Posted to commits@sentry.apache.org by ja...@apache.org on 2014/06/04 04:59:33 UTC
git commit: SENTRY-255: Revoke on Server privilege fails
Repository: incubator-sentry
Updated Branches:
refs/heads/master 112dd60bc -> bc755d77d
SENTRY-255: Revoke on Server privilege fails
(Sravya Tirukkovalur via Jarek Jarcec Cecho)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/bc755d77
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/bc755d77
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/bc755d77
Branch: refs/heads/master
Commit: bc755d77d28691f1ff522b53633adb5da83c3e1a
Parents: 112dd60
Author: Jarek Jarcec Cecho <ja...@apache.org>
Authored: Tue Jun 3 19:59:01 2014 -0700
Committer: Jarek Jarcec Cecho <ja...@apache.org>
Committed: Tue Jun 3 19:59:01 2014 -0700
----------------------------------------------------------------------
.../hive/ql/exec/SentryGrantRevokeTask.java | 6 +-
.../e2e/dbprovider/TestDatabaseProvider.java | 121 +++++++++++++++++++
2 files changed, 126 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bc755d77/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 4a50bd0..54c9a41 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -531,7 +531,11 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
tableName, toSentryAction(privDesc.getPrivilege().getPriv()));
}
} else {
- if (tableName == null) {
+ if (serverName != null) {
+ sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName);
+ } else if (uriPath != null) {
+ sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath);
+ } else if (tableName == null) {
sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName);
} else {
sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName,
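Review bot: The new server branch passes `serverName` to `revokeServerPrivilege`, while the URI, database and table branches pass `server`. Both variables are set outside this hunk, so it is worth confirming that a server name taken from the statement is checked against the configured server before the revoke is sent. If it is not, a revoke that names the wrong server could complete without removing the privilege the administrator meant to remove. The last `else if (tableName == null)` arm also still calls `revokeDatabasePrivilege` without checking `dbName`, which is the fall-through that hid the original bug. A guard such as `if (dbName == null) throw new HiveException("No object specified for REVOKE");` would make an unrecognised privilege scope fail loudly, assuming `HiveException` is what this method already throws. The enclosing method starts and ends outside the hunk.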
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bc755d77/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index 05e5218..84223a9 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
@@ -17,6 +17,8 @@
package org.apache.sentry.tests.e2e.dbprovider;
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import static org.hamcrest.Matchers.equalToIgnoringCase;
import static org.hamcrest.Matchers.is;
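Review bot: The two imports added here, `SentryUserException` and `SentryAccessDeniedException`, are not referenced by any line this commit adds, so they appear unused unless code outside the visible hunks needs them. They suggest a negative case was planned: a REVOKE issued by a non-admin user that is expected to be denied. Either drop the imports or add that case, since the new test only exercises revokes performed by `ADMIN1` and says nothing about who is allowed to revoke.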
@@ -103,6 +105,125 @@ public class TestDatabaseProvider extends AbstractTestWithDbProvider {
connection.close();
}
+
+ /**
+ * Revoke privilege
+ * @throws Exception
+ */
+ @Test
+ public void testRevokePrivileges() throws Exception {
+ Connection connection;
+ Statement statement;
+ ResultSet resultSet;
+
+ connection = context.createConnection(ADMIN1);
+ statement = context.createStatement(connection);
+ statement.execute("CREATE ROLE role1");
+
+ //Revoke All on server by admin
+ statement.execute("GRANT ALL ON SERVER server1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON SERVER server1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke All on database by admin
+ statement.execute("GRANT ALL ON DATABASE default to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON DATABASE default from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke All on URI by admin
+ statement.execute("GRANT ALL ON URI 'file:///path' to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON URI 'file:///path' from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke All on table by admin
+ statement.execute("GRANT ALL ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke INSERT on table by admin
+ statement.execute("GRANT INSERT ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE INSERT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke SELECT on table by admin
+ statement.execute("GRANT SELECT ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE SELECT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke Partial privilege on table by admin
+ statement.execute("GRANT ALL ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE INSERT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ while(resultSet.next()) {
+ assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
+ assertThat(resultSet.getString(2), equalToIgnoringCase("tab1"));
+ assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
+ assertThat(resultSet.getString(4), equalToIgnoringCase(""));//column
+ assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
+ assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
+ assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
+ assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption
+ //Create time is not tested
+ //assertThat(resultSet.getLong(9), is(new Long(0)));
+ assertThat(resultSet.getString(10), equalToIgnoringCase(ADMIN1));//grantor
+
+ }
+
+ //Revoke Partial privilege on table by admin
+ statement.execute("GRANT ALL ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE SELECT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ while(resultSet.next()) {
+ assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
+ assertThat(resultSet.getString(2), equalToIgnoringCase("tab1"));
+ assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
+ assertThat(resultSet.getString(4), equalToIgnoringCase(""));//column
+ assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
+ assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
+ assertThat(resultSet.getString(7), equalToIgnoringCase("insert"));
+ assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption
+ //Create time is not tested
+ //assertThat(resultSet.getLong(9), is(new Long(0)));
+ assertThat(resultSet.getString(10), equalToIgnoringCase(ADMIN1));//grantor
+
+ }
+
+ statement.close();
+ connection.close();
+ }
+
+ private void assertResultSize(ResultSet resultSet, int expected) throws SQLException{
+ int count = 0;
+ while(resultSet.next()) {
+ count++;
+ }
+ assertThat(count, is(expected));
+ }
+
/**
* SHOW ROLES
* @throws Exception
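Review bot: The per-column assertions inside the two `while(resultSet.next())` loops of `testRevokePrivileges` never run, because the `assertResultSize(resultSet, 1)` call just before each loop has already advanced that same ResultSet to its end. As written, the partial-revoke cases only prove that one row remains, not that the surviving privilege is `select` (or `insert`) with the expected grantor, which is the property a revoke test most needs to pin. Re-issue the query before each loop with `resultSet = statement.executeQuery("SHOW GRANT ROLE role1");` and assert that the loop body ran at least once. Separately, `statement` and `connection` are closed only on the success path, so a failed assertion leaks both; a try/finally around the body would fix that.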