Posted to commits@sentry.apache.org by pr...@apache.org on 2015/02/12 19:25:34 UTC
incubator-sentry git commit: SENTRY-650: Support drop privilege for
truncate table (Prasad Mujumdar, reviewed by Colin Ma)
Repository: incubator-sentry
Updated Branches:
refs/heads/master a4ca17d57 -> 1190a792b
SENTRY-650: Support drop privilege for truncate table (Prasad Mujumdar, reviewed by Colin Ma)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1190a792
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1190a792
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1190a792
Branch: refs/heads/master
Commit: 1190a792bef043a7d94bbe0b5f873b6e7008761a
Parents: a4ca17d
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Thu Feb 12 00:50:32 2015 -0800
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Thu Feb 12 00:50:32 2015 -0800
----------------------------------------------------------------------
.../hive/authz/HiveAuthzPrivilegesMap.java | 7 ++
.../e2e/hive/TestPrivilegesAtTableScope.java | 87 ++++++++++++++++++++
2 files changed, 94 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1190a792/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index cfa2ca9..6efeed6 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -186,6 +186,12 @@ public class HiveAuthzPrivilegesMap {
setOperationType(HiveOperationType.QUERY).
build();
+ HiveAuthzPrivileges truncateTablePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
+ addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.DROP)).
+ setOperationScope(HiveOperationScope.TABLE).
+ setOperationType(HiveOperationType.DDL).
+ build();
+
hiveAuthzStmtPrivMap.put(HiveOperation.CREATEDATABASE, createServerPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.DROPDATABASE, dropDbPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.CREATETABLE, tableCreatePrivilege);
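Review bot: The new `truncateTablePrivilege` gives no hint why TRUNCATE is gated on DROP rather than on INSERT or on table-level ALL, and since it sits among the other copy-shaped builder entries a reader has to go back to the commit message to recover the reasoning. A one-line comment above the builder would carry it: `// TRUNCATE discards every row, so it needs the same DROP privilege as dropping the table; ALL on the table covers it, INSERT or SELECT alone does not.` The registration under HiveOperation.TRUNCATETABLE lives in the second hunk of this file, and the enclosing static initializer starts and ends outside this hunk.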
@@ -284,6 +290,7 @@ public class HiveAuthzPrivilegesMap {
hiveAuthzStmtPrivMap.put(HiveOperation.QUERY, tableQueryPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.DESCDATABASE, dbMetaDataPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.DESCTABLE, tableMetaDataPrivilege);
+ hiveAuthzStmtPrivMap.put(HiveOperation.TRUNCATETABLE, truncateTablePrivilege);
}
public static HiveAuthzPrivileges getHiveAuthzPrivileges(HiveOperation hiveStmtOp) {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1190a792/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
index bbac5c8..0c15389 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
@@ -660,4 +660,91 @@ public class TestPrivilegesAtTableScope extends AbstractTestWithStaticConfigurat
statement.close();
connection.close();
}
+
+ /***
+ * Verify truncate table permissions for different users with different
+ * privileges
+ * @throws Exception
+ */
+ @Test
+ public void testTruncateTable() throws Exception {
+ File dataDir = context.getDataDir();
+ // copy data file to test dir
+ File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME);
+ FileOutputStream to = new FileOutputStream(dataFile);
+ Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to);
+ to.close();
+
+ policyFile
+ .addRolesToGroup(USERGROUP1, "all_tab1")
+ .addPermissionsToRole("all_tab1",
+ "server=server1->db=" + DB1 + "->table=" + TBL2)
+ .addRolesToGroup(USERGROUP2, "drop_tab1")
+ .addPermissionsToRole("drop_tab1",
+ "server=server1->db=" + DB1 + "->table=" + TBL3 + "->action=drop",
+ "server=server1->db=" + DB1 + "->table=" + TBL3 + "->action=select")
+ .addRolesToGroup(USERGROUP3, "select_tab1")
+ .addPermissionsToRole("select_tab1",
+ "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+
+ statement.execute("USE " + DB1);
+ statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.execute("CREATE TABLE " + TBL2 + "(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.execute("CREATE TABLE " + TBL3 + "(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath()
+ + "' INTO TABLE " + TBL1);
+ statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath()
+ + "' INTO TABLE " + TBL2);
+ statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath()
+ + "' INTO TABLE " + TBL3);
+
+ // verify admin can execute truncate table
+ statement.execute("TRUNCATE TABLE " + TBL1);
+ assertFalse(hasData(statement, TBL1));
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ statement.execute("USE " + DB1);
+ // verify all on tab can truncate table
+ statement.execute("TRUNCATE TABLE " + TBL2);
+ assertFalse(hasData(statement, TBL2));
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ statement.execute("USE " + DB1);
+ // verify drop on tab can truncate table
+ statement.execute("TRUNCATE TABLE " + TBL3);
+ assertFalse(hasData(statement, TBL3));
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ statement.execute("USE " + DB1);
+ // verify select on tab can NOT truncate table
+ context.assertAuthzException(statement, "TRUNCATE TABLE " + TBL3);
+ statement.close();
+ connection.close();
+ }
+
+ // verify that the given table has data
+ private boolean hasData(Statement stmt, String tableName) throws Exception {
+ ResultSet rs1 = stmt.executeQuery("SELECT * FROM " + tableName);
+ boolean hasResults = rs1.next();
+ rs1.close();
+ return hasResults;
+ }
}
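Review bot: The negative check at the end of testTruncateTable does not exercise the case its comment describes: USER3_1's role `select_tab1` is granted select only on TBL1, yet the statement that is expected to fail targets TBL3, on which that user holds no privilege at all, so the assertion passes even if SELECT were (wrongly) sufficient for TRUNCATE. Point it at the table the user can actually read: `context.assertAuthzException(statement, "TRUNCATE TABLE " + TBL1);`. Separately, the `FileOutputStream to` opened for the data copy is closed only on the happy path; wrapping the copy in `try { ... } finally { to.close(); }` (or try-with-resources if the module's Java level allows it) keeps a failed copy from leaking the handle across the test run.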