You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by ja...@apache.org on 2014/05/19 17:25:19 UTC
git commit: SENTRY-158: Hive bindings should enable MR level ACLs for
session user
Repository: incubator-sentry
Updated Branches:
refs/heads/master 5fc968e6c -> cbbb3bd7a
SENTRY-158: Hive bindings should enable MR level ACLs for session user
(Prasad Mujumdar via Jarek Jarcec Cecho)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/cbbb3bd7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/cbbb3bd7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/cbbb3bd7
Branch: refs/heads/master
Commit: cbbb3bd7ae1053ae3794fada66160aee10664014
Parents: 5fc968e
Author: Jarek Jarcec Cecho <ja...@apache.org>
Authored: Mon May 19 08:23:54 2014 -0700
Committer: Jarek Jarcec Cecho <ja...@apache.org>
Committed: Mon May 19 08:23:54 2014 -0700
----------------------------------------------------------------------
.../hive/HiveAuthzBindingSessionHook.java | 24 ++++++++++++++------
.../apache/sentry/tests/e2e/hive/Context.java | 22 ++++++++++++++++++
.../tests/e2e/hive/TestUserManagement.java | 10 ++++++++
3 files changed, 49 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 2e53acb..aacad66 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.mapreduce.JobContext;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.session.HiveSessionHookContext;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
@@ -69,9 +70,11 @@ public class HiveAuthzBindingSessionHook
// Add sentry hooks to the session configuration
HiveConf sessionConf = sessionHookContext.getSessionConf();
- appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK, SEMANTIC_HOOK);
- appendConfVar(sessionConf, ConfVars.PREEXECHOOKS, PRE_EXEC_HOOK);
- appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK, FILTER_HOOK);
+ appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
+ SEMANTIC_HOOK);
+ appendConfVar(sessionConf, ConfVars.PREEXECHOOKS.varname, PRE_EXEC_HOOK);
+ appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK.varname,
+ FILTER_HOOK);
// setup config
sessionConf.setBoolVar(ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE, true);
@@ -82,18 +85,25 @@ public class HiveAuthzBindingSessionHook
sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser());
sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
+ // Set MR ACLs to session user
+ appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
+ sessionHookContext.getSessionUser());
+ appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB,
+ sessionHookContext.getSessionUser());
+
// setup restrict list
sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST);
}
// Setup given sentry hooks
- private void appendConfVar(HiveConf sessionConf, ConfVars confVar, String sentryConfVal) {
- String currentValue = sessionConf.getVar(confVar);
- if ((currentValue == null) || currentValue.isEmpty()) {
+ private void appendConfVar(HiveConf sessionConf, String confVar,
+ String sentryConfVal) {
+ String currentValue = sessionConf.get(confVar, "").trim();
+ if (currentValue.isEmpty()) {
currentValue = sentryConfVal;
} else {
currentValue = sentryConfVal + "," + currentValue;
}
- sessionConf.setVar(confVar, currentValue);
+ sessionConf.set(confVar, currentValue);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
index 99ca16e..ce374c2 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
@@ -17,8 +17,10 @@
package org.apache.sentry.tests.e2e.hive;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
import java.io.File;
import java.io.FileNotFoundException;
@@ -27,6 +29,7 @@ import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import java.sql.Connection;
+import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;
@@ -226,4 +229,23 @@ public class Context {
public String getConnectionURL() {
return hiveServer.getURL();
}
+
+ /**
+ * Execute "set x" and extract value from key=val format result Verify the
+ * extracted value
+ *
+ * @param stmt
+ * @return
+ * @throws Exception
+ */
+ public void verifySessionConf(Connection con, String key, String expectedVal)
+ throws Exception {
+ Statement stmt = con.createStatement();
+ ResultSet res = stmt.executeQuery("set " + key);
+ assertTrue(res.next());
+ String resultValues[] = res.getString(1).split("="); // "key=val"
+ assertEquals("Result not in key = val format", 2, resultValues.length);
+ assertEquals("Conf value should be set by execute()", expectedVal,
+ resultValues[1]);
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index d88609a..e1cf073 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -26,6 +26,7 @@ import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
+import org.apache.hadoop.mapreduce.JobContext;
import org.apache.sentry.provider.file.PolicyFile;
import org.junit.After;
import org.junit.Before;
@@ -339,4 +340,13 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration {
connection.close();
}
}
+
+ @Test
+ public void testMrAclsSetting() throws Exception {
+ Connection connection = context.createConnection("admin1");
+ context
+ .verifySessionConf(connection, JobContext.JOB_ACL_VIEW_JOB, "admin1");
+ context
+ .verifySessionConf(connection, JobContext.JOB_ACL_VIEW_JOB, "admin1");
+ }
}