You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/06/24 06:00:35 UTC
[06/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
new file mode 100644
index 0000000..d1a88b0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
@@ -0,0 +1,1164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.model.MSentryGroup;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.model.MSentryUser;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryMappingData;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSentryStoreImportExport {
+
+ private static File dataDir;
+ private static SentryStore sentryStore;
+ private static String[] adminGroups = { "adminGroup1" };
+ private static PolicyFile policyFile;
+ private static File policyFilePath;
+ private TSentryPrivilege tSentryPrivilege1;
+ private TSentryPrivilege tSentryPrivilege2;
+ private TSentryPrivilege tSentryPrivilege3;
+ private TSentryPrivilege tSentryPrivilege4;
+ private TSentryPrivilege tSentryPrivilege5;
+ private TSentryPrivilege tSentryPrivilege6;
+ private TSentryPrivilege tSentryPrivilege7;
+ private TSentryPrivilege tSentryPrivilege8;
+ private TSentryPrivilege tSentryPrivilege9;
+
+ @BeforeClass
+ public static void setupEnv() throws Exception {
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ Configuration conf = new Configuration(false);
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath()
+ + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "sentry");
+ conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+ policyFilePath = new File(dataDir, "local_policy_file.ini");
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath());
+ policyFile = new PolicyFile();
+ sentryStore = new SentryStore(conf);
+
+ String adminUser = "g1";
+ addGroupsToUser(adminUser, adminGroups);
+ writePolicyFile();
+ }
+
+ @Before
+ public void setupPrivilege() {
+ preparePrivilege();
+ }
+
+ @After
+ public void clearStore() {
+ sentryStore.clearAllTables();
+ }
+
+ // create the privileges instance for test case:
+ // privilege1=[server=server1]
+ // privilege2=[server=server1, action=select, grantOption=false]
+ // privilege3=[server=server1, db=db2, action=insert, grantOption=true]
+ // privilege4=[server=server1, db=db1, table=tbl1, action=insert, grantOption=false]
+ // privilege5=[server=server1, db=db1, table=tbl2, column=col1, action=insert, grantOption=false]
+ // privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true]
+ // privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true]
+ // privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false]
+ // privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false]
+ private void preparePrivilege() {
+ tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
+ "", "", TSentryGrantOption.UNSET);
+ tSentryPrivilege2 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
+ "", AccessConstants.SELECT, TSentryGrantOption.FALSE);
+ tSentryPrivilege3 = createTSentryPrivilege(PrivilegeScope.DATABASE.name(), "server1", "db2",
+ "", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
+ tSentryPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db1",
+ "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege5 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
+ "tbl2", "col1", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege6 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
+ "tbl3", "col1", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
+ tSentryPrivilege7 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
+ "tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
+ tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "",
+ "hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2",
+ "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ }
+
+ @AfterClass
+ public static void teardown() {
+ if (sentryStore != null) {
+ sentryStore.stop();
+ }
+ if (dataDir != null) {
+ FileUtils.deleteQuietly(dataDir);
+ }
+ }
+
+ protected static void addGroupsToUser(String user, String... groupNames) {
+ policyFile.addGroupsToUser(user, groupNames);
+ }
+
+ protected static void writePolicyFile() throws Exception {
+ policyFile.write(policyFilePath);
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // group2=role1,role2,role3
+ // group3=role1,role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy1() throws Exception {
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ sentryGroupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
+ sentryGroupRolesMap.put("group2", Sets.newHashSet("Role1", "role2", "role3"));
+ sentryGroupRolesMap.put("group3", Sets.newHashSet("Role1", "role2", "role3"));
+ sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has no duplicate data:
+ // The data for 1st import:
+ // group1=role1
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // The data for 2nd import:
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege5,privilege6,privilege7,privilege8
+ // role3=privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy2() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
+ sentryRolePrivilegesMap1
+ .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
+ tSentryPrivilege4));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2
+ .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ sentryRolePrivilegesMap2
+ .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ sentryStore.importSentryMetaData(tSentryMappingData2, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap
+ .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
+ tSentryPrivilege4));
+ exceptedRolePrivilegesMap
+ .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ exceptedRolePrivilegesMap
+ .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has data overlap:
+ // The data for 1st import:
+ // group1=role1, role2
+ // group2=role1, role2
+ // group3=role1, role2
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+ // The data for 2nd import:
+ // group1=role2,role3
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy3() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ sentryStore.importSentryMetaData(tSentryMappingData2, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has one role without group.
+ // The data for 1st import:
+ // group1=role1, role2
+ // role1=privilege1,privilege2
+ // role2=privilege3,privilege4
+ // The data for 2nd import:
+ // group2=role2
+ // role2=privilege5,privilege6
+ // role3=privilege7,privilege8
+ // role3 is without group, will be imported also
+ @Test
+ public void testImportExportPolicy4() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
+ sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ sentryStore.importSentryMetaData(tSentryMappingData2, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
+ exceptedRolePrivilegesMap
+ .put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // test for import mapping data for [group,role] only:
+ // group1=role1, role2
+ @Test
+ public void testImportExportPolicy5() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1"));
+
+ // test the result data for the privilege
+ assertTrue(privilegesList.isEmpty());
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ assertTrue(actualRolePrivilegesMap.isEmpty());
+ }
+
+ // test for filter the orphaned group:
+ // group1=role1, role2
+ // group2=role2
+ @Test
+ public void testImportExportPolicy6() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group2", Sets.newHashSet("role2"));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ // drop the role2, the group2 is orphaned group
+ sentryStore.dropSentryRole("role2");
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
+
+ // test the result data for the privilege
+ assertTrue(privilegesList.isEmpty());
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ assertTrue(actualRolePrivilegesMap.isEmpty());
+ }
+
+ // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
+ // The data for 1st import:
+ // group1=role1
+ // role1=privilege1
+ // The data for 2nd import:
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege2
+ // role3=privilege2
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy7() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData1, true);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege2));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege2));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData2, true);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege2));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege2));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has data overlap, the import will be with the overwrite mode:
+ // The data for 1st import:
+ // group1=role1, role2
+ // group2=role1, role2
+ // group3=role1, role2
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+ // The data for 2nd import:
+ // group1=role2,role3
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy8() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData1, true);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData2, true);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ // role2 should be overwrite
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // test the import privileges with the action: All, *, select, insert
+ // All and * should replace the select and insert
+ // The data for import:
+ // group1=role1, role2
+ // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
+ // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
+ @Test
+ public void testImportExportPolicy9() throws Exception {
+ TSentryPrivilege testPrivilege1 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege2 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ TSentryPrivilege testPrivilege3 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege5 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege6 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ TSentryPrivilege testPrivilege7 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege8 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
+
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ // after import there should be only testPrivilege2, testPrivilege3
+ sentryRolePrivilegesMap1.put("role1",
+ Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
+ // after import there should be only testPrivilege6,testPrivilege7
+ sentryRolePrivilegesMap1.put("role2",
+ Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData1, true);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1"));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // The following data is imported:
+ // group1=role1
+ // group2=role1,role2
+ // group3=role2,role3
+ // group4=role1,role2,role3
+ // role1=privilege3,privilege4,privilege9
+ // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+ @Test
+ public void testExportPolicyWithSpecificObject() throws Exception {
+ // import the data for test
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ sentryGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ sentryRolePrivilegesMap.put("role1", Sets.newHashSet(
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap =
+ sentryStore.getRoleNameTPrivilegesMap("db1", "");
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(
+ actualRolePrivilegesMap.keySet());
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db2
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", "");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for table=tbl1
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for empty parameter
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // user1=role1,role2
+ // user2=role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // role2=privilege5,privilege6,privilege7,privilege8
+ // role3=privilege3,privilege4,privilege5,privilege6
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getUsersMap getPrivilegesList are tested.
+ @Test
+ public void testImportExportWithUser() throws Exception {
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ Map<String, Set<String>> userRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ groupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
+ userRolesMap.put("user1", Sets.newHashSet("Role1", "role2"));
+ userRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
+ tSentryMappingData.setGroupRolesMap(groupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ tSentryMappingData.setUserRolesMap(userRolesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ Map<String, MSentryUser> usersMap = sentryStore.getUserNameToUserMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1"));
+
+ // test the result data for the user
+ verifyUsers(usersMap, Sets.newHashSet("user1", "user2"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ Map<String, Set<String>> actualUserRolesMap = mapList.get(
+ SentryStore.INDEX_USER_ROLES_MAP);
+ Map<String, Set<String>> exceptedUserRolesMap = Maps.newHashMap();
+ exceptedUserRolesMap.put("user1", Sets.newHashSet("role1", "role2"));
+ exceptedUserRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualUserRolesMap, exceptedUserRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
+
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) {
+ assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size());
+ for (String roleName : actualRoleMap.keySet()) {
+ assertTrue(expectedRoleNameSet.contains(roleName));
+ }
+ }
+
+ private void verifyGroups(Map<String, MSentryGroup> actualGroupsMap,
+ Set<String> expectedGroupNameSet) {
+ assertEquals(expectedGroupNameSet.size(), actualGroupsMap.keySet().size());
+ for (String groupName : actualGroupsMap.keySet()) {
+ assertTrue(expectedGroupNameSet.contains(groupName));
+ }
+ }
+
+ private void verifyUsers(Map<String, MSentryUser> actualUsersMap,
+ Set<String> expectedUserNameSet) {
+ assertEquals(expectedUserNameSet.size(), actualUsersMap.keySet().size());
+ for (String userName : actualUsersMap.keySet()) {
+ assertTrue(expectedUserNameSet.contains(userName));
+ }
+ }
+
+ private void verifyPrivileges(List<MSentryPrivilege> actualPrivileges,
+ Set<TSentryPrivilege> expectedTSentryPrivilegeSet) {
+ assertEquals(expectedTSentryPrivilegeSet.size(), actualPrivileges.size());
+ for (MSentryPrivilege mSentryPrivilege : actualPrivileges) {
+ boolean isFound = false;
+ for (TSentryPrivilege tSentryPrivilege : expectedTSentryPrivilegeSet) {
+ isFound = compareTSentryPrivilege(sentryStore.convertToTSentryPrivilege(mSentryPrivilege),
+ tSentryPrivilege);
+ if (isFound) {
+ break;
+ }
+ }
+ assertTrue(isFound);
+ }
+ }
+
+ private void verifyUserGroupRolesMap(Map<String, Set<String>> actualMap,
+ Map<String, Set<String>> exceptedMap) {
+ assertEquals(exceptedMap.keySet().size(), actualMap.keySet().size());
+ for (String name : actualMap.keySet()) {
+ Set<String> exceptedRoles = exceptedMap.get(name);
+ Set<String> actualRoles = actualMap.get(name);
+ assertEquals(actualRoles.size(), exceptedRoles.size());
+ assertTrue(actualRoles.equals(exceptedRoles));
+ }
+ }
+
+ private void verifyRolePrivilegesMap(Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap,
+ Map<String, Set<TSentryPrivilege>> expectedRolePrivilegesMap) {
+ assertEquals(expectedRolePrivilegesMap.keySet().size(), actualRolePrivilegesMap.keySet().size());
+ for (String roleName : expectedRolePrivilegesMap.keySet()) {
+ Set<TSentryPrivilege> exceptedTSentryPrivileges = expectedRolePrivilegesMap.get(roleName);
+ Set<TSentryPrivilege> actualTSentryPrivileges = actualRolePrivilegesMap.get(roleName);
+ assertEquals(exceptedTSentryPrivileges.size(), actualTSentryPrivileges.size());
+ for (TSentryPrivilege actualPrivilege : actualTSentryPrivileges) {
+ boolean isFound = false;
+ for (TSentryPrivilege expectedPrivilege : exceptedTSentryPrivileges) {
+ isFound = compareTSentryPrivilege(expectedPrivilege, actualPrivilege);
+ if (isFound) {
+ break;
+ }
+ }
+ assertTrue(isFound);
+ }
+ }
+ }
+
+ private TSentryPrivilege createTSentryPrivilege(String scope, String server, String dbName,
+ String tableName, String columnName, String uri, String action, TSentryGrantOption grantOption) {
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ tSentryPrivilege.setPrivilegeScope(scope);
+ tSentryPrivilege.setServerName(server);
+ tSentryPrivilege.setDbName(dbName);
+ tSentryPrivilege.setTableName(tableName);
+ tSentryPrivilege.setColumnName(columnName);
+ tSentryPrivilege.setURI(uri);
+ tSentryPrivilege.setAction(action);
+ tSentryPrivilege.setGrantOption(grantOption);
+ return tSentryPrivilege;
+ }
+
+ // compare the TSentryPrivilege without the create time
+ private boolean compareTSentryPrivilege(TSentryPrivilege tSentryPrivilege1,
+ TSentryPrivilege tSentryPrivilege2) {
+ if (tSentryPrivilege1 == null) {
+ if (tSentryPrivilege2 == null) {
+ return true;
+ } else {
+ return false;
+ }
+ } else {
+ if (tSentryPrivilege2 == null) {
+ return false;
+ }
+ }
+
+ boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope();
+ boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope();
+ if (this_present_privilegeScope || that_present_privilegeScope) {
+ if (!(this_present_privilegeScope && that_present_privilegeScope)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase(
+ tSentryPrivilege2.getPrivilegeScope())) {
+ return false;
+ }
+ }
+
+ boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName();
+ boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName();
+ if (this_present_serverName || that_present_serverName) {
+ if (!(this_present_serverName && that_present_serverName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) {
+ return false;
+ }
+ }
+
+ boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName();
+ boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName();
+ if (this_present_dbName || that_present_dbName) {
+ if (!(this_present_dbName && that_present_dbName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) {
+ return false;
+ }
+ }
+
+ boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName();
+ boolean that_present_tableName = true && tSentryPrivilege2.isSetTableName();
+ if (this_present_tableName || that_present_tableName) {
+ if (!(this_present_tableName && that_present_tableName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getTableName().equalsIgnoreCase(tSentryPrivilege2.getTableName())) {
+ return false;
+ }
+ }
+
+ boolean this_present_URI = true && tSentryPrivilege1.isSetURI();
+ boolean that_present_URI = true && tSentryPrivilege2.isSetURI();
+ if (this_present_URI || that_present_URI) {
+ if (!(this_present_URI && that_present_URI)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getURI().equalsIgnoreCase(tSentryPrivilege2.getURI())) {
+ return false;
+ }
+ }
+
+ boolean this_present_action = true && tSentryPrivilege1.isSetAction();
+ boolean that_present_action = true && tSentryPrivilege2.isSetAction();
+ if (this_present_action || that_present_action) {
+ if (!(this_present_action && that_present_action)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getAction().equalsIgnoreCase(tSentryPrivilege2.getAction())) {
+ return false;
+ }
+ }
+
+ boolean this_present_grantOption = true && tSentryPrivilege1.isSetGrantOption();
+ boolean that_present_grantOption = true && tSentryPrivilege2.isSetGrantOption();
+ if (this_present_grantOption || that_present_grantOption) {
+ if (!(this_present_grantOption && that_present_grantOption)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getGrantOption().equals(tSentryPrivilege2.getGrantOption())) {
+ return false;
+ }
+ }
+
+ boolean this_present_columnName = true && tSentryPrivilege1.isSetColumnName();
+ boolean that_present_columnName = true && tSentryPrivilege2.isSetColumnName();
+ if (this_present_columnName || that_present_columnName) {
+ if (!(this_present_columnName && that_present_columnName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getColumnName().equalsIgnoreCase(tSentryPrivilege2.getColumnName())) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
new file mode 100644
index 0000000..25f94fa
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.junit.Test;
+
+public class TestSentryStoreToAuthorizable {
+
+ private MSentryPrivilege privilege;
+
+ @Test
+ public void testServer() {
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, null, null);
+ assertEquals("server=server1",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, null,
+ AccessConstants.ALL);
+ assertEquals("server=server1",
+ SentryStore.toAuthorizable(privilege));
+ }
+
+ @Test
+ public void testTable() {
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, null);
+ assertEquals("server=server1->db=db1->table=tbl1",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
+ AccessConstants.INSERT);
+ assertEquals("server=server1->db=db1->table=tbl1->action=insert",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
+ AccessConstants.SELECT);
+ assertEquals("server=server1->db=db1->table=tbl1->action=select",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
+ AccessConstants.ALL);
+ assertEquals("server=server1->db=db1->table=tbl1",
+ SentryStore.toAuthorizable(privilege));
+ }
+
+ @Test
+ public void testDb() {
+ privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null, null);
+ assertEquals("server=server1->db=db1",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null,
+ AccessConstants.ALL);
+ assertEquals("server=server1->db=db1",
+ SentryStore.toAuthorizable(privilege));
+ }
+
+ @Test
+ public void testUri() {
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///", null);
+ assertEquals("server=server1->uri=file:///",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///",
+ AccessConstants.SELECT);
+ assertEquals("server=server1->uri=file:///->action=select",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///",
+ AccessConstants.ALL);
+ assertEquals("server=server1->uri=file:///",
+ SentryStore.toAuthorizable(privilege));
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
new file mode 100644
index 0000000..103dbb6
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.File;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.io.Files;
+
+public class TestSentryVersion {
+
+ private File dataDir;
+ private Configuration conf;
+
+ @Before
+ public void setup() throws Exception {
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ conf = new Configuration(false);
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName="
+ + dataDir.getPath() + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ }
+
+ /**
+ * Create the schema using auto creation Create new sentry store without
+ * implicit schema creation on the same backend db and make sure it starts
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testVerifySentryVersionCheck() throws Exception {
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ SentryStore sentryStore = new SentryStore(conf);
+ sentryStore.stop();
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "true");
+ }
+
+ /**
+ * Verify that store is not initialized by default without schema pre-created
+ *
+ * @throws Exception
+ */
+ @Test(expected = SentryNoSuchObjectException.class)
+ public void testNegSentrySchemaDefault() throws Exception {
+ new SentryStore(conf);
+ }
+
+ /**
+ * With schema verification turned off, Sentry Store should autoCreate the
+ * schema
+ * @throws Exception
+ */
+ @Test
+ public void testSentryImplicitVersion() throws Exception {
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ SentryStore sentryStore = new SentryStore(conf);
+ assertEquals(SentryStoreSchemaInfo.getSentryVersion(),
+ sentryStore.getSentryVersion());
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
new file mode 100644
index 0000000..1114194
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.io.File;
+import java.util.Properties;
+
+import org.apache.hadoop.minikdc.MiniKdc;
+
+public class SentryMiniKdcTestcase {
+
+ private static File workDir;
+ private static Properties conf;
+ private static MiniKdc kdc;
+
+ public static void startMiniKdc(Properties confOverlay) throws Exception {
+ createTestDir();
+ createMiniKdcConf(confOverlay);
+ kdc = new MiniKdc(conf, workDir);
+ kdc.start();
+ }
+
+ private static void createMiniKdcConf(Properties confOverlay) {
+ conf = MiniKdc.createConf();
+ for ( Object property : confOverlay.keySet()) {
+ conf.put(property, confOverlay.get(property));
+ }
+ }
+
+ private static void createTestDir() {
+ workDir = new File(System.getProperty("test.dir", "target"));
+ }
+
+ public static void stopMiniKdc() {
+ if (kdc != null) {
+ kdc.stop();
+ }
+ }
+
+ public static MiniKdc getKdc() {
+ return kdc;
+ }
+
+ public static File getWorkDir() {
+ return workDir;
+ }
+
+ public Properties getConf() {
+ return conf;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
new file mode 100644
index 0000000..48f25dd
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
@@ -0,0 +1,295 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setupLog4j() throws Exception {
+ Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Test
+ public void testBasic() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName = "testRole";
+ String errorRoleName = "errorRole";
+ String serverName = "server1";
+ String groupName = "testGroup";
+ String dbName = "dbTest";
+ String tableName = "tableTest";
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+
+ // for successful audit log
+ client.createRole(requestorUserName, roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ // for ip address, there is another logic to test the result
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantRoleToGroup(requestorUserName, groupName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ + " TO ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+ "SELECT", true);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName
+ + " TO ROLE " + roleName + " WITH GRANT OPTION");
+ fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ try {
+ client.createRole(requestorUserName, roleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantRoleToGroup(requestorUserName, groupName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + errorRoleName
+ + " TO GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client
+ .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "INSERT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE "
+ + dbName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE "
+ + dbName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ tableName, "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE "
+ + tableName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ client.revokeTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+ "SELECT");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName
+ + " FROM ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ + " FROM ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.revokeRoleFromGroup(requestorUserName, groupName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.dropRole(requestorUserName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ try {
+ client.revokeTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ tableName, "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE "
+ + tableName + " FROM ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.revokeDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "ALL");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ + " FROM ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.revokeRoleFromGroup(requestorUserName, groupName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + errorRoleName
+ + " FROM GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.dropRole(requestorUserName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}