You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by ja...@apache.org on 2014/05/19 17:25:19 UTC

git commit: SENTRY-158: Hive bindings should enable MR level ACLs for session user

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 5fc968e6c -> cbbb3bd7a


SENTRY-158: Hive bindings should enable MR level ACLs for session user

(Prasad Mujumdar via Jarek Jarcec Cecho)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/cbbb3bd7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/cbbb3bd7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/cbbb3bd7

Branch: refs/heads/master
Commit: cbbb3bd7ae1053ae3794fada66160aee10664014
Parents: 5fc968e
Author: Jarek Jarcec Cecho <ja...@apache.org>
Authored: Mon May 19 08:23:54 2014 -0700
Committer: Jarek Jarcec Cecho <ja...@apache.org>
Committed: Mon May 19 08:23:54 2014 -0700

----------------------------------------------------------------------
 .../hive/HiveAuthzBindingSessionHook.java       | 24 ++++++++++++++------
 .../apache/sentry/tests/e2e/hive/Context.java   | 22 ++++++++++++++++++
 .../tests/e2e/hive/TestUserManagement.java      | 10 ++++++++
 3 files changed, 49 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 2e53acb..aacad66 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive;
 
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.mapreduce.JobContext;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.cli.session.HiveSessionHookContext;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
@@ -69,9 +70,11 @@ public class HiveAuthzBindingSessionHook
     // Add sentry hooks to the session configuration
     HiveConf sessionConf = sessionHookContext.getSessionConf();
 
-    appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK, SEMANTIC_HOOK);
-    appendConfVar(sessionConf, ConfVars.PREEXECHOOKS, PRE_EXEC_HOOK);
-    appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK, FILTER_HOOK);
+    appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
+        SEMANTIC_HOOK);
+    appendConfVar(sessionConf, ConfVars.PREEXECHOOKS.varname, PRE_EXEC_HOOK);
+    appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK.varname,
+        FILTER_HOOK);
 
     // setup config
     sessionConf.setBoolVar(ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE, true);
@@ -82,18 +85,25 @@ public class HiveAuthzBindingSessionHook
     sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser());
     sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
 
+    // Set MR ACLs to session user
+    appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
+        sessionHookContext.getSessionUser());
+    appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB,
+        sessionHookContext.getSessionUser());
+
     // setup restrict list
     sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST);
   }
 
   // Setup given sentry hooks
-  private void appendConfVar(HiveConf sessionConf, ConfVars confVar, String sentryConfVal) {
-    String currentValue = sessionConf.getVar(confVar);
-    if ((currentValue == null) || currentValue.isEmpty()) {
+  private void appendConfVar(HiveConf sessionConf, String confVar,
+      String sentryConfVal) {
+    String currentValue = sessionConf.get(confVar, "").trim();
+    if (currentValue.isEmpty()) {
       currentValue = sentryConfVal;
     } else {
       currentValue = sentryConfVal + "," + currentValue;
     }
-    sessionConf.setVar(confVar, currentValue);
+    sessionConf.set(confVar, currentValue);
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
index 99ca16e..ce374c2 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
@@ -17,8 +17,10 @@
 
 package org.apache.sentry.tests.e2e.hive;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -27,6 +29,7 @@ import java.io.IOException;
 import java.io.PrintWriter;
 import java.net.URI;
 import java.sql.Connection;
+import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.Set;
@@ -226,4 +229,23 @@ public class Context {
   public String getConnectionURL() {
     return hiveServer.getURL();
   }
+
+  /**
+   * Execute "set x" and extract value from key=val format result Verify the
+   * extracted value
+   * 
+   * @param stmt
+   * @return
+   * @throws Exception
+   */
+  public void verifySessionConf(Connection con, String key, String expectedVal)
+      throws Exception {
+    Statement stmt = con.createStatement();
+    ResultSet res = stmt.executeQuery("set " + key);
+    assertTrue(res.next());
+    String resultValues[] = res.getString(1).split("="); // "key=val"
+    assertEquals("Result not in key = val format", 2, resultValues.length);
+    assertEquals("Conf value should be set by execute()", expectedVal,
+        resultValues[1]);
+  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index d88609a..e1cf073 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -26,6 +26,7 @@ import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.Statement;
 
+import org.apache.hadoop.mapreduce.JobContext;
 import org.apache.sentry.provider.file.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
@@ -339,4 +340,13 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration {
       connection.close();
     }
   }
+
+  @Test
+  public void testMrAclsSetting() throws Exception {
+    Connection connection = context.createConnection("admin1");
+    context
+        .verifySessionConf(connection, JobContext.JOB_ACL_VIEW_JOB, "admin1");
+    context
+        .verifySessionConf(connection, JobContext.JOB_ACL_VIEW_JOB, "admin1");
+  }
 }