws IOException {
- baseDir = Files.createTempDir();
- iniFile = new File(baseDir, "policy.ini");
- initResource = "file://" + iniFile.getPath();
- policyFile = new PolicyFile();
- }
-
- @After
- public void teardown() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- @Test
- public void testDuplicateEntries() throws Exception {
- Subject user1 = new Subject("user1");
- Collection collection1 = new Collection("collection1");
- Set<? extends Action> actions = EnumSet.allOf(SearchModelAction.class);
- policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
- .addRolesToGroup("group1", true, "role1", "role1")
- .addPermissionsToRole("role1", true, "collection=" + collection1.getName(),
- "collection=" + collection1.getName());
- policyFile.write(iniFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(initResource);
- authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
- List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1);
- Assert.assertTrue(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
deleted file mode 100644
index 1eb9576..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.search;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNull;
-
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizables;
-import org.junit.Test;
-
-public class TestSearchModelAuthorizables {
-
- @Test
- public void testCollection() throws Exception {
- Collection coll = (Collection) SearchModelAuthorizables.from("CoLleCtiOn=collection1");
- assertEquals("collection1", coll.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(SearchModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(SearchModelAuthorizables.from("=v"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(SearchModelAuthorizables.from("k="));
- }
-
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(SearchModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
deleted file mode 100644
index 292685b..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine {
-
- private static MiniDFSCluster dfsCluster;
- private static FileSystem fileSystem;
- private static Path root;
- private static Path etc;
-
- @BeforeClass
- public static void setupLocalClazz() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- File dfsDir = new File(baseDir, "dfs");
- Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
- Configuration conf = new Configuration();
- conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
- dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
- fileSystem = dfsCluster.getFileSystem();
- root = new Path(fileSystem.getUri().toString());
- etc = new Path(root, "/etc");
- fileSystem.mkdirs(etc);
- }
-
- @AfterClass
- public static void teardownLocalClazz() {
- if(dfsCluster != null) {
- dfsCluster.shutdown();
- }
- }
-
- @Override
- protected void afterSetup() throws IOException {
- fileSystem.delete(etc, true);
- fileSystem.mkdirs(etc);
- PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini");
- setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new Path(etc,
- "test-authz-provider.ini").toString()));
- }
-
- @Override
- protected void beforeTeardown() throws IOException {
- fileSystem.delete(etc, true);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java
deleted file mode 100644
index 9d34460..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.file.PolicyFiles;
-
-public class TestSearchPolicyEngineLocalFS extends AbstractTestSearchPolicyEngine {
-
- @Override
- protected void afterSetup() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "test-authz-provider.ini").getPath()));
- }
- @Override
- protected void beforeTeardown() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- FileUtils.deleteQuietly(baseDir);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
deleted file mode 100644
index 9155dad..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Collections;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSearchPolicyNegative {
-
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestSearchPolicyNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
- private File otherPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- otherPolicyFile = new File(baseDir, "other.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testPerDbFileException() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = some_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("some_role = collection=c1", otherPolicyFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
- Assert.assertEquals(Collections.emptySet(),
- policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL));
- }
-
- @Test
- public void testCollectionRequiredInRole() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = some_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("some_role = action=query", globalPolicyFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testGroupIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = collection=*", globalPolicyFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini b/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini
deleted file mode 100644
index 8af8162..0000000
--- a/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini
+++ /dev/null
@@ -1,31 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-manager = analyst_role, junior_analyst_role
-analyst = analyst_role
-jranalyst = junior_analyst_role
-admin = admin
-
-[roles]
-analyst_role = collection=purchases->action=update, \
- collection=analyst1, \
- collection=jranalyst1->action=*, \
- collection=tmpcollection->action=update, \
- collection=tmpcollection->action=query
-junior_analyst_role = collection=jranalyst1, collection=purchases_partial->action=query
-admin = collection=*
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
deleted file mode 100644
index 1389fca..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSqoopPolicyEngine {
- private static final String OPERATOR_JDBC_CONNECTORS_READ = "server=server1->connector=generic-jdbc-connector->action=read";
- private static final String OPERATOR_HDFS_CONNECTORS_READ = "server=server1->connector=hdfs-connector->action=read";
- private static final String OPERATOR_KAFKA_CONNECTORS_READ = "server=server1->connector=kafka-connector->action=read";
- private static final String OPERATOR_KITE_CONNECTORS_READ = "server=server1->connector=kite-connector->action=read";
- private static final String ANALYST_JOBS_ALL = "server=server1->job=all->action=*";
- private static final String OPERATOR_JOB1_READ = "server=server1->job=job1->action=read";
- private static final String OPERATOR_JOB2_READ = "server=server1->job=job2->action=read";
- private static final String ANALYST_LINKS_ALL = "server=server1->link=all->action=*";
- private static final String OPERATOR_LINK1_READ = "server=server1->link=link1->action=read";
- private static final String OPERATOR_LINK2_READ = "server=server1->link=link2->action=read";
- private static final String ADMIN = "server=server1->action=*";
-
- private PolicyEngine policy;
- private static File baseDir;
-
- protected String sqoopServerName = "server1";
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testDeveloper() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- OPERATOR_JDBC_CONNECTORS_READ, OPERATOR_HDFS_CONNECTORS_READ,
- OPERATOR_KAFKA_CONNECTORS_READ, OPERATOR_KITE_CONNECTORS_READ,
- ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
- Assert.assertEquals(expected.toString(),
- Sets.newTreeSet(policy.getPrivileges(set("developer"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testConnectorOperator() throws Exception {
-
- }
-
- @Test
- public void testJobOperator() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(OPERATOR_JOB1_READ,OPERATOR_JOB2_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("job1_2_operator"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testLinkOperator() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(OPERATOR_LINK1_READ, OPERATOR_LINK2_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("link1_2_operator"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java
deleted file mode 100644
index fd577d6..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.util.Set;
-
-import org.apache.sentry.provider.common.GroupMappingService;
-
-import com.google.common.collect.Multimap;
-import com.google.common.collect.Sets;
-
-public class MockGroupMappingServiceProvider implements GroupMappingService {
- private final Multimap<String, String> userToGroupMap;
-
- public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
- this.userToGroupMap = userToGroupMap;
- }
- @Override
- public Set<String> getGroups(String user) {
- return Sets.newHashSet(userToGroupMap.get(user));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
deleted file mode 100644
index a76554e..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-import java.io.IOException;
-
-public class SqoopPolicyTestUtil {
-
- public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException {
-
- ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
-
- // create backendContext
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(false);
- context.setValidators(SqoopPrivilegeModel.getInstance().getPrivilegeValidators(server));
- // initialize the backend with the context
- providerBackend.initialize(context);
-
-
- return new SimpleSqoopPolicyEngine(providerBackend);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
deleted file mode 100644
index 218a2da..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import junit.framework.Assert;
-
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.sqoop.validator.ServerNameRequiredMatch;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestServerNameRequiredMatch {
- @Test
- public void testWithoutServerName() {
- ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
- try {
- serverNameMatch.validate(new PrivilegeValidatorContext("connector=c1->action=read"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException ex) {
- }
- }
- @Test
- public void testServerNameNotMatch() throws Exception {
- ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
- try {
- serverNameMatch.validate(new PrivilegeValidatorContext("server=server2->connector=c1->action=read"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException ex) {
- }
- }
- @Test
- public void testServerNameMatch() throws Exception {
- ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
- try {
- serverNameMatch.validate(new PrivilegeValidatorContext("server=server1->connector=c1->action=read"));
- } catch (ConfigurationException ex) {
- Assert.fail("Not expected ConfigurationException");
- }
- }
-
-}