You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lens.apache.org by ra...@apache.org on 2018/09/06 08:01:19 UTC
lens git commit: LENS-1529: Authorization test cases and LENS-1532 :
Authorization conf fix.
Repository: lens
Updated Branches:
refs/heads/master 5a73df0d2 -> 1c3dff25b
LENS-1529: Authorization test cases and LENS-1532 : Authorization conf fix.
Project: http://git-wip-us.apache.org/repos/asf/lens/repo
Commit: http://git-wip-us.apache.org/repos/asf/lens/commit/1c3dff25
Tree: http://git-wip-us.apache.org/repos/asf/lens/tree/1c3dff25
Diff: http://git-wip-us.apache.org/repos/asf/lens/diff/1c3dff25
Branch: refs/heads/master
Commit: 1c3dff25b6547478d66cae13ac795d63f0e54c10
Parents: 5a73df0
Author: Rajitha R <ra...@apache.org>
Authored: Thu Sep 6 13:30:32 2018 +0530
Committer: Rajitha.R <ra...@IM0318-L0.corp.inmobi.com>
Committed: Thu Sep 6 13:30:32 2018 +0530
----------------------------------------------------------------------
.../cube/authorization/AuthorizationUtil.java | 16 +++---
.../lens/cube/metadata/CubeMetastoreClient.java | 5 +-
.../cube/parse/QueryAuthorizationResolver.java | 4 +-
.../cube/metadata/TestCubeMetastoreClient.java | 60 ++++++++++++++------
.../resources/schema/cubes/base/basecube.xml | 1 +
5 files changed, 59 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
----------------------------------------------------------------------
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
index ccd46a3..5ae2cfd 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
@@ -38,24 +38,26 @@ public class AuthorizationUtil {
private AuthorizationUtil(){}
public static boolean isAuthorized(Authorizer authorizer, String tableName,
- LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration configuration)
+ LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration hconf,
+ Configuration sessionConf)
throws LensException {
- return isAuthorized(authorizer, tableName, null, privilegeObjectType, actionType, configuration);
+ return isAuthorized(authorizer, tableName, null, privilegeObjectType, actionType, hconf, sessionConf);
}
public static boolean isAuthorized(Authorizer authorizer, String tableName, String colName,
- LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration configuration)
+ LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration hconf,
+ Configuration sessionConf)
throws LensException {
String user = null;
Set<String> userGroups = new HashSet<>();
- if (configuration.getBoolean(LensConfConstants.USER_NAME_BASED_AUTHORIZATION,
+ if (hconf.getBoolean(LensConfConstants.USER_NAME_BASED_AUTHORIZATION,
LensConfConstants.DEFAULT_USER_NAME_AUTHORIZATION)){
- user = configuration.get(LensConfConstants.SESSION_LOGGEDIN_USER);
+ user = sessionConf.get(LensConfConstants.SESSION_LOGGEDIN_USER);
}
- if (configuration.getBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION,
+ if (hconf.getBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION,
LensConfConstants.DEFAULT_USER_GROUPS_AUTHORIZATION)) {
userGroups = (Set<String>)
- configuration.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS);
+ sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS);
}
LensPrivilegeObject lp = new LensPrivilegeObject(privilegeObjectType, tableName, colName);
if (!authorizer.authorize(lp, actionType, user, userGroups)) {
http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
----------------------------------------------------------------------
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
index e6afcff..b1c1ae4 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
@@ -129,7 +129,7 @@ public class CubeMetastoreClient {
return completenessChecker;
}
- public Authorizer getAuthorizer() {
+ private Authorizer getAuthorizer() {
if (authorizer == null) {
authorizer = ReflectionUtils.newInstance(config.getClass(MetastoreConstants.AUTHORIZER_CLASS,
LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class), this.config);
@@ -157,7 +157,8 @@ public class CubeMetastoreClient {
if (isAuthorizationEnabled()) {
String currentdb = SessionState.get().getCurrentDatabase();
AuthorizationUtil.isAuthorized(getAuthorizer(), currentdb,
- LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf());
+ LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf(),
+ SessionState.getSessionConf());
}
}
http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
----------------------------------------------------------------------
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
index 78dd642..f1376ca 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
@@ -29,6 +29,7 @@ import org.apache.lens.server.api.authorization.LensPrivilegeObject;
import org.apache.lens.server.api.error.LensException;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.util.ReflectionUtils;
import lombok.Getter;
@@ -69,7 +70,8 @@ public class QueryAuthorizationResolver implements ContextRewriter {
if (restrictedFieldsQueried != null && !restrictedFieldsQueried.isEmpty()) {
for (String col : restrictedFieldsQueried) {
AuthorizationUtil.isAuthorized(getAuthorizer(), tbl.getName(), col,
- LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf());
+ LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf(),
+ SessionState.getSessionConf());
}
}
}
http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
----------------------------------------------------------------------
diff --git a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
index 6f054c4..9499f0c 100644
--- a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
+++ b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
@@ -38,7 +38,9 @@ import org.apache.lens.cube.metadata.timeline.EndsAndHolesPartitionTimeline;
import org.apache.lens.cube.metadata.timeline.PartitionTimeline;
import org.apache.lens.cube.metadata.timeline.StoreAllPartitionTimeline;
import org.apache.lens.cube.metadata.timeline.TestPartitionTimelines;
+import org.apache.lens.server.api.LensConfConstants;
import org.apache.lens.server.api.error.LensException;
+import org.apache.lens.server.api.query.save.exception.PrivilegeException;
import org.apache.lens.server.api.util.LensUtil;
import org.apache.hadoop.hive.conf.HiveConf;
@@ -63,6 +65,7 @@ import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
+
public class TestCubeMetastoreClient {
private static CubeMetastoreClient client;
@@ -143,6 +146,10 @@ public class TestCubeMetastoreClient {
Hive.get(conf).createDatabase(database);
SessionState.get().setCurrentDatabase(TestCubeMetastoreClient.class.getSimpleName());
client = CubeMetastoreClient.getInstance(conf);
+ client.getConf().setBoolean(LensConfConstants.ENABLE_METASTORE_SCHEMA_AUTHORIZATION_CHECK, true);
+ client.getConf().setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true);
+ client.getConf().set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
+ SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1");
defineCube(CUBE_NAME, CUBE_NAME_WITH_PROPS, DERIVED_CUBE_NAME, DERIVED_CUBE_NAME_WITH_PROPS);
defineUberDims();
}
@@ -154,8 +161,8 @@ public class TestCubeMetastoreClient {
client.dropCube(VIRTUAL_CUBE_NAME);
client = CubeMetastoreClient.getInstance(conf);
assertFalse(client.tableExists(CUBE_NAME));
-
Hive.get().dropDatabase(TestCubeMetastoreClient.class.getSimpleName(), true, true, true);
+
CubeMetastoreClient.close();
}
@@ -350,12 +357,12 @@ public class TestCubeMetastoreClient {
cube = new Cube(cubeName, cubeMeasures, cubeDimensions, cubeExpressions, joinChains, emptyHashMap, 0.0);
measures = Sets.newHashSet("msr1", "msr2", "msr3");
moreMeasures.addAll(measures);
- for(CubeMeasure measure: dummyMeasure) {
+ for (CubeMeasure measure : dummyMeasure) {
moreMeasures.add(measure.getName());
}
dimensions = Sets.newHashSet("dim1", "dim2", "dim3");
moreDimensions.addAll(dimensions);
- for(CubeDimAttribute dimAttribute: dummyDimAttributes) {
+ for (CubeDimAttribute dimAttribute : dummyDimAttributes) {
moreDimensions.add(dimAttribute.getName());
}
derivedCube = new DerivedCube(derivedCubeName, measures, dimensions, cube);
@@ -854,25 +861,25 @@ public class TestCubeMetastoreClient {
tag2.put("is_ui_visible", "true");
Set<CubeMeasure> cubeMeasures = new HashSet<>();
cubeMeasures.add(new ColumnMeasure(
- new FieldSchema("msr1", "int", "measure1 with tag"), null, null, null, null, null, null, null, 0.0,
- 9999.0, tag1));
+ new FieldSchema("msr1", "int", "measure1 with tag"), null, null, null, null, null, null, null, 0.0,
+ 9999.0, tag1));
cubeMeasures.add(new ColumnMeasure(
- new FieldSchema("msr2", "int", "measure2 with tag"),
- "measure2 with tag", null, null, null, NOW, null, null, 0.0, 999999.0, tag2));
+ new FieldSchema("msr2", "int", "measure2 with tag"),
+ "measure2 with tag", null, null, null, NOW, null, null, 0.0, 999999.0, tag2));
Set<CubeDimAttribute> cubeDimensions = new HashSet<>();
cubeDimensions.add(new BaseDimAttribute(new FieldSchema("dim1", "id", "ref dim"), "dim with tag",
- null, null, null, null, null, tag1));
+ null, null, null, null, null, tag1));
ExprSpec expr1 = new ExprSpec("avg(msr1 + msr2)", null, null);
ExprSpec expr2 = new ExprSpec("avg(msr2 + msr1)", null, null);
Set<ExprColumn> cubeExpressions = new HashSet<>();
cubeExpressions.add(new ExprColumn(new FieldSchema("expr_measure", "double", "expression measure"),
- "expr with tag", tag2, expr1, expr2));
+ "expr with tag", tag2, expr1, expr2));
client.createCube(cubename,
- cubeMeasures, cubeDimensions, cubeExpressions, null, null);
+ cubeMeasures, cubeDimensions, cubeExpressions, null, null);
Table cubeTbl = client.getHiveTable(cubename);
assertTrue(client.isCube(cubeTbl));
Cube cube2 = new Cube(cubeTbl);
@@ -983,7 +990,7 @@ public class TestCubeMetastoreClient {
factColumns.add(new FieldSchema("zipcode", "int", "zip"));
FieldSchema itPart = new FieldSchema("it", "string", "date part");
FieldSchema etPart = new FieldSchema("et", "string", "date part");
- String[] partColNames = new String[] { getDatePartitionKey(), itPart.getName(), etPart.getName() };
+ String[] partColNames = new String[]{getDatePartitionKey(), itPart.getName(), etPart.getName()};
StorageTableDesc s1 = new StorageTableDesc(TextInputFormat.class, HiveIgnoreKeyTextOutputFormat.class,
Lists.newArrayList(getDatePartition(), itPart, etPart),
@@ -1034,7 +1041,7 @@ public class TestCubeMetastoreClient {
EndsAndHolesPartitionTimeline.class.getCanonicalName());
client.pushHiveTable(c2TableHourly);
- assertSameTimelines(factName, new String[] { c1, c2 }, HOURLY, partColNames);
+ assertSameTimelines(factName, new String[]{c1, c2}, HOURLY, partColNames);
StoreAllPartitionTimeline timelineDtC1 = ((StoreAllPartitionTimeline) client.partitionTimelineCache
.get(factName, c1, HOURLY, getDatePartitionKey()));
@@ -1076,7 +1083,7 @@ public class TestCubeMetastoreClient {
assertEquals(client.getAllParts(c1TableNameHourly).size(), 3);
assertEquals(client.getAllParts(c2TableNameHourly).size(), 3);
- assertSameTimelines(factName, new String[] { c1, c2 }, HOURLY, partColNames);
+ assertSameTimelines(factName, new String[]{c1, c2}, HOURLY, partColNames);
assertTimeline(timelineDt, timelineDtC1, HOURLY, 0, 0);
assertTimeline(timelineEt, timelineEtC1, HOURLY, 0, 1);
@@ -1361,7 +1368,7 @@ public class TestCubeMetastoreClient {
}
private void assertRangeValidityForStorageTable(String storageTable) throws HiveException, LensException {
- Object[][] testCases = new Object[][] {
+ Object[][] testCases = new Object[][]{
{"now - 15 days", "now - 11 days", false},
{"now - 15 days", "now.day - 10 days", false},
{"now - 15 days", "now - 1 hour", true},
@@ -1868,7 +1875,7 @@ public class TestCubeMetastoreClient {
StoreAllPartitionTimeline storeAllPartitionTimeline, UpdatePeriod updatePeriod,
int firstOffset, int latestOffset, int... holeOffsets) throws LensException {
Date[] holeDates = new Date[holeOffsets.length];
- for(int i = 0; i < holeOffsets.length; i++) {
+ for (int i = 0; i < holeOffsets.length; i++) {
holeDates[i] = getDateWithOffset(HOURLY, holeOffsets[i]);
}
assertTimeline(endsAndHolesPartitionTimeline, storeAllPartitionTimeline, updatePeriod,
@@ -2191,9 +2198,9 @@ public class TestCubeMetastoreClient {
// test partition
List<StoragePartitionDesc> storageDescs = new ArrayList<>();
StoragePartitionDesc sPartSpecNow =
- new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsNow, partSpec, HOURLY);
+ new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsNow, partSpec, HOURLY);
StoragePartitionDesc sPartSpecTwoMonthsBack =
- new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsBeforeTwoMonths, partSpec, HOURLY);
+ new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsBeforeTwoMonths, partSpec, HOURLY);
storageDescs.add(sPartSpecNow);
storageDescs.add(sPartSpecTwoMonthsBack);
@@ -2981,4 +2988,23 @@ public class TestCubeMetastoreClient {
conf.setBoolean(MetastoreConstants.METASTORE_ENABLE_CACHING, true);
client = CubeMetastoreClient.getInstance(conf);
}
+
+ @Test(priority = 4)
+ public void testMetastoreAuthorization() throws HiveException, LensException {
+
+ client = CubeMetastoreClient.getInstance(new HiveConf(TestCubeMetastoreClient.class));
+ SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test2");
+ try {
+ client.createCube("testcache5", cubeMeasures, cubeDimensions);
+ fail("Privilege exception supposed to be thrown for updating TestCubeMetastoreClient"
+ + " database, however not seeing expected behaviour");
+ } catch (PrivilegeException actualException) {
+ PrivilegeException expectedException =
+ new PrivilegeException("DATABASE", "TestCubeMetastoreClient", "UPDATE");
+ assertEquals(expectedException, actualException);
+ }
+ SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1");
+ client.createCube("testcache5", cubeMeasures, cubeDimensions);
+ }
+
}
http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/test/resources/schema/cubes/base/basecube.xml
----------------------------------------------------------------------
diff --git a/lens-cube/src/test/resources/schema/cubes/base/basecube.xml b/lens-cube/src/test/resources/schema/cubes/base/basecube.xml
index 6cc3201..c8a015e 100644
--- a/lens-cube/src/test/resources/schema/cubes/base/basecube.xml
+++ b/lens-cube/src/test/resources/schema/cubes/base/basecube.xml
@@ -21,6 +21,7 @@
-->
<x_base_cube name="basecube" xmlns="uri:lens:cube:0.1">
<properties>
+ <property name="cube.basecube.restricted.columns" value="dim11"/>
<property name="cube.timedim.partition.et" value="et"/>
<property name="cube.timedim.partition.it" value="it"/>
<property name="cube.timedim.partition.d_time" value="dt"/>