Posted to commits@sentry.apache.org by sd...@apache.org on 2015/08/14 09:28:57 UTC
[23/50] [abbrv] incubator-sentry git commit: SENTRY-485: Add test
coverage for auditing in E2E, secure environment (Colin Ma,
Reviewed by: Guoquan Shen)
SENTRY-485: Add test coverage for auditing in E2E, secure environment (Colin Ma, Reviewed by: Guoquan Shen)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/806953c3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/806953c3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/806953c3
Branch: refs/heads/hive_plugin_v2
Commit: 806953c3d4a9ccfe985cdf90b5e868787f66ac5f
Parents: 0dc5aa4
Author: Colin Ma <co...@apache.org>
Authored: Wed Jul 22 09:23:02 2015 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Wed Jul 22 09:23:02 2015 +0800
----------------------------------------------------------------------
.../hdfs/SentryHDFSServiceProcessorFactory.java | 51 +---
.../log/appender/AuditLoggerTestAppender.java | 52 ++++
.../db/log/entity/JsonLogEntityFactory.java | 5 +-
.../provider/db/log/util/CommandUtil.java | 46 ++-
.../service/thrift/SentryProcessorWrapper.java | 55 +---
.../provider/db/service/thrift/ThriftUtil.java | 108 +++++++
.../db/log/entity/TestJsonLogEntityFactory.java | 8 +-
.../TestAuthorizingDDLAuditLogWithKerberos.java | 295 +++++++++++++++++++
.../tests/e2e/dbprovider/TestDbDDLAuditLog.java | 65 ++--
9 files changed, 517 insertions(+), 168 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceProcessorFactory.java b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceProcessorFactory.java
index 286dc29..db55b5a 100644
--- a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceProcessorFactory.java
+++ b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryHDFSServiceProcessorFactory.java
@@ -18,21 +18,15 @@
package org.apache.sentry.hdfs;
-import java.net.Socket;
-
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.hdfs.service.thrift.SentryHDFSService;
import org.apache.sentry.hdfs.service.thrift.SentryHDFSService.Iface;
-import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
import org.apache.sentry.service.thrift.ProcessorFactory;
import org.apache.thrift.TException;
import org.apache.thrift.TMultiplexedProcessor;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TProtocol;
-import org.apache.thrift.transport.TSaslClientTransport;
-import org.apache.thrift.transport.TSaslServerTransport;
-import org.apache.thrift.transport.TSocket;
-import org.apache.thrift.transport.TTransport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -47,49 +41,10 @@ public class SentryHDFSServiceProcessorFactory extends ProcessorFactory{
}
@Override
public boolean process(TProtocol in, TProtocol out) throws TException {
- setIpAddress(in);
- setImpersonator(in);
+ ThriftUtil.setIpAddress(in);
+ ThriftUtil.setImpersonator(in);
return super.process(in, out);
}
-
- private void setImpersonator(final TProtocol in) {
- TTransport transport = in.getTransport();
- if (transport instanceof TSaslServerTransport) {
- String impersonator = ((TSaslServerTransport) transport).getSaslServer().getAuthorizationID();
- CommandUtil.setImpersonator(impersonator);
- }
- }
-
- private void setIpAddress(final TProtocol in) {
- TTransport transport = in.getTransport();
- TSocket tSocket = getUnderlyingSocketFromTransport(transport);
- if (tSocket != null) {
- setIpAddress(tSocket.getSocket());
- } else {
- LOGGER.warn("Unknown Transport, cannot determine ipAddress");
- }
- }
-
- private void setIpAddress(Socket socket) {
- CommandUtil.setIpAddress(socket.getInetAddress().toString());
- }
-
- private TSocket getUnderlyingSocketFromTransport(TTransport transport) {
- if (transport != null) {
- if (transport instanceof TSaslServerTransport) {
- transport = ((TSaslServerTransport) transport).getUnderlyingTransport();
- } else if (transport instanceof TSaslClientTransport) {
- transport = ((TSaslClientTransport) transport).getUnderlyingTransport();
- } else {
- if (!(transport instanceof TSocket)) {
- LOGGER.warn("Transport class [" + transport.getClass().getName() + "] is not of type TSocket");
- return null;
- }
- }
- return (TSocket) transport;
- }
- return null;
- }
}
public SentryHDFSServiceProcessorFactory(Configuration conf) {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
new file mode 100644
index 0000000..6eb1f0a
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.appender;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.AppenderSkeleton;
+import org.apache.log4j.Level;
+import org.apache.log4j.spi.LoggingEvent;
+
+import com.google.common.annotations.VisibleForTesting;
+
+@VisibleForTesting
+public class AuditLoggerTestAppender extends AppenderSkeleton {
+ public static List<LoggingEvent> events = new ArrayList<LoggingEvent>();
+
+ public void close() {
+ }
+
+ public boolean requiresLayout() {
+ return false;
+ }
+
+ @Override
+ protected void append(LoggingEvent event) {
+ events.add(event);
+ }
+
+ public static String getLastLogEvent() {
+ return events.get(events.size() - 1).getMessage().toString();
+ }
+
+ public static Level getLastLogLevel() {
+ return events.get(events.size() - 1).getLevel();
+ }
+}
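Review bot: `getLastLogEvent()` and `getLastLogLevel()` call `events.get(events.size() - 1)` with no emptiness check, so a test that asserts before any event was appended fails with an `ArrayIndexOutOfBoundsException` on index -1 rather than a readable message; guard both with `if (events.isEmpty()) { throw new IllegalStateException("no audit event has been captured"); }`. `events` is a public, non-final static `ArrayList` that grows for the lifetime of the JVM and, since log4j delivers events on whichever thread logged them, is appended to without synchronization — `private static final List<LoggingEvent> events = Collections.synchronizedList(new ArrayList<LoggingEvent>());` plus a clearing method for test setup would be safer, provided no test reads the field directly. `close()` and `requiresLayout()` also lack the `@Override` that `append` has. As a point of style, this test-only appender lives under `src/main` and so ships in the production jar; the `@VisibleForTesting` annotation does not prevent that, and `src/test` would be the more natural home if the E2E module can depend on it from there.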
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
index 90308f4..3ad46c4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
@@ -36,6 +36,7 @@ import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.apache.sentry.service.thrift.Status;
import org.apache.sentry.service.thrift.TSentryResponseStatus;
@@ -158,8 +159,8 @@ public class JsonLogEntityFactory {
amle.setUserName(userName);
amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME,
ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim());
- amle.setImpersonator(CommandUtil.getImpersonator());
- amle.setIpAddress(CommandUtil.getIpAddress());
+ amle.setImpersonator(ThriftUtil.getImpersonator());
+ amle.setIpAddress(ThriftUtil.getIpAddress());
amle.setOperation(Constants.requestTypeToOperationMap.get(requestClassName));
amle.setEventTime(Long.toString(System.currentTimeMillis()));
amle.setAllowed(isAllowed(responseStatus));
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
index 9beef83..741cfdc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -18,6 +18,9 @@
package org.apache.sentry.provider.db.log.util;
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
@@ -31,6 +34,8 @@ import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import com.google.common.annotations.VisibleForTesting;
+
public class CommandUtil {
public static String createCmdForCreateOrDropRole(String roleName,
@@ -154,33 +159,22 @@ public class CommandUtil {
return sb.toString();
}
- private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
- @Override
- protected synchronized String initialValue() {
- return "";
+ // Check if the given IP is one of the local IP.
+ @VisibleForTesting
+ public static boolean assertIPInAuditLog(String ipInAuditLog) throws Exception {
+ if (ipInAuditLog == null) {
+ return false;
}
- };
-
- public static void setIpAddress(String ipAddress) {
- threadLocalIpAddress.set(ipAddress);
- }
-
- public static String getIpAddress() {
- return threadLocalIpAddress.get();
- }
-
- private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() {
- @Override
- protected synchronized String initialValue() {
- return "";
+ Enumeration<NetworkInterface> netInterfaces = NetworkInterface.getNetworkInterfaces();
+ while (netInterfaces.hasMoreElements()) {
+ NetworkInterface ni = netInterfaces.nextElement();
+ Enumeration<InetAddress> ips = ni.getInetAddresses();
+ while (ips.hasMoreElements()) {
+ if (ipInAuditLog.indexOf(ips.nextElement().getHostAddress()) != -1) {
+ return true;
+ }
+ }
}
- };
-
- public static void setImpersonator(String impersonator) {
- threadLocalImpersonator.set(impersonator);
- }
-
- public static String getImpersonator() {
- return threadLocalImpersonator.get();
+ return false;
}
}
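Review bot: `assertIPInAuditLog` matches with `ipInAuditLog.indexOf(ip) != -1`, so any local address that is a substring of the logged one (`10.0.0.1` inside `10.0.0.11`, or `::1` inside most IPv6 literals) passes, which makes the E2E assertion weaker than it looks. The value written to the audit log comes from `InetAddress.toString()` in `ThriftUtil.setIpAddress`, i.e. `host/1.2.3.4`, so comparing the part after the last `/` with `equals` against `getHostAddress()` is both exact and simple. `NetworkInterface.getNetworkInterfaces()` is documented to return `null` when no interface is found, which the loop does not handle, and the method declares `throws Exception` where `SocketException` is the only checked exception raised. The name also reads like a JUnit assertion while it returns a boolean; `isLocalAddress` would describe what it does.
```java
    Enumeration<NetworkInterface> netInterfaces = NetworkInterface.getNetworkInterfaces();
    if (netInterfaces == null) {
      return false;
    }
    // The audit log stores InetAddress.toString(), i.e. "hostname/a.b.c.d"; compare the literal only.
    String loggedIp = ipInAuditLog.substring(ipInAuditLog.lastIndexOf('/') + 1);
    while (netInterfaces.hasMoreElements()) {
      Enumeration<InetAddress> ips = netInterfaces.nextElement().getInetAddresses();
      while (ips.hasMoreElements()) {
        if (loggedIp.equals(ips.nextElement().getHostAddress())) {
          return true;
        }
      }
    }
    return false;
```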
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
index 6f3508d..a5f11a9 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
@@ -18,71 +18,20 @@
package org.apache.sentry.provider.db.service.thrift;
-import java.net.Socket;
-
-import org.apache.sentry.provider.db.log.util.CommandUtil;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TProtocol;
-import org.apache.thrift.transport.TSaslClientTransport;
-import org.apache.thrift.transport.TSaslServerTransport;
-import org.apache.thrift.transport.TSocket;
-import org.apache.thrift.transport.TTransport;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
public class SentryProcessorWrapper<I extends SentryPolicyService.Iface> extends
SentryPolicyService.Processor<SentryPolicyService.Iface> {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryProcessorWrapper.class);
-
public SentryProcessorWrapper(I iface) {
super(iface);
}
@Override
public boolean process(TProtocol in, TProtocol out) throws TException {
- setIpAddress(in);
- setImpersonator(in);
+ ThriftUtil.setIpAddress(in);
+ ThriftUtil.setImpersonator(in);
return super.process(in, out);
}
-
- private void setImpersonator(final TProtocol in) {
- TTransport transport = in.getTransport();
- if (transport instanceof TSaslServerTransport) {
- String impersonator = ((TSaslServerTransport) transport).getSaslServer().getAuthorizationID();
- CommandUtil.setImpersonator(impersonator);
- }
- }
-
- private void setIpAddress(final TProtocol in) {
- TTransport transport = in.getTransport();
- TSocket tSocket = getUnderlyingSocketFromTransport(transport);
- if (tSocket != null) {
- setIpAddress(tSocket.getSocket());
- } else {
- LOGGER.warn("Unknown Transport, cannot determine ipAddress");
- }
- }
-
- private void setIpAddress(Socket socket) {
- CommandUtil.setIpAddress(socket.getInetAddress().toString());
- }
-
- /**
- * Returns the underlying TSocket from the transport, or null of the transport type is
- * unknown.
- */
- private TSocket getUnderlyingSocketFromTransport(TTransport transport) {
- Preconditions.checkNotNull(transport);
- if (transport instanceof TSaslServerTransport) {
- return (TSocket) ((TSaslServerTransport) transport).getUnderlyingTransport();
- } else if (transport instanceof TSaslClientTransport) {
- return (TSocket) ((TSaslClientTransport) transport).getUnderlyingTransport();
- } else if (transport instanceof TSocket) {
- return (TSocket) transport;
- }
- return null;
- }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
new file mode 100644
index 0000000..a5d7ca9
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.thrift.protocol.TProtocol;
+import org.apache.thrift.transport.TSaslClientTransport;
+import org.apache.thrift.transport.TSaslServerTransport;
+import org.apache.thrift.transport.TSocket;
+import org.apache.thrift.transport.TTransport;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Preconditions;
+
+public class ThriftUtil {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(ThriftUtil.class);
+
+ public static void setImpersonator(final TProtocol in) {
+ try {
+ TTransport transport = in.getTransport();
+ if (transport instanceof TSaslServerTransport) {
+ String impersonator = ((TSaslServerTransport) transport).getSaslServer()
+ .getAuthorizationID();
+ setImpersonator(impersonator);
+ }
+ } catch (Exception e) {
+ // If there has exception when get impersonator info, log the error information.
+ LOGGER.warn("There is an error when get the impersonator:" + e.getMessage());
+ }
+ }
+
+ public static void setIpAddress(final TProtocol in) {
+ try {
+ TTransport transport = in.getTransport();
+ TSocket tSocket = getUnderlyingSocketFromTransport(transport);
+ if (tSocket != null) {
+ setIpAddress(tSocket.getSocket().getInetAddress().toString());
+ } else {
+ LOGGER.warn("Unknown Transport, cannot determine ipAddress");
+ }
+ } catch (Exception e) {
+ // If there has exception when get impersonator info, log the error information.
+ LOGGER.warn("There is an error when get the client's ip address:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Returns the underlying TSocket from the transport, or null of the transport type is unknown.
+ */
+ private static TSocket getUnderlyingSocketFromTransport(TTransport transport) {
+ Preconditions.checkNotNull(transport);
+ if (transport instanceof TSaslServerTransport) {
+ return (TSocket) ((TSaslServerTransport) transport).getUnderlyingTransport();
+ } else if (transport instanceof TSaslClientTransport) {
+ return (TSocket) ((TSaslClientTransport) transport).getUnderlyingTransport();
+ } else if (transport instanceof TSocket) {
+ return (TSocket) transport;
+ }
+ return null;
+ }
+
+ private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
+ @Override
+ protected synchronized String initialValue() {
+ return "";
+ }
+ };
+
+ public static void setIpAddress(String ipAddress) {
+ threadLocalIpAddress.set(ipAddress);
+ }
+
+ public static String getIpAddress() {
+ return threadLocalIpAddress.get();
+ }
+
+ private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() {
+ @Override
+ protected synchronized String initialValue() {
+ return "";
+ }
+ };
+
+ public static void setImpersonator(String impersonator) {
+ threadLocalImpersonator.set(impersonator);
+ }
+
+ public static String getImpersonator() {
+ return threadLocalImpersonator.get();
+ }
+}
\ No newline at end of file
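Review bot: `setImpersonator` and `setIpAddress` only overwrite their thread-local when the transport is recognised and no exception occurs; on the `else` and `catch` paths the value left by the previous request handled on the same thread stays in place, and if the server reuses worker threads across connections `JsonLogEntityFactory` then writes that stale impersonator or IP into the new audit record. Assigning the result to a local that defaults to `""` and storing it unconditionally after the try/catch fixes this for both methods (only `setImpersonator` is shown below; `setIpAddress` mirrors it); alternatively the callers `SentryHDFSServiceProcessorFactory.process` and `SentryProcessorWrapper.process` could reset both values in a `finally` around `super.process`. The two `catch` blocks log only `e.getMessage()`, dropping the stack trace — pass `e` as the last argument instead — and the comment above the second one still says "impersonator info" although it belongs to the IP-address lookup. The class also lacks a private constructor for a static utility, and the Javadoc on `getUnderlyingSocketFromTransport` carries "or null of the transport type" from the copied original where "or null if" is meant.
```java
  public static void setImpersonator(final TProtocol in) {
    // Default to "" so a failed or non-SASL lookup never leaves a stale value on a reused thread.
    String impersonator = "";
    try {
      TTransport transport = in.getTransport();
      if (transport instanceof TSaslServerTransport) {
        impersonator = ((TSaslServerTransport) transport).getSaslServer().getAuthorizationID();
      }
    } catch (Exception e) {
      LOGGER.warn("There is an error when get the impersonator", e);
    }
    setImpersonator(impersonator);
  }
  // … unchanged: setIpAddress (same pattern), getUnderlyingSocketFromTransport, thread-local accessors …
```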
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
index bce4717..199f7f5 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
@@ -20,16 +20,13 @@ package org.apache.sentry.provider.db.log.entity;
import static junit.framework.Assert.assertEquals;
-import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.log4j.Logger;
import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.log.util.CommandUtil;
import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
@@ -44,6 +41,7 @@ import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.apache.sentry.service.thrift.Status;
@@ -70,8 +68,8 @@ public class TestJsonLogEntityFactory {
conf = new Configuration();
conf.set(ServerConfig.SENTRY_SERVICE_NAME,
ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
- CommandUtil.setIpAddress(TEST_IP);
- CommandUtil.setImpersonator(TEST_IMPERSONATOR);
+ ThriftUtil.setIpAddress(TEST_IP);
+ ThriftUtil.setImpersonator(TEST_IMPERSONATOR);
}
@Test
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
new file mode 100644
index 0000000..426b2f7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
@@ -0,0 +1,295 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setupLog4j() throws Exception {
+ Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Test
+ public void testBasic() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName = "testRole";
+ String errorRoleName = "errorRole";
+ String serverName = "server1";
+ String groupName = "testGroup";
+ String dbName = "dbTest";
+ String tableName = "tableTest";
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+
+ // for successful audit log
+ client.createRole(requestorUserName, roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ // for ip address, there is another logic to test the result
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantRoleToGroup(requestorUserName, groupName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ + " TO ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+ "SELECT", true);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName
+ + " TO ROLE " + roleName + " WITH GRANT OPTION");
+ fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ try {
+ client.createRole(requestorUserName, roleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantRoleToGroup(requestorUserName, groupName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + errorRoleName
+ + " TO GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client
+ .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "INSERT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE "
+ + dbName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE "
+ + dbName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ tableName, "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE "
+ + tableName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ client.revokeTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+ "SELECT");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName
+ + " FROM ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ + " FROM ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.revokeRoleFromGroup(requestorUserName, groupName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.dropRole(requestorUserName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ try {
+ client.revokeTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ tableName, "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE "
+ + tableName + " FROM ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.revokeDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "ALL");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ + " FROM ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.revokeRoleFromGroup(requestorUserName, groupName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + errorRoleName
+ + " FROM GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.dropRole(requestorUserName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/806953c3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java
index 2cecdfd..8613034 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java
@@ -18,21 +18,19 @@
package org.apache.sentry.tests.e2e.dbprovider;
import static org.hamcrest.core.Is.is;
-import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.sql.Connection;
import java.sql.Statement;
-import java.util.ArrayList;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
-import org.apache.log4j.AppenderSkeleton;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
-import org.apache.log4j.spi.LoggingEvent;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.codehaus.jettison.json.JSONObject;
@@ -42,36 +40,12 @@ import org.junit.Test;
public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
- public static class TestAppender extends AppenderSkeleton {
- public static List<LoggingEvent> events = new ArrayList<LoggingEvent>();
-
- public void close() {
- }
-
- public boolean requiresLayout() {
- return false;
- }
-
- @Override
- protected void append(LoggingEvent event) {
- events.add(event);
- }
-
- static String getLastLogEvent() {
- return events.get(events.size() - 1).getMessage().toString();
- }
-
- static Level getLastLogLevel() {
- return events.get(events.size() - 1).getLevel();
- }
- }
-
@BeforeClass
public static void setupTestStaticConfiguration() throws Exception {
useSentryService = true;
AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger");
- TestAppender testAppender = new TestAppender();
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
logger.addAppender(testAppender);
logger.setLevel(Level.INFO);
}
@@ -98,6 +72,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
statement.execute("GRANT ROLE " + roleName + " TO GROUP " + groupName);
@@ -106,6 +81,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName + " TO GROUP "
+ groupName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
statement.execute("GRANT ALL ON DATABASE " + dbName + " TO ROLE " + roleName);
@@ -115,6 +91,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
+ " TO ROLE " + roleName);
fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
statement.execute("GRANT SELECT ON TABLE " + tableName + " TO ROLE " + roleName
@@ -125,6 +102,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
+ " TO ROLE " + roleName + " WITH GRANT OPTION");
fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
// for error audit log
@@ -136,6 +114,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
try {
@@ -147,6 +126,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE errorROLE TO GROUP "
+ groupName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
try {
@@ -158,6 +138,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ " TO ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
try {
@@ -169,6 +150,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE " + dbName
+ " TO ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
try {
@@ -180,6 +162,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE " + dbName
+ " TO ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
try {
@@ -191,6 +174,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName
+ " TO ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
@@ -201,6 +185,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
+ " FROM ROLE " + roleName);
fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
statement.execute("REVOKE ALL ON DATABASE " + dbName + " FROM ROLE " + roleName);
@@ -210,6 +195,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
+ " FROM ROLE " + roleName);
fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
statement.execute("REVOKE ROLE " + roleName + " FROM GROUP " + groupName);
@@ -218,14 +204,16 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ " FROM GROUP " + groupName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
statement.execute("DROP ROLE " + roleName);
fieldValueMap.clear();
fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
- assertAuditLog(fieldValueMap);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
// for error audit log
try {
@@ -237,6 +225,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName
+ " FROM ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
@@ -249,6 +238,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ " FROM ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
@@ -261,6 +251,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE errorRole FROM GROUP "
+ groupName);
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
@@ -272,6 +263,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE errorRole");
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
assertAuditLog(fieldValueMap);
}
@@ -280,11 +272,16 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration {
}
private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
- assertThat(TestAppender.getLastLogLevel(), is(Level.INFO));
- JSONObject jsonObject = new JSONObject(TestAppender.getLastLogEvent());
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
if (fieldValueMap != null) {
for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
- assertThat(jsonObject.get(entry.getKey()).toString(), equalToIgnoringCase(entry.getValue()));
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
}
}
}
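Review bot: The `else` branch of the rewritten loop replaces `assertThat(..., equalToIgnoringCase(...))` with a bare `assertTrue(...)`, so a mismatched audit field now fails with no message naming the key or the two values, which makes a wrong or missing audit record hard to diagnose from CI output. Keep the hamcrest form for the non-IP keys, `assertThat(entryKey, jsonObject.get(entryKey).toString(), equalToIgnoringCase(entry.getValue()));` (the static import dropped at the top of this file would then stay), or give both `assertTrue` calls a message that carries `entryKey` and the logged value. The `null` value put under `LOG_FIELD_IP_ADDRESS` in the earlier hunks of this file is a sentinel meaning "only validate the address format", which is not obvious at the call sites; a comment on the `if`, such as `// callers put null for IP_ADDRESS: only check that the logged address is well-formed`, would make that explicit. What `CommandUtil.assertIPInAuditLog` accepts is not visible here, and `jsonObject.get(entryKey)` throws rather than asserts when the key is absent, so a record missing the address field presumably surfaces as an exception rather than a named assertion failure. The same helper is duplicated verbatim in TestAuthorizingDDLAuditLogWithKerberos earlier in this commit, so either fix should be applied to both copies.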