You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/05/29 18:06:49 UTC
[30/43] sentry git commit: SENTRY-2208: Refactor out Sentry service
into own module from sentry-provider-db (Anthony Young-Garner,
reviewed by Sergio Pena, Steve Moist, Na Li)
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
deleted file mode 100644
index 92f3f8b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-
-import com.google.common.collect.Lists;
-
-public class TestNotificationHandlerInvoker {
-
- private Configuration conf;
- private NotificationHandler handler;
- private NotificationHandlerInvoker invoker;
-
- @Before
- public void setup() throws Exception {
- conf = new Configuration(false);
- handler = Mockito.spy(new NotificationHandler(conf) {});
- invoker = new NotificationHandlerInvoker(conf,
- Lists.newArrayList(new ThrowingNotificationHandler(conf), handler));
- }
-
- @Test
- public void testCreateSentryRole() throws Exception {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
- invoker.create_sentry_role(request, response);
- Mockito.verify(handler).create_sentry_role(request, response);
- }
-
- @Test
- public void testDropSentryRole() throws Exception {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- TDropSentryRoleResponse response = new TDropSentryRoleResponse();
- invoker.drop_sentry_role(request, response);
- Mockito.verify(handler).drop_sentry_role(request, response);
- }
-
-
-
- @Test
- public void testAlterSentryRoleAddGroups() throws Exception {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
- invoker.alter_sentry_role_add_groups(request, response);
- Mockito.verify(handler).alter_sentry_role_add_groups(request, response);
- }
-
- @Test
- public void testAlterSentryRoleDeleteGroups() throws Exception {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
- invoker.alter_sentry_role_delete_groups(request, response);
- Mockito.verify(handler).alter_sentry_role_delete_groups(request, response);
- }
-
- public static class ThrowingNotificationHandler extends NotificationHandler {
- public ThrowingNotificationHandler(Configuration config) throws Exception {
- super(config);
- }
- @Override
- public void create_sentry_role(TCreateSentryRoleRequest request,
- TCreateSentryRoleResponse response) {
- throw new RuntimeException();
- }
- public void drop_sentry_role(TDropSentryRoleRequest request,
- TDropSentryRoleResponse response) {
- throw new RuntimeException();
- }
- @Override
- public void alter_sentry_role_add_groups(
- TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response) {
- throw new RuntimeException();
- }
- @Override
- public void alter_sentry_role_delete_groups(
- TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response) {
- throw new RuntimeException();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
deleted file mode 100644
index e845936..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import java.util.Set;
-
-import org.apache.sentry.service.thrift.SentryServiceFactory;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestSentryPolicyServiceClient extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- kerberos = false;
- }
-
- @Test
- public void testConnectionWhenReconnect() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.listAllRoles(requestorUserName);
- stopSentryService();
- server = SentryServiceFactory.create(conf);
- startSentryService();
- client.listAllRoles(requestorUserName);
- client.dropRole(requestorUserName, roleName);
- }
- });
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
deleted file mode 100644
index efacf19..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.api.service.thrift;
-
-import org.apache.sentry.api.common.ThriftConstants;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.junit.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
-import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServerConfig;
-import org.junit.Before;
-import org.junit.Test;
-
-public class TestSentryPolicyStoreProcessor {
-
- private Configuration conf;
-
- @Before
- public void setup() {
- conf = new Configuration(false);
- }
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigNotNotificationHandler() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
- SentryPolicyStoreProcessor.createHandlers(conf);
- }
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigCannotCreateNotificationHandler() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
- ExceptionInConstructorNotificationHandler.class.getName());
- SentryPolicyStoreProcessor.createHandlers(conf);
- }
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigNotAClassNotificationHandler() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
- SentryPolicyStoreProcessor.createHandlers(conf);
- }
- @Test
- public void testConfigMultipleNotificationHandlers() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
- NoopNotificationHandler.class.getName() + "," +
- NoopNotificationHandler.class.getName() + " " +
- NoopNotificationHandler.class.getName());
- Assert.assertEquals(3, SentryPolicyStoreProcessor.createHandlers(conf).size());
- }
- public static class ExceptionInConstructorNotificationHandler extends NotificationHandler {
- public ExceptionInConstructorNotificationHandler(Configuration config) throws Exception {
- super(config);
- throw new Exception();
- }
- }
- public static class NoopNotificationHandler extends NotificationHandler {
- public NoopNotificationHandler(Configuration config) throws Exception {
- super(config);
- }
- }
- @Test(expected=SentryThriftAPIMismatchException.class)
- public void testSentryThriftAPIMismatch() throws Exception {
- SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1);
- }
- @Test
- public void testSentryThriftAPIMatchVersion() throws Exception {
- SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
deleted file mode 100644
index 7330204..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import org.junit.BeforeClass;
-
-public class TestSentryServerForPoolWithoutKerberos extends TestSentryServerWithoutKerberos {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
deleted file mode 100644
index 6290fb7..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.api.service.thrift;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.log4j.LogManager;
-import org.apache.log4j.Logger;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.*;
-
-import java.net.HttpURLConnection;
-import java.net.URL;
-
-public class TestSentryServerLogLevel extends SentryServiceIntegrationBase {
- private final String CLASS_NAME = "org.eclipse.jetty.server.handler.ContextHandler";
-
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = false;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- /**
- * Get the log level for the specified class
- * @param className: Name of class
- * @return
- * Log level of the class
- */
- private String getLogLevel(String className) {
- Logger logInstance = LogManager.getLogger(className);
- return logInstance.getEffectiveLevel().toString();
- }
-
- /**
- * Send log level and class name via the HTTP interface and verify that it is set at the loogger.
- * @throws Exception
- */
- @Test
- public void testSetLogLevel() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log="
- + CLASS_NAME + "&level=INFO");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertTrue(response.contains("INFO"));
- Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
- }
-
- /**
- * Send class name via the HTTP interface and verify that it is get at the loogger.
- * @throws Exception
- */
- @Test
- public void testGetLogLevel() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log=" + CLASS_NAME);
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertTrue(response.contains("INFO"));
- Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
- }
-
- /**
- * Send class name and invalid log level via the HTTP interface and verify that it returns error response.
- * @throws Exception
- */
- @Test
- public void testInvalidLogLevel() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log="
- + CLASS_NAME + "&level=ABCD");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
deleted file mode 100644
index 716109f..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
+++ /dev/null
@@ -1,181 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.api.service.thrift;
-
-import org.apache.sentry.core.common.utils.PubSub;
-import org.apache.sentry.core.common.utils.PubSub.Topic;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-
-import org.junit.*;
-
-import java.net.HttpURLConnection;
-import java.net.URL;
-
-public class TestSentryServerPubSub extends SentryServiceIntegrationBase {
-
- private static final Topic[] topics = Topic.values();
- private static final String[] messages = { "message1", "message2", "message3", "" };
-
- private static volatile String REQUEST_URL;
-
- private final TestSubscriber testSubscriber = new TestSubscriber();
-
- private static final class TestSubscriber implements PubSub.Subscriber {
- private volatile Topic topic;
- private volatile String message;
- private volatile int count;
- @Override
- public void onMessage(Topic topic, String message) {
- this.topic = topic;
- this.message = message;
- this.count++;
- }
- }
-
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = false;
- SentryServiceIntegrationBase.setup();
- REQUEST_URL= "http://" + SERVER_HOST + ":" + webServerPort + "/admin/publishMessage?topic=%s&message=%s";
- }
-
- @Override
- @Before
- public void before() throws Exception {
-
- // Subscribe to all defined topics.
- // After each successfull HTTP-GET, testSubscriber.onMessage()
- // will be called and "topic" and "message" fields will be
- // set according to HTTP-GET parameters.
- testSubscriber.count = 0;
- for (Topic topic : topics) {
- PubSub.getInstance().subscribe(topic, testSubscriber);
- }
- Assert.assertEquals("Unexpected number of registered topics", topics.length, PubSub.getInstance().getTopics().size());
- }
-
- @Override
- @After
- public void after() {
- // unsubscribe
- for (Topic topic : topics) {
- PubSub.getInstance().unsubscribe(topic, testSubscriber);
- }
- testSubscriber.count = 0;
- Assert.assertTrue("Topics should have been removed after unsubscribe()", PubSub.getInstance().getTopics().isEmpty());
- }
-
- /**
- * Successfully publish notifications
- * @throws Exception
- */
- @Test
- public void testPubSub() throws Exception {
- int count = 0;
- for (Topic topic : topics) {
- for (String message : messages) {
- URL url = new URL(String.format(REQUEST_URL, topic.getName(), message));
- HttpURLConnection conn = null;
- try {
- conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_OK, conn.getResponseCode());
- } finally {
- safeClose(conn);
- }
- Assert.assertEquals("Unexpected topic", topic, testSubscriber.topic);
- if (message.isEmpty()) {
- Assert.assertEquals("Unexpected message", null, testSubscriber.message);
- } else {
- Assert.assertEquals("Unexpected message", message, testSubscriber.message);
- }
- Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", ++count, testSubscriber.count);
- }
- }
- }
-
- /**
- * Submit empty topic. It's ok, generates form page.
- * @throws Exception
- */
- @Test
- public void testPubSubEmptyTopic() throws Exception {
- URL url = new URL(String.format(REQUEST_URL, "", "message"));
- HttpURLConnection conn = null;
- try {
- conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_OK, conn.getResponseCode());
- } finally {
- safeClose(conn);
- }
- Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", 0, testSubscriber.count);
- }
-
- /**
- * Submit invalid topic
- * @throws Exception
- */
- @Test
- public void testPubSubInvalidTopic() throws Exception {
- String[] invalid_topics = { "invalid_topic_1", "invalid_topic_2", "invalid_topic_3" };
- for (String topic : invalid_topics) {
- URL url = new URL(String.format(REQUEST_URL, topic, "message"));
- HttpURLConnection conn = null;
- try {
- conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
- } finally {
- safeClose(conn);
- }
- Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", 0, testSubscriber.count);
- }
- }
-
- /**
- * Submit topic that has no subscribers.
- * @throws Exception
- */
- @Test
- public void testPubSubNonSubscribedTopic() throws Exception {
- // At this point all valid Topic values have been subscribed to
- // in before() method.
- // Unsubscribe from one topic and then try publishing to it.
- PubSub.getInstance().unsubscribe(Topic.HDFS_SYNC_HMS, testSubscriber);
- Assert.assertEquals("Unexpected number of registered topics", topics.length-1, PubSub.getInstance().getTopics().size());
-
- URL url = new URL(String.format(REQUEST_URL, Topic.HDFS_SYNC_HMS.getName(), "message"));
- HttpURLConnection conn = null;
- try {
- conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
- } finally {
- safeClose(conn);
- }
- // re-subscribe, not to upset after() method which expects all topics to be subscribed to
- PubSub.getInstance().subscribe(Topic.HDFS_SYNC_HMS, testSubscriber);
- }
-
- private static void safeClose(HttpURLConnection conn) {
- if (conn != null) {
- try {
- conn.disconnect();
- } catch (Exception ignore) {
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java
deleted file mode 100644
index 3deadab..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java
+++ /dev/null
@@ -1,214 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-import static org.junit.Assert.assertEquals;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- @Test
- public void testCreateRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.dropRole(requestorUserName, roleName);
- }
-
- @Test
- public void testQueryPushDown() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- String group1 = "g1";
- String group2 = "g2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
- client.grantRoleToGroup(requestorUserName, group1, roleName2);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, null);
- assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, new ArrayList<Authorizable>());
- assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
- assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
- assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
- assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
- assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
-
- Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
- assertEquals("Privilege not correctly assigned to roles !!",
- Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"),
- listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1"));
- assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
- }
-
-
-
- /**
- * Create role, add privileges and grant it to a group drop the role and
- * verify the privileges are no longer visible recreate the role with same
- * name and verify the privileges again.
- * @throws Exception
- */
- @Test
- public void testDropRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
-
- // create role and add privileges
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
- assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // drop role and verify privileges
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // recreate the role
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // grant different privileges and verify
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- }
-
- @Test
- public void testDropRoleOnUser() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- Set<String> requestorUserNames = Sets.newHashSet(ADMIN_USER);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
-
- // create role and add privileges
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.grantRoleToUser(requestorUserName, ADMIN_USER, roleName);
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
- assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // drop role and verify privileges
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // recreate the role
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // grant different privileges and verify
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java
deleted file mode 100644
index 6c88955..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import static org.junit.Assert.assertTrue;
-
-import java.security.PrivilegedExceptionAction;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.FutureTask;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.service.thrift.SentryServiceFactory;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestSentryServiceClientPool extends SentryServiceIntegrationBase {
-
- @Test
- public void testConnectionWhenReconnect() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.listAllRoles(requestorUserName);
- stopSentryService();
- server = SentryServiceFactory.create(conf);
- startSentryService();
- client.listAllRoles(requestorUserName);
- client.dropRole(requestorUserName, roleName);
- }
- });
- }
-
- @Test
- public void testConnectionWithMultipleRetries() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- List<Future<Boolean>> tasks = new ArrayList<Future<Boolean>>();
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- ExecutorService executorService = Executors.newFixedThreadPool(20);
-
- Callable<Boolean> func = new Callable<Boolean>() {
- public Boolean call() throws Exception {
- return clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() {
- @Override
- public Boolean run() throws Exception {
- try {
- client.listAllRoles(ADMIN_USER);
- return true;
- } catch (SentryUserException sue) {
- return false;
- }
- }
- });
- }
- };
-
- for (int i = 0; i < 30; i++) {
- FutureTask<Boolean> task = new FutureTask<Boolean>(func);
- tasks.add(task);
- executorService.submit(task);
- }
-
- for (Future<Boolean> task : tasks) {
- Boolean result = task.get();
- assertTrue("Some tasks are failed.", result);
- }
- }
- });
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
deleted file mode 100644
index fa67f27..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Strings;
-
-public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
- private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
- private static final String PEER_CALLBACK_FAILURE = "Peer indicated failure: Problem with callback handler";
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- beforeSetup();
- setupConf();
- conf.set(ServerConfig.ALLOW_CONNECT, "");
- startSentryService();
- afterSetup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- @Test
- public void testClientServerConnectionFailure() throws Exception {
- try {
- connectToSentryService();
- String requestorUserName = ADMIN_USER;
- client.listAllRoles(requestorUserName);
- Assert.fail("Failed to receive Exception");
- } catch(Exception e) {
- LOGGER.info("Excepted exception", e);
- Throwable cause = e.getCause();
- if (cause == null) {
- throw e;
- }
- String msg = "Exception message: " + cause.getMessage();
- Assert.assertTrue(msg, Strings.nullToEmpty(cause.getMessage())
- .contains(PEER_CALLBACK_FAILURE));
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
deleted file mode 100644
index aa156f2..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import org.junit.BeforeClass;
-
-public class TestSentryServiceForPoolWithKerberos extends TestSentryServiceWithKerberos {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
deleted file mode 100644
index cf1fdab..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
+++ /dev/null
@@ -1,751 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.api.service.thrift;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-public class TestSentryServiceImportExport extends SentryServiceIntegrationBase {
-
- // define the privileges
- public static String PRIVILIEGE1 = "server=server1";
- public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false";
- public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true";
- public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert";
- public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert";
- public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true";
- public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true";
- public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert";
- public static String PRIVILIEGE9 = "server=server1->db=db2->table=tbl1->action=insert";
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- setupConf();
- startSentryService();
- }
-
- @Before
- public void preparePolicyFile() throws Exception {
- super.before();
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- }
-
- // Befor import, database is empty.
- // The following information is imported:
- // group1=role1,role2,role3
- // group2=role1,role2,role3
- // group3=role1,role2,role3
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importPolicy and export API exportPoicy are tested.
- @Test
- public void testImportExportPolicy1() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
- groupRolesMap.put("group1", roles);
- groupRolesMap.put("group2", roles);
- groupRolesMap.put("group3", roles);
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- for (String roleName : roles) {
- rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
- PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- }
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
- client.importPolicy(policyFileMappingData, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData,
- policyFileMappingData);
- }
- });
- }
-
- // call import twice, and there has no duplicate data:
- // The data for 1st import:
- // group1=role1
- // role1=privilege1,privilege2,privilege3,privilege4
- // The data for 2nd import:
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege5,privilege6,privilege7,privilege8
- // role3=privilege5,privilege6,privilege7,privilege8
- // Both import API importPolicy and export API exportPoicy are tested.
- @Test
- public void testImportExportPolicy2() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2",
- Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- rolePrivilegesMap2.put("role3",
- Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- // for exceptedMappingData, combine policyFileMappingData1 and policyFileMappingData2
- exceptedMappingData.put(PolicyFileConstants.GROUPS,
- policyFileMappingData1.get(PolicyFileConstants.GROUPS));
- exceptedMappingData.get(PolicyFileConstants.GROUPS).putAll(
- policyFileMappingData2.get(PolicyFileConstants.GROUPS));
- exceptedMappingData.put(PolicyFileConstants.ROLES,
- policyFileMappingData1.get(PolicyFileConstants.ROLES));
- exceptedMappingData.get(PolicyFileConstants.ROLES).putAll(
- policyFileMappingData2.get(PolicyFileConstants.ROLES));
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // Call import twice, and there has overlapping groups
- // The data for 1st import:
- // group1=role1, role2
- // group2=role1, role2
- // group3=role1, role2
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5
- // The data for 2nd import:
- // group1=role2,role3
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importPolicy and export API exportPoicy are tested.
- @Test
- public void testImportExportPolicy3() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- rolePrivilegesMap2.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
- PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedPrivilegesMap.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // Only mapping data for [group,role] is imported:
- // group1=role1,role2
- @Test
- public void testImportExportPolicy4() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Set<String> roles = Sets.newHashSet("role1", "role2");
- groupRolesMap.put("group1", roles);
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
- client.importPolicy(policyFileMappingData, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData,
- policyFileMappingData);
- }
- });
- }
-
- // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
- // The data for 1st import:
- // group1=role1
- // role1=privilege1
- // The data for 2nd import:
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege2
- // role3=privilege2
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy5() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1", Sets.newHashSet(PRIVILIEGE1));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2", Sets.newHashSet(PRIVILIEGE2));
- rolePrivilegesMap2.put("role3", Sets.newHashSet(PRIVILIEGE2));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
- exceptedRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1", Sets.newHashSet(PRIVILIEGE1));
- exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE2));
- exceptedPrivilegesMap.put("role3", Sets.newHashSet(PRIVILIEGE2));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // call import twice, and there has data overlap, the import will be with the overwrite mode:
- // The data for 1st import:
- // group1=role1, role2
- // group2=role1, role2
- // group3=role1, role2
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5
- // The data for 2nd import:
- // group1=role2,role3
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy6() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- rolePrivilegesMap2.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- exceptedPrivilegesMap.put("role2",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedPrivilegesMap.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // test the import privileges with the action: All, *, select, insert
- // All and * should replace the select and insert
- // The data for import:
- // group1=role1, role2
- // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
- // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
- @Test
- public void testImportExportPolicy7() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
- String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=false";
- String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
- String testPrivilege4 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
- String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
- String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=false";
- String testPrivilege7 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
- String testPrivilege8 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
-
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
- exceptedPrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // Call import twice, and there has overlapping actions, all and * should replace the select and
- // insert
- // The data for 1st import:
- // group1=role1, role2
- // role1=privilege1(with select action),privilege2(with insert action)
- // role2=privilege4(with select action),privilege5(with insert action)
- // The data for 2nd import:
- // group1=role1, role2
- // role1=privilege3(with all action)
- // role2=privilege6(with * action)
- @Test
- public void testImportExportPolicy8() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
- String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
- String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
- String testPrivilege4 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
- String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
- String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
-
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1", Sets.newHashSet(testPrivilege1, testPrivilege2));
- rolePrivilegesMap1.put("role2", Sets.newHashSet(testPrivilege4, testPrivilege5));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role1", Sets.newHashSet(testPrivilege3));
- rolePrivilegesMap2.put("role2", Sets.newHashSet(testPrivilege6));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2;
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- // all and * should replace the select and insert
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // test the user not in the admin group can't do the import/export
- @Test
- public void testImportExportPolicy9() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- try {
- client.importPolicy(policyFileMappingData1, "no-admin-user", false);
- fail("non-admin can't do the import.");
- } catch (Exception e) {
- // excepted exception
- }
-
- try {
- client.exportPolicy("no-admin-user", null);
- fail("non-admin can't do the export.");
- } catch (Exception e) {
- // excepted exception
- }
- }
- });
- }
-
- // The following data is imported:
- // group1=role1
- // group2=role1,role2
- // group3=role2,role3
- // group4=role1,role2,role3
- // role1=privilege3,privilege4,privilege9
- // role2=privilege3,privilege4,privilege5,privilege6,privilege7
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
- @Test
- public void testExportPolicyWithSpecificObject() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // import the test data
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- groupRolesMap.put("group1", Sets.newHashSet("role1"));
- groupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- groupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- groupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5,
- PRIVILIEGE6, PRIVILIEGE7));
- rolePrivilegesMap1.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6,
- PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData, ADMIN_USER, true);
-
- // verify the rolePrivilegesMap and groupRolesMap with null objectPath
- Map<String, Map<String, Set<String>>> expectedMappingData = Maps.newHashMap();
- Map<String, Set<String>> expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(
- PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap with empty objectPath
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(
- PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db2
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db2");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl1");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl2
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group2", Sets.newHashSet("role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE5));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE5));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl2");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "table=tbl1");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the invalid exportObject string
- try {
- client.exportPolicy(ADMIN_USER, "invalidString");
- fail("RuntimeException should be thrown.");
- } catch (RuntimeException sue) {
- // excepted exception
- }
- }
- });
- }
-
- // Befor import, database is empty.
- // The following information is imported:
- // group1=role1,role2,role3
- // group2=role1,role2,role3
- // user1=role1,role2,role3
- // user2=role1,role2,role3
- // role1=privilege1,privilege2,privilege3,privilege4
- // role2=privilege1,privilege2,privilege3,privilege4
- // role3=privilege1,privilege2,privilege3,privilege4
- @Test
- public void testImportExportPolicyWithUser() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Map<String, Set<String>> userRolesMap = Maps.newHashMap();
- Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
- groupRolesMap.put("group1", roles);
- groupRolesMap.put("group2", roles);
- userRolesMap.put("user1", roles);
- userRolesMap.put("user2", roles);
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- for (String roleName : roles) {
- rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1,
- PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
- }
- policyFileMappingData.put(PolicyFileConstants.USER_ROLES, userRolesMap);
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
- client.importPolicy(policyFileMappingData, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> sentryMappingData =
- client.exportPolicy(ADMIN_USER, null);
- // validate the [user, role] mapping
- validateRolesMap(sentryMappingData.get(PolicyFileConstants.USER_ROLES),
- policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
- validateSentryMappingData(sentryMappingData,
- policyFileMappingData);
- }
- });
- }
-
- // verify the mapping data
- public void validateSentryMappingData(
- Map<String, Map<String, Set<String>>> actualMappingData,
- Map<String, Map<String, Set<String>>> expectedMappingData) {
- validateRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS),
- expectedMappingData.get(PolicyFileConstants.GROUPS));
- validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES),
- expectedMappingData.get(PolicyFileConstants.ROLES));
- }
-
- // verify the mapping data for [group,role] and [user,role]
- private void validateRolesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> expectedMap) {
- assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
- for (String name : actualMap.keySet()) {
- Set<String> actualRoles = actualMap.get(name);
- Set<String> expectedRoles = expectedMap.get(name);
- assertEquals(actualRoles.size(), expectedRoles.size());
- assertTrue(actualRoles.equals(expectedRoles));
- }
- }
-
- // verify the mapping data for [role,privilege]
- private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> expectedMap) {
- assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
- for (String roleName : actualMap.keySet()) {
- Set<String> actualPrivileges = actualMap.get(roleName);
- Set<String> exceptedPrivileges = expectedMap.get(roleName);
- assertEquals(exceptedPrivileges.size(), actualPrivileges.size());
- for (String actualPrivilege : actualPrivileges) {
- boolean isFound = exceptedPrivileges.contains(actualPrivilege);
- if (!isFound) {
- String withOptionPrivilege = SentryConstants.AUTHORIZABLE_JOINER.join(actualPrivilege,
- SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME,
- "false"));
- isFound = exceptedPrivileges.contains(withOptionPrivilege);
- }
- assertTrue(isFound);
- }
- }
- }
-}