You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/06/27 16:47:32 UTC
[05/17] sentry git commit: SENTRY-2282: Remove hive-authzv2 binding
and tests modules completely (Sergio Pena, reviewed by Na Li)
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
deleted file mode 100644
index c8712e7..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import com.google.common.io.Resources;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.Statement;
-
-public class TestPerDatabasePolicyFile extends AbstractTestWithStaticConfiguration {
- private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
- private PolicyFile policyFile;
- private File dataDir;
- private File dataFile;
-
- @Before
- public void setup() throws Exception {
- policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
- writePolicyFile(policyFile);
- dataDir = context.getDataDir();
- dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
- }
-
- private void createSampleDbTable(Statement statement, String db, String table)
- throws Exception {
- statement.execute("DROP DATABASE IF EXISTS " + db + " CASCADE");
- statement.execute("CREATE DATABASE " + db);
- statement.execute("USE " + db);
- statement.execute("CREATE TABLE " + table + "(a STRING)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + table);
-
- }
-
- /**
- * Ensure that db specific file cannot grant to other db
- */
- @Test
- public void testDbSpecificFileGrantsToOtherDb() throws Exception {
- doTestDbSpecificFileGrants("server=server1->db=" + DB1);
- }
- /**
- * Ensure that db specific file cannot grant to all db
- */
- @Test
- public void testDbSpecificFileGrantsToAllDb() throws Exception {
- doTestDbSpecificFileGrants("server=server1");
- }
- /**
- * Ensure that db specific file cannot grant to all servers
- */
- @Test
- public void testDbSpecificFileGrantsToAllServers() throws Exception {
- doTestDbSpecificFileGrants("server=*");
- }
- /**
- * Ensure that db specific file cannot grant to all
- */
- @Test
- public void testDbSpecificFileGrantsToAll() throws Exception {
- doTestDbSpecificFileGrants("*");
- }
-
- public void doTestDbSpecificFileGrants(String grant) throws Exception {
-
- policyFile
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- createSampleDbTable(statement, DB1, "tbl1");
- createSampleDbTable(statement, DB2, "tbl1");
- statement.close();
- connection.close();
-
- File specificPolicyFileFile = new File(baseDir, "db2-policy.ini");
-
- PolicyFile specificPolicyFile = new PolicyFile()
- .addPermissionsToRole("db1_role", grant)
- .addRolesToGroup("group1", "db1_role");
- specificPolicyFile.write(specificPolicyFileFile);
-
- policyFile.addDatabase(DB2, specificPolicyFileFile.getPath());
- writePolicyFile(policyFile);
-
- // test execution
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- // test user can query table
- context.assertAuthzException(statement, "USE " + DB1);
- context.assertAuthzException(statement, "SELECT COUNT(a) FROM " + DB1 + ".tbl1");
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java
deleted file mode 100644
index b6be09f..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * Copyright 2014 The Apache Software Foundation.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.util.Map;
-import java.util.Set;
-
-
-import org.apache.sentry.binding.hive.SentryPolicyFileFormatFactory;
-import org.apache.sentry.binding.hive.SentryPolicyFileFormatter;
-import org.apache.sentry.binding.hive.authz.SentryConfigTool;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.common.io.Resources;
-
-public class TestPolicyImportExport extends AbstractTestWithStaticConfiguration {
-
- // resources/testPolicyImport.ini is used for the import test and all the following
- // privileges(PRIVILIEGE1...8) are defined the same as in testPolicyImport.ini, used for verifying
- // the test result.
- public static String PRIVILIEGE1 = "server=server1";
- public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false";
- public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true";
- public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert";
- public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert";
- public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true";
- public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true";
- public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert";
-
- private SentryConfigTool configTool;
- private Map<String, Map<String, Set<String>>> policyFileMappingData;
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception{
- useSentryService = true;
- // add current user to admin group to get the permission for import/export
- String requestorUserName = System.getProperty("user.name", "");
- StaticUserGroup.getStaticMapping().put(requestorUserName, ADMINGROUP);
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Before
- public void setup() throws Exception {
- configTool = new SentryConfigTool();
- configTool.setPolicyFile(context.getPolicyFile().getPath());
- configTool.setupConfig();
- importAdminPrivilege();
- }
-
- private void importAdminPrivilege() throws Exception {
- prepareForImport("testPolicyImportAdmin.ini");
- configTool.importPolicy();
- }
-
- private void prepareExceptedData() {
- // test data for:
- // [groups]
- // group1=roleImport1,roleImport2
- // group2=roleImport1,roleImport2,roleImport3
- // group3=roleImport2,roleImport3
- // [roles]
- // roleImport1=privilege1,privilege2,privilege3,privilege4
- // roleImport2=privilege3,privilege4,privilege5,privilege6
- // roleImport3=privilege5,privilege6,privilege7,privilege8
- policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- groupRolesMap.put("group1", Sets.newHashSet("roleimport1", "roleimport2"));
- groupRolesMap.put("group2", Sets.newHashSet("roleimport1", "roleimport2", "roleimport3"));
- groupRolesMap.put("group3", Sets.newHashSet("roleimport2", "roleimport3"));
- // the adminrole is defined in testPolicyImportAdmin.ini
- groupRolesMap.put("admin", Sets.newHashSet("adminrole"));
- rolePrivilegesMap.put("roleimport1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
- rolePrivilegesMap.put("roleimport2",
- Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6));
- rolePrivilegesMap.put("roleimport3",
- Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- // the adminrole is defined in testPolicyImportAdmin.ini
- rolePrivilegesMap.put("adminrole", Sets.newHashSet(PRIVILIEGE1));
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
-
- }
-
- @Test
- public void testImportExportPolicy() throws Exception {
- String importFileName = "testPolicyImport.ini";
- String exportFileName = "testPolicyExport.ini";
- File importFile = new File(dataDir, importFileName);
- File exportFile = new File(dataDir, exportFileName);
- FileOutputStream to = new FileOutputStream(importFile);
- Resources.copy(Resources.getResource(importFileName), to);
- to.close();
- configTool.setImportPolicyFilePath(importFile.getAbsolutePath());
- configTool.importPolicy();
-
- configTool.setExportPolicyFilePath(exportFile.getAbsolutePath());
- configTool.exportPolicy();
-
- SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory
- .createFileFormatter(configTool.getAuthzConf());
- Map<String, Map<String, Set<String>>> exportMappingData = sentryPolicyFileFormatter.parse(
- exportFile.getAbsolutePath(), configTool.getAuthzConf());
-
- prepareExceptedData();
- validateSentryMappingData(exportMappingData, policyFileMappingData);
- }
-
- @Test
- public void testImportExportPolicyForError() throws Exception {
- prepareForImport("testPolicyImportError.ini");
- try {
- configTool.importPolicy();
- fail("IllegalArgumentException should be thrown for: Invalid key value: server [server]");
- } catch (IllegalArgumentException ex) {
- // ignore
- }
- }
-
- private void prepareForImport(String resorceName) throws Exception {
- File importFile = new File(dataDir, resorceName);
- FileOutputStream to = new FileOutputStream(importFile);
- Resources.copy(Resources.getResource(resorceName), to);
- to.close();
- configTool.setImportPolicyFilePath(importFile.getAbsolutePath());
- }
-
- // verify the mapping data
- public void validateSentryMappingData(Map<String, Map<String, Set<String>>> actualMappingData,
- Map<String, Map<String, Set<String>>> expectedMappingData) {
- validateGroupRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS),
- expectedMappingData.get(PolicyFileConstants.GROUPS));
- validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES),
- expectedMappingData.get(PolicyFileConstants.ROLES));
- }
-
- // verify the mapping data for [group,role]
- private void validateGroupRolesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> expectedMap) {
- assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
- for (String groupName : actualMap.keySet()) {
- Set<String> actualRoles = actualMap.get(groupName);
- Set<String> expectedRoles = expectedMap.get(groupName);
- assertEquals(actualRoles.size(), expectedRoles.size());
- assertTrue(actualRoles.equals(expectedRoles));
- }
- }
-
- // verify the mapping data for [role,privilege]
- private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> expectedMap) {
- assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
- for (String roleName : actualMap.keySet()) {
- Set<String> actualPrivileges = actualMap.get(roleName);
- Set<String> exceptedPrivileges = expectedMap.get(roleName);
- assertEquals(exceptedPrivileges.size(), actualPrivileges.size());
- for (String actualPrivilege : actualPrivileges) {
- boolean isFound = exceptedPrivileges.contains(actualPrivilege);
- if (!isFound) {
- String withOptionPrivilege = SentryConstants.AUTHORIZABLE_JOINER.join(actualPrivilege,
- SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME,
- "false"));
- isFound = exceptedPrivileges.contains(withOptionPrivilege);
- }
- assertTrue(isFound);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
deleted file mode 100644
index 310610e..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.Statement;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-public class TestPrivilegeAtTransform extends AbstractTestWithStaticConfiguration {
- private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
- private File dataDir;
- private File dataFile;
- private PolicyFile policyFile;
-
- @Override
- @Before
- public void setup() throws Exception {
- dataDir = context.getDataDir();
- dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
- policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
- }
-
- /**
- * Steps:
- * 1. admin create database, create table, load data into it
- * 2. all@server can issue transforms command
- * 3. all@database cannot issue transform command
- * 4. insert@table select@table cannot issue transform command
- * 5. select@view cannot issue transform command
- * 6. transform@server can issue the transform command
- * 7. non-admin user with URI privilege on transform can execute query
- */
- @Test
- public void testTransform1() throws Exception {
- policyFile
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("transform_uri", "server=server1->uri=file:///bin/cat")
- .addRolesToGroup(USERGROUP1, "all_db1")
- .addRolesToGroup(USERGROUP2, "all_db1", "transform_uri")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // verify by SQL
- // 1, 2
- String tableName1 = "tb_1";
- String query = "select TRANSFORM(a.under_col, a.value) "
- + "USING '/bin/cat' AS (tunder_col, tvalue) FROM " + DB1 + "." + tableName1 + " a";
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("DROP TABLE IF EXISTS " + DB1 + "." + tableName1);
- statement.execute("create table " + DB1 + "." + tableName1
- + " (under_col int, value string)");
- statement.execute("load data local inpath '" + dataFile.getPath()
- + "' into table " + DB1 + "." + tableName1);
- assertTrue(query, statement.execute(query));
-
- statement.close();
- connection.close();
-
- // 3
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- context.assertAuthzException(statement, query);
-
- // 4
- policyFile
- .addPermissionsToRole("select_tb1", "server=server1->db=" + DB1 + "->table=tb_1->action=select")
- .addPermissionsToRole("insert_tb1", "server=server1->db=" + DB1 + "->table=tb_1->action=insert")
- .addRolesToGroup(USERGROUP1, "select_tb1", "insert_tb1");
- writePolicyFile(policyFile);
- context.assertAuthzException(statement, query);
-
- // 5
- policyFile
- .addPermissionsToRole("all_server1", "server=server1")
- .addRolesToGroup(USERGROUP1, "all_server1");
- writePolicyFile(policyFile);
- assertTrue(query, statement.execute(query));
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- assertTrue(query, statement.execute(query));
- statement.close();
- connection.close();
-
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
deleted file mode 100644
index 9aac78c..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.junit.Assert;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-/* Tests privileges at column scope within a single database.
- */
-
-public class TestPrivilegesAtColumnScope extends AbstractTestWithStaticConfiguration {
-
- private static PolicyFile policyFile;
- private final static String MULTI_TYPE_DATA_FILE_NAME = "emp.dat";
-
- @Before
- public void setup() throws Exception {
- policyFile = super.setupPolicy();
- super.setup();
- prepareDBDataForTest();
- }
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- private static void prepareDBDataForTest() throws Exception {
- // copy data file to test dir
- File dataDir = context.getDataDir();
- File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
- statement.execute("CREATE DATABASE DB_1");
- statement.execute("USE DB_1");
- statement.execute("CREATE TABLE TAB_1(A STRING, B STRING)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_1");
- statement.execute("CREATE VIEW VIEW_1(A,B) AS SELECT A,B FROM TAB_1");
- statement.execute("CREATE TABLE TAB_2(A STRING, B STRING)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_2");
- statement.execute("CREATE VIEW VIEW_2(A,B) AS SELECT A,B FROM TAB_2");
- //create table with partitions
- statement.execute("CREATE TABLE TAB_3 (A STRING, B STRING) partitioned by (C STRING)");
- statement.execute("ALTER TABLE TAB_3 ADD PARTITION (C=1)");
- statement.execute("ALTER TABLE TAB_3 ADD PARTITION (C=2)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_3 PARTITION (C=1)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_3 PARTITION (C=2)");
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TAB_1, TAB_2 in DB_1, loads data into
- * TAB_1, TAB_2.
- * Admin grants SELECT on just one column of TAB_1, TAB_2 to USER_GROUP1 of which
- * user1 is a member.
- * Admin grants SELECT on all column of TAB_1, TAB_2 to USER_GROUP2 of which
- * user2 is a member.
- */
- @Test
- public void testSelectColumnOnTable() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1_A", "select_tab2_A")
- .addRolesToGroup(USERGROUP2, "select_tab1_A", "select_tab1_B", "select_tab2_A", "select_tab2_B")
- .addPermissionsToRole("select_tab1_A", "server=server1->db=DB_1->table=TAB_1->column=A->action=select")
- .addPermissionsToRole("select_tab1_B", "server=server1->db=DB_1->table=TAB_1->column=B->action=select")
- .addPermissionsToRole("select_tab2_A", "server=server1->db=DB_1->table=TAB_2->column=A->action=select")
- .addPermissionsToRole("select_tab2_B", "server=server1->db=DB_1->table=TAB_2->column=B->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution on user1
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
-
- // test user can execute query count on column A on tab_1
- statement.executeQuery("SELECT COUNT(A) FROM TAB_1");
-
- // test user can execute query column A on tab_1
- statement.executeQuery("SELECT A FROM TAB_1");
-
- // negative test: test user can't execute query count of column B on tab_1
- try {
- statement.execute("SELECT COUNT(B) FROM TAB_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't execute query column B on tab_1
- try {
- statement.execute("SELECT B FROM TAB_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't query view
- try {
- statement.execute("SELECT COUNT(A) FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.close();
- connection.close();
-
- // test execution on user2
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- // test user can execute query count of column A on tab_1
- statement.executeQuery("SELECT COUNT(A) FROM TAB_1");
-
- // test user can execute query count of column B on tab_1
- statement.executeQuery("SELECT COUNT(B) FROM TAB_1");
-
- // test user can't execute query count using * on tab_1
- try {
- statement.execute("SELECT COUNT(*) FROM TAB_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // test user can execute SELECT * on tab_1
- statement.executeQuery("SELECT * FROM TAB_1");
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TAB_1, TAB_2 in DB_1, loads data into
- * TAB_1, TAB_2. Admin view on TAB_1 and TAB_2
- * Admin grants SELECT on just one column of VIEW_1, VIEW_2 to USER_GROUP1 of which
- * user1 is a member.
- * Admin grants SELECT on all column of TAB_1, TAB_2 to USER_GROUP2 of which
- * user2 is a member.
- * Note: We don't support column level privilege on VIEW
- */
- @Test
- public void testSelectColumnOnView() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_view1_A", "select_view2_A")
- .addRolesToGroup(USERGROUP2, "select_view1_A", "select_view1_B", "select_view2_A", "select_view2_B")
- .addPermissionsToRole("select_view1_A", "server=server1->db=DB_1->table=VIEW_1->column=A->action=select")
- .addPermissionsToRole("select_view1_B", "server=server1->db=DB_1->table=VIEW_1->column=B->action=select")
- .addPermissionsToRole("select_view2_A", "server=server1->db=DB_1->table=VIEW_2->column=A->action=select")
- .addPermissionsToRole("select_view2_B", "server=server1->db=DB_1->table=VIEW_2->column=B->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution on user1
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- // negative test: test user can't execute query count of column B on tab_1
- try {
- statement.execute("SELECT COUNT(B) FROM TAB_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- // negative test: test user can't execute query count of column A on tab_1
- try {
- statement.execute("SELECT COUNT(A) FROM TAB_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't query column of view
- try {
- statement.execute("SELECT COUNT(A) FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- // negative test: test user can't query column of view
- try {
- statement.execute("SELECT COUNT(B) FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
-
- // test execution on user2
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- // test user can execute query count of column A on tab_1
- try {
- statement.execute("SELECT COUNT(A) FROM TAB_1");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- // test user can execute query count of column B on tab_1
- try {
- statement.execute("SELECT COUNT(B) FROM TAB_1");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- // test user can't execute query count using * on tab_1
- try {
- statement.execute("SELECT COUNT(*) FROM TAB_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- try {
- statement.execute("SELECT * FROM TAB_1");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't query view
- try {
- statement.execute("SELECT COUNT(A) FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- try {
- statement.execute("SELECT COUNT(B) FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't create a new view
- try {
- statement.execute("CREATE VIEW VIEW_2(A) AS SELECT A FROM TAB_1");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TAB_1, TAB_2 in DB_1, VIEW_1 on TAB_1
- * loads data into TAB_1, TAB_2. Admin grants SELECT on TAB_1,TAB_2 to
- * USER_GROUPS. All test cases in this method will do the authorization on the condition of join
- * or where clause
- */
- @Test
- public void testSelectColumnOnTableJoin() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1_A", "select_tab1_B", "select_tab2_B")
- .addPermissionsToRole("select_tab1_A", "server=server1->db=DB_1->table=TAB_1->column=A->action=select")
- .addPermissionsToRole("select_tab1_B", "server=server1->db=DB_1->table=TAB_1->column=B->action=select")
- .addPermissionsToRole("select_tab2_B", "server=server1->db=DB_1->table=TAB_2->column=B->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution user1
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
-
- // test user can execute query TAB_1 JOIN TAB_2, do the column authorization on the condition of
- // join clause
- statement
- .executeQuery("SELECT COUNT(T1.B) FROM TAB_1 T1 JOIN TAB_2 T2 ON T1.B = T2.B AND T1.A = '21' ");
-
- // negative test: test user can't execute query if do the column authorization on the condition
- // of join clause failed
- try {
- statement
- .execute("SELECT COUNT(T1.B) FROM TAB_1 T1 JOIN TAB_2 T2 ON T1.B = T2.B AND T1.A = '21' AND T2.A = '21'");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // test user can execute query TAB_1 JOIN TAB_2, do the column authorization on the condition of
- // where clause
- statement
- .executeQuery("SELECT T1.* FROM TAB_1 T1, TAB_2 T2 WHERE T1.B = T2.B AND T1.A = '21'");
-
- // negative test: test user can't execute query if do the column authorization on the condition
- // of where clause failed
- try {
- statement
- .execute("SELECT T1.* FROM TAB_1 T1, TAB_2 T2 WHERE T1.B = T2.B AND T1.A = '21' AND T2.A = '21'");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- try {
- statement
- .execute("SELECT T1.* FROM TAB_1 T1, TAB_2 T2 WHERE T1.B = T2.B AND T1.A = '21' AND T2.A = '21'");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't execute query VIEW_1 JOIN TAB_2
- try {
- statement.executeQuery("SELECT COUNT(*) FROM VIEW_1 V1 JOIN TAB_2 T2 ON (V1.B = T2.B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TAB_1, TAB_2 in DB_1, loads data into
- * TAB_1, TAB_2. Admin view on TAB_1 and TAB_2
- * Admin grants SELECT on just one column of VIEW_1, VIEW_2 to USER_GROUP1 of which
- * user1 is a member.
- * Admin grants SELECT on all column of TAB_1, TAB_2 to USER_GROUP2 of which
- * user2 is a member.
- * Note: We don't support column level privilege on VIEW
- */
- @Test
- public void testSelectColumnOnViewJoin() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_view1_A", "select_view1_B", "select_view2_B")
- .addRolesToGroup(USERGROUP2, "select_view1_B", "select_view2_B")
- .addRolesToGroup(USERGROUP3, "select_view1_B", "select_view2_A")
- .addPermissionsToRole("select_view1_A", "server=server1->db=DB_1->table=VIEW_1->column=A->action=select")
- .addPermissionsToRole("select_view1_B", "server=server1->db=DB_1->table=VIEW_1->column=B->action=select")
- .addPermissionsToRole("select_view2_A", "server=server1->db=DB_1->table=VIEW_2->column=A->action=select")
- .addPermissionsToRole("select_view2_B", "server=server1->db=DB_1->table=VIEW_2->column=B->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
-
- // test user can't execute query VIEW_1 JOIN VIEW_2
- try {
- statement.execute("SELECT COUNT(*) FROM VIEW_1 V1 JOIN VIEW_2 V2 ON (V1.B = V2.B)");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // test user can't execute query VIEW_1 JOIN TAB_2
- try {
- statement.execute("SELECT COUNT(*) FROM VIEW_1 V1 JOIN TAB_2 T2 ON (V1.B = T2.B)");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // test user can't execute query TAB_1 JOIN TAB_2
- try {
- statement.execute("SELECT COUNT(*) FROM TAB_1 T1 JOIN TAB_2 T2 ON (T1.B = T2.B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TAB_1, TAB_2 in DB_1, loads data into
- * TAB_1, TAB_2. Admin view on TAB_1 and TAB_2
- * Admin grants SELECT on just one column of VIEW_1, VIEW_2 to USER_GROUP1 of which
- * user1 is a member.
- * Admin grants SELECT on all column of TAB_1, TAB_2 to USER_GROUP2 of which
- * user2 is a member.
- * Note: We don't support column level privilege on VIEW
- */
- @Test
- public void testSelectColumnOnTableViewJoin() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1_A", "select_tab1_B", "select_view2_B")
- .addPermissionsToRole("select_tab1_A", "server=server1->db=DB_1->table=VIEW_1->column=A->action=select")
- .addPermissionsToRole("select_tab1_B", "server=server1->db=DB_1->table=VIEW_1->column=B->action=select")
- .addPermissionsToRole("select_view2_B", "server=server1->db=DB_1->table=VIEW_2->column=B->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
-
- // test user can't execute query VIEW_1 JOIN TAB_2
- try {
- statement.execute("SELECT COUNT(*) FROM VIEW_1 V1 JOIN TAB_2 T2 ON (V1.B = T2.B)");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // test user can't execute query VIEW_1 JOIN VIEW_2
- try {
- statement.execute("SELECT COUNT(*) FROM VIEW_1 V1 JOIN VIEW_2 V2 ON (V1.B = V2.B)");
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // test user can't execute query TAB_1 JOIN TAB_2
- try {
- statement.execute("SELECT COUNT(*) FROM TAB_1 T1 JOIN TAB_2 T2 ON (T1.B = T2.B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- @Test
- public void testPartition() throws Exception{
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab3_A", "select_tab3_C")
- .addRolesToGroup(USERGROUP2, "select_tab3_A")
- .addRolesToGroup(USERGROUP3, "select_tab3_C")
- .addPermissionsToRole("select_tab3_A", "server=server1->db=DB_1->table=TAB_3->column=A->action=select")
- .addPermissionsToRole("select_tab3_C", "server=server1->db=DB_1->table=TAB_3->column=C->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // Users with privileges on partition column can access it
- String [] positiveUsers = {USER1_1, USER3_1};
- for(String user:positiveUsers) {
- Connection connection = context.createConnection(user);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- statement.execute("SELECT C FROM TAB_3");
- statement.close();
- connection.close();
- }
-
- // Users with out privileges on partition column can not access it
- Connection connection = context.createConnection(USER2_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- try {
- statement.execute("SELECT C FROM TAB_3");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.close();
- connection.close();
- }
-
- @Test
- public void testMultipleColsPerRole() throws Exception {
-
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1_AB")
- .addPermissionsToRole("select_tab1_AB", "server=server1->db=DB_1->table=TAB_1->column=A->action=select")
- .addPermissionsToRole("select_tab1_AB", "server=server1->db=DB_1->table=TAB_1->column=B->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution on user1
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
-
- // test user can execute query count on column A on tab_1
- statement.executeQuery("SELECT A,B FROM TAB_1");
-
- statement.close();
- connection.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
deleted file mode 100644
index b28b6f4..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ /dev/null
@@ -1,399 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.junit.Assert;
-
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-/* Tests privileges at table scope within a single database.
- */
-
-public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfiguration {
- private PolicyFile policyFile;
-
- Map <String, String >testProperties;
- private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
-
- @BeforeClass
- public static void setupTestStaticConfiguration () throws Exception {
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Override
- @Before
- public void setup() throws Exception {
- policyFile = super.setupPolicy();
- super.setup();
- testProperties = new HashMap<String, String>();
- }
-
- // SENTRY-285 test
- @Test
- public void testAllOnDb() throws Exception {
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("create database " + DB1);
- statement.execute("create table " + DB1 + ".tab1(a int)");
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1 + "->action=all")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("use " + DB1);
- statement.execute("select * from tab1");
-
- policyFile
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1);
- writePolicyFile(policyFile);
- statement.execute("use " + DB1);
- statement.execute("select * from tab1");
- }
-
-
- /* Admin creates database DB_1
- * Admin grants ALL to USER_GROUP of which user1 is a member.
- */
- @Test
- public void testAllPrivilege() throws Exception {
-
- //copy data file to test dir
- File dataDir = context.getDataDir();
- File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("CREATE DATABASE " + DB2);
- statement.close();
- connection.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1", "load_data")
- .addRolesToGroup(USERGROUP2, "all_db2")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("all_db2", "server=server1->db=" + DB2)
- .addPermissionsToRole("load_data", "server=server1->uri=file://" + dataFile.getPath())
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- // test user can create table
- statement.execute("CREATE TABLE " + DB1 + ".TAB_1(A STRING)");
- // test user can execute load
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + DB1 + ".TAB_1");
- statement.execute("CREATE TABLE " + DB1 + ".TAB_2(A STRING)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + DB1 + ".TAB_2");
-
- // test CTAS can reference UDFs
- statement.execute("USE " + DB1);
- statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
-
- // test user can switch db
- statement.execute("USE " + DB1);
- //test user can create view
- statement.execute("CREATE VIEW VIEW_1(A) AS SELECT A FROM TAB_1");
-
- // test user can insert
- statement.execute("INSERT INTO TABLE TAB_1 SELECT A FROM TAB_2");
- // test user can query table
- ResultSet resultSet = statement.executeQuery("SELECT COUNT(A) FROM TAB_1");
- int count = 0;
- int countRows = 0;
-
- while (resultSet.next()) {
- count = resultSet.getInt(1);
- countRows++;
- }
- assertTrue("Incorrect row count", countRows == 1);
- assertTrue("Incorrect result", count == 1000);
-
- // test user can execute alter table rename
- statement.execute("ALTER TABLE TAB_1 RENAME TO TAB_3");
-
- // test user can execute create as select
- statement.execute("CREATE TABLE TAB_4 AS SELECT * FROM TAB_2");
-
- // test user can execute alter table rename cols
- statement.execute("ALTER TABLE TAB_3 ADD COLUMNS (B INT)");
-
- // test user can drop table
- statement.execute("DROP TABLE TAB_3");
-
- //negative test case: user can't drop another user's database
- try {
- statement.execute("DROP DATABASE " + DB2 + " CASCADE");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- //negative test case: user can't switch into another user's database
- try {
- statement.execute("USE " + DB2);
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- //User can drop own database
- statement.execute("DROP DATABASE " + DB1 + " CASCADE");
-
- statement.close();
- connection.close();
- }
-
- /* Admin creates database DB_1, creates table TAB_1, loads data into it
- * Admin grants ALL to USER_GROUP of which user1 is a member.
- */
- @Test
- public void testAllPrivilegeOnObjectOwnedByAdmin() throws Exception {
-
- //copy data file to test dir
- File dataDir = context.getDataDir();
- File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- File externalTblDir = new File(dataDir, "exttab");
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("CREATE DATABASE " + DB2);
- statement.execute("USE " + DB1);
- statement.execute("CREATE TABLE TAB_1(A STRING)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_1");
- statement.execute("CREATE TABLE PART_TAB_1(A STRING) partitioned by (B INT) STORED AS TEXTFILE");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE PART_TAB_1 PARTITION(B=1)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE PART_TAB_1 PARTITION(B=2)");
- statement.close();
- connection.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1", "load_data", "exttab")
- .addRolesToGroup(USERGROUP2, "all_db2")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("all_db2", "server=server1->db=" + DB2)
- .addPermissionsToRole("exttab", "server=server1->uri=file://" + dataDir.getPath())
- .addPermissionsToRole("load_data", "server=server1->uri=file://" + dataFile.getPath())
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- // test user can switch db
- statement.execute("USE " + DB1);
- // test user can execute load
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_1");
- statement.execute("CREATE TABLE TAB_2(A STRING)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE TAB_2");
-
- //test user can create view
- statement.execute("CREATE VIEW VIEW_1(A) AS SELECT A FROM TAB_1");
-
- // test user can insert
- statement.execute("INSERT INTO TABLE TAB_1 SELECT A FROM TAB_2");
- // test user can query table
- ResultSet resultSet = statement.executeQuery("SELECT COUNT(A) FROM TAB_1");
- int count = 0;
- int countRows = 0;
-
- while (resultSet.next()) {
- count = resultSet.getInt(1);
- countRows++;
- }
- assertTrue("Incorrect row count", countRows == 1);
- assertTrue("Incorrect result", count == 1500);
-
- // test user can execute alter table rename
- statement.execute("ALTER TABLE TAB_1 RENAME TO TAB_3");
-
- // test user can drop table
- statement.execute("DROP TABLE TAB_3");
-
- //positive test case: user can create external tables at given location
- assertTrue("Unable to create directory for external table test" , externalTblDir.mkdir());
- statement.execute("CREATE EXTERNAL TABLE EXT_TAB_1(A STRING) STORED AS TEXTFILE LOCATION 'file:"+
- externalTblDir.getAbsolutePath() + "'");
-
- //negative test case: user can't execute alter table set location,
- // as the user does not have privileges on that location
- context.assertSentrySemanticException(statement, "ALTER TABLE TAB_2 SET LOCATION 'file:///tab2'", semanticException);
-
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("CREATE EXTERNAL TABLE EXT_TAB_1(A STRING) STORED AS TEXTFILE LOCATION 'file:"+
- externalTblDir.getAbsolutePath() + "'");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /**
- * Test privileges for 'use <db>'
- * Admin should be able to run use <db> with server level access
- * User with db level access should be able to run use <db>
- * User with table level access should be able to run use <db>
- * User with no access to that db objects, should NOT be able run use <db>
- * @throws Exception
- */
- @Test
- public void testUseDbPrivilege() throws Exception {
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("use " + DB1);
- statement.execute("CREATE TABLE TAB_1(A STRING)");
- statement.execute("CREATE DATABASE " + DB2);
- statement.execute("use " + DB2);
- statement.execute("CREATE TABLE TAB_2(A STRING)");
- context.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1")
- .addRolesToGroup(USERGROUP2, "select_db2")
- .addRolesToGroup(USERGROUP3, "all_db3")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("select_db2", "server=server1->db=" + DB2 + "->table=tab_2->action=select")
- .addPermissionsToRole("all_db3", "server=server1->db=DB_3")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // user1 should be able to connect db_1
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("use " + DB1);
- context.close();
-
- // user2 should not be able to connect db_1
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("use " + DB1);
- assertFalse("user2 shouldn't be able switch to " + DB1, true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.execute("use " + DB2);
- context.close();
-
- // user3 who is not listed in policy file should not be able to connect db_2
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("use " + DB2);
- assertFalse("user3 shouldn't be able switch to " + DB2, true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- context.close();
- }
-
- /**
- * Test access to default DB with out of box authz config
- * All users should be able to switch to default, including the users that don't have any
- * privilege on default db objects via policy file
- * @throws Exception
- */
- @Test
- public void testDefaultDbPrivilege() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("use default");
- statement.execute("create table tab1(a int)");
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("use " + DB1);
- statement.execute("CREATE TABLE TAB_1(A STRING)");
- statement.execute("CREATE DATABASE " + DB2);
- statement.execute("use " + DB2);
- statement.execute("CREATE TABLE TAB_2(A STRING)");
- context.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1")
- .addRolesToGroup(USERGROUP2, "select_db2")
- .addRolesToGroup(USERGROUP3, "all_default")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("select_db2", "server=server1->db=" + DB2 + "->table=tab_2->action=select")
- .addPermissionsToRole("all_default", "server=server1->db=default")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("use default");
- try {
- statement.execute("select * from tab1");
- assertTrue("Should not be allowed !!", false);
- } catch (Exception e) {
- // Ignore
- }
- context.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("use default");
- context.close();
-
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- statement.execute("use default");
- context.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
deleted file mode 100644
index 40d870f..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
+++ /dev/null
@@ -1,262 +0,0 @@
-/*
-printf_test_3 * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.security.CodeSource;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfiguration {
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestPrivilegesAtFunctionScope.class);
-
- private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
- private File dataDir;
- private File dataFile;
- private PolicyFile policyFile;
-
- @Before
- public void setup() throws Exception {
- dataDir = context.getDataDir();
- dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
- policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
- policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
- }
-
- /**
- * admin should be able to create/drop temp functions
- * user with db level access should be able to create/drop temp functions
- * user with table level access should be able to create/drop temp functions
- * user with no privilege should NOT be able to create/drop temp functions
- */
- @Test
- public void testFuncPrivileges1() throws Exception {
- String tableName1 = "tb_1";
- String udfClassName = "org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf";
- CodeSource udfSrc = Class.forName(udfClassName).getProtectionDomain().getCodeSource();
- String udfLocation = System.getProperty(EXTERNAL_HIVE_LIB);
- if(udfLocation == null) {
- udfLocation = udfSrc.getLocation().getPath();
- }
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- statement.execute("create table " + DB1 + "." + tableName1
- + " (under_col int comment 'the under column', value string)");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE "
- + DB1 + "." + tableName1);
- statement.execute("DROP TEMPORARY FUNCTION IF EXISTS printf_test");
- statement.execute("DROP TEMPORARY FUNCTION IF EXISTS printf_test_2");
- context.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR", "data_read")
- .addRolesToGroup(USERGROUP2, "db1_tab1", "UDF_JAR")
- .addRolesToGroup(USERGROUP3, "db1_tab1")
- .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
- .addPermissionsToRole("db1_tab1", "server=server1->db=" + DB1 + "->table=" + tableName1)
- .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation)
- .addPermissionsToRole("data_read", "server=server1->URI=" + "file:///tmp");
- writePolicyFile(policyFile);
-
- // user1 should be able create/drop temp functions
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
-
- try {
- statement.execute("CREATE TEMPORARY FUNCTION printf_test AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- LOGGER.info("Testing select from temp func printf_test");
- ResultSet res = statement.executeQuery("SELECT printf_test('%d', under_col) FROM " + tableName1);
- while (res.next()) {
- LOGGER.info(res.getString(1));
- }
- res.close();
- statement.execute("DROP TEMPORARY FUNCTION printf_test");
- } catch (Exception ex) {
- LOGGER.error("test temp func printf_test failed with reason: ", ex);
- fail("fail to test temp func printf_test");
- }
-
- statement.execute(
- "CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' ");
- statement.execute("SELECT printf_test_perm(value) FROM " + tableName1);
- statement.execute("DROP FUNCTION printf_test_perm");
-
- // test perm UDF with 'using file' syntax
- statement
- .execute("CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' "
- + " using file 'file:///tmp'");
- statement.execute("DROP FUNCTION printf_test_perm");
-
- context.close();
-
- // user2 has select privilege on one of the tables in db1, should be able create/drop temp functions
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute(
- "CREATE TEMPORARY FUNCTION printf_test_2 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- statement.execute("SELECT printf_test_2(value) FROM " + tableName1);
- statement.execute("DROP TEMPORARY FUNCTION printf_test_2");
-
- statement.execute(
- "CREATE FUNCTION " + DB1 + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- statement.execute("SELECT printf_test_2_perm(value) FROM " + tableName1);
- statement.execute("DROP FUNCTION printf_test_2_perm");
-
- // USER2 doesn't have URI perm on dataFile
- try {
- statement
- .execute("CREATE FUNCTION "
- + DB1
- + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'"
- + " using file '" + "file://" + dataFile.getPath() + "'");
- assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- context.close();
-
- // user3 shouldn't be able to create/drop temp functions since it doesn't have permission for jar
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- try {
- statement.execute(
- "CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- try {
- statement.execute(
- "CREATE FUNCTION printf_test_perm_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- assertFalse("CREATE FUNCTION should fail for user3", true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- context.close();
-
- // user4 (not part of any group ) shouldn't be able to create/drop temp functions
- connection = context.createConnection(USER4_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("USE default");
- statement.execute(
- "CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- assertFalse("CREATE TEMPORARY FUNCTION should fail for user4", true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- context.close();
-
- }
-
- @Test
- public void testUdfWhiteList () throws Exception {
- String tableName1 = "tab1";
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = connection.createStatement();
- statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- statement.execute("create table " + tableName1
- + " (under_col int comment 'the under column', value string)");
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR")
- .addRolesToGroup(USERGROUP2, "db1_tab1", "UDF_JAR")
- .addRolesToGroup(USERGROUP3, "db1_tab1")
- .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
- .addPermissionsToRole("db1_tab1", "server=server1->db=" + DB1 + "->table=" + tableName1)
- .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://${user.home}/.m2");
- writePolicyFile(policyFile);
-
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE "
- + DB1 + "." + tableName1);
- statement.execute("SELECT rand(), concat(value, '_foo') FROM " + tableName1);
-
- context.assertAuthzException(statement,
- "SELECT reflect('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM " + tableName1);
- context.assertAuthzException(statement,
- "SELECT java_method('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM " + tableName1);
- statement.close();
- connection.close();
- }
-
- /**
- * User with db level access should be able to create/alter tables with buildin Serde.
- */
- @Test
- public void testSerdePrivileges() throws Exception {
- String tableName1 = "tab1";
- String tableName2 = "tab2";
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
- statement.execute("CREATE DATABASE " + DB1);
-
- context.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db1_all")
- .addPermissionsToRole("db1_all", "server=server1->db=" + DB1);
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("create table " + DB1 + "." + tableName1
- + " (a string, b string) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.OpenCSVSerde' "
- + " STORED AS TEXTFILE");
-
- statement.execute("create table " + DB1 + "." + tableName2 + " (a string, b string)");
- statement.execute("alter table " + DB1 + "." + tableName2
- + " SET SERDE 'org.apache.hadoop.hive.serde2.OpenCSVSerde'");
-
- context.close();
- }
-}