You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/06/27 16:47:31 UTC
[04/17] sentry git commit: SENTRY-2282: Remove hive-authzv2 binding
and tests modules completely (Sergio Pena, reviewed by Na Li)
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
deleted file mode 100644
index 4c1cd8e..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
+++ /dev/null
@@ -1,662 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import org.junit.Assert;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-/* Tests privileges at table scope within a single database.
- */
-
-public class TestPrivilegesAtTableScope extends AbstractTestWithStaticConfiguration {
-
- private static PolicyFile policyFile;
- private final static String MULTI_TYPE_DATA_FILE_NAME = "emp.dat";
-
- @Before
- public void setup() throws Exception {
- policyFile = super.setupPolicy();
- super.setup();
- prepareDBDataForTest();
- }
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- protected static void prepareDBDataForTest() throws Exception {
- // copy data file to test dir
- File dataDir = context.getDataDir();
- File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
- statement.execute("CREATE DATABASE DB_1");
- statement.execute("USE DB_1");
-
- statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) "
- + " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + TBL1);
- statement.execute("CREATE TABLE " + TBL2 + "(B INT, A STRING) "
- + " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + TBL2);
- statement.execute("CREATE VIEW VIEW_1 AS SELECT A, B FROM " + TBL1);
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, loads data into
- * TBL1, TBL2 Admin grants SELECT on TBL1, TBL2, INSERT on TBL1 to
- * USER_GROUP of which user1 is a member.
- */
- @Test
- public void testInsertAndSelect() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab1", "select_tab2")
- .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select")
- .addPermissionsToRole("insert_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=insert")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- // test user can insert
- statement.execute("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2);
- // test user can query table
- statement.executeQuery("SELECT A FROM " + TBL2);
- // negative test: test user can't drop
- try {
- statement.execute("DROP TABLE " + TBL1);
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.close();
- connection.close();
-
- // connect as admin and drop TBL1
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- statement.execute("DROP TABLE " + TBL1);
- statement.close();
- connection.close();
-
- // negative test: connect as user1 and try to recreate TBL1
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- try {
- statement.execute("CREATE TABLE " + TBL1 + "(A STRING)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
-
- // connect as admin to restore the TBL1
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- statement.execute("USE DB_1");
- statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) "
- + " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2);
- statement.close();
- connection.close();
-
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, loads data into
- * TBL1, TBL2. Admin grants INSERT on TBL1, SELECT on TBL2 to USER_GROUP
- * of which user1 is a member.
- */
- @Test
- public void testInsert() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "insert_tab1", "select_tab2")
- .addPermissionsToRole("insert_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=insert")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // test user can execute insert on table
- statement.execute("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2);
-
- // negative test: user can't query table
- try {
- statement.executeQuery("SELECT A FROM " + TBL1);
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't query view
- try {
- statement.executeQuery("SELECT A FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test case: show tables shouldn't list VIEW_1
- ResultSet resultSet = statement.executeQuery("SHOW TABLES");
- while (resultSet.next()) {
- String tableName = resultSet.getString(1);
- assertNotNull("table name is null in result set", tableName);
- assertFalse("Found VIEW_1 in the result set",
- "VIEW_1".equalsIgnoreCase(tableName));
- }
-
- // negative test: test user can't create a new view
- try {
- statement.executeQuery("CREATE VIEW VIEW_2(A) AS SELECT A FROM " + TBL1);
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, loads data into
- * TBL1, TBL2. Admin grants SELECT on TBL1, TBL2 to USER_GROUP of which
- * user1 is a member.
- */
- @Test
- public void testSelect() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1", "select_tab2")
- .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select")
- .addPermissionsToRole("insert_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=insert")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // test user can execute query on table
- statement.executeQuery("SELECT A FROM " + TBL1);
-
- // negative test: test insert into table
- try {
- statement.executeQuery("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2);
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't query view
- try {
- statement.executeQuery("SELECT A FROM VIEW_1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't create a new view
- try {
- statement.executeQuery("CREATE VIEW VIEW_2(A) AS SELECT A FROM " + TBL1);
- Assert.fail("Expected SQL Exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1
- * loads data into TBL1, TBL2. Admin grants SELECT on TBL1,TBL2 to
- * USER_GROUP of which user1 is a member.
- */
- @Test
- public void testTableViewJoin() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1", "select_tab2")
- .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // test user can execute query TBL1 JOIN TBL2
- statement.executeQuery("SELECT T1.B FROM " + TBL1 + " T1 JOIN " + TBL2 + " T2 ON (T1.B = T2.B)");
-
- // negative test: test user can't execute query VIEW_1 JOIN TBL2
- try {
- statement.executeQuery("SELECT V1.B FROM VIEW_1 V1 JOIN " + TBL2 + " T2 ON (V1.B = T2.B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1
- * loads data into TBL1, TBL2. Admin grants SELECT on TBL2 to USER_GROUP of
- * which user1 is a member.
- */
- @Test
- public void testTableViewJoin2() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab2")
- .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // test user can execute query on TBL2
- statement.executeQuery("SELECT A FROM " + TBL2);
-
- // negative test: test user can't execute query VIEW_1 JOIN TBL2
- try {
- statement.executeQuery("SELECT VIEW_1.B FROM VIEW_1 JOIN " + TBL2 + " ON (VIEW_1.B = " + TBL2 + ".B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- // negative test: test user can't execute query TBL1 JOIN TBL2
- try {
- statement.executeQuery("SELECT " + TBL1 + ".B FROM " + TBL1 + " JOIN " + TBL2 + " ON (" + TBL1 + ".B = " + TBL2 + ".B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1
- * loads data into TBL1, TBL2. Admin grants SELECT on TBL2, VIEW_1 to
- * USER_GROUP of which user1 is a member.
- */
- @Test
- public void testTableViewJoin3() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab2", "select_view1")
- .addPermissionsToRole("select_view1", "server=server1->db=DB_1->table=VIEW_1->action=select")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // test user can execute query on TBL2
- statement.executeQuery("SELECT A FROM " + TBL2);
-
- // test user can execute query VIEW_1 JOIN TBL2
- statement.executeQuery("SELECT V1.B FROM VIEW_1 V1 JOIN " + TBL2 + " T2 ON (V1.B = T2.B)");
-
- // test user can execute query on VIEW_1
- statement.executeQuery("SELECT A FROM VIEW_1");
-
- // negative test: test user can't execute query TBL1 JOIN TBL2
- try {
- statement.executeQuery("SELECT T1.B FROM " + TBL1 + " T1 JOIN " + TBL2 + " T2 ON (T1.B = T2.B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /*
- * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1
- * loads data into TBL1, TBL2. Admin grants SELECT on TBL1, VIEW_1 to
- * USER_GROUP of which user1 is a member.
- */
- @Test
- public void testTableViewJoin4() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1", "select_view1")
- .addPermissionsToRole("select_view1", "server=server1->db=DB_1->table=VIEW_1->action=select")
- .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // test execution
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
-
- // test user can execute query VIEW_1 JOIN TBL1
- statement.executeQuery("SELECT VIEW_1.B FROM VIEW_1 JOIN " + TBL1 + " ON (VIEW_1.B = " + TBL1 + ".B)");
-
- // negative test: test user can't execute query TBL1 JOIN TBL2
- try {
- statement.executeQuery("SELECT " + TBL1 + ".B FROM " + TBL1 + " JOIN " + TBL2 + " ON (" + TBL1 + ".B = " + TBL2 + ".B)");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- statement.close();
- connection.close();
- }
-
- /***
- * Verify truncate table permissions for different users with different
- * privileges
- * @throws Exception
- */
- @Test
- public void testTruncateTable() throws Exception {
- File dataDir = context.getDataDir();
- // copy data file to test dir
- File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- statement.execute("USE " + DB1);
- statement.execute("DROP TABLE if exists " + TBL1);
- statement.execute("DROP TABLE if exists " + TBL2);
- statement.execute("DROP TABLE if exists " + TBL3);
- statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) "
- + " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("CREATE TABLE " + TBL2 + "(B INT, A STRING) "
- + " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("CREATE TABLE " + TBL3 + "(B INT, A STRING) "
- + " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath()
- + "' INTO TABLE " + TBL1);
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath()
- + "' INTO TABLE " + TBL2);
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath()
- + "' INTO TABLE " + TBL3);
-
- // verify admin can execute truncate table
- statement.execute("TRUNCATE TABLE " + TBL1);
- assertFalse(hasData(statement, TBL1));
-
- statement.close();
- connection.close();
-
- // add roles and grant permissions
- updatePolicyFile();
-
- // test truncate table without partitions
- truncateTableTests(false);
- }
-
- /***
- * Verify truncate partitioned permissions for different users with different
- * privileges
- * @throws Exception
- */
- @Test
- public void testTruncatePartitionedTable() throws Exception {
- File dataDir = context.getDataDir();
- // copy data file to test dir
- File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // create partitioned tables
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("DROP TABLE if exists " + TBL1);
- statement.execute("CREATE TABLE " + TBL1 + " (i int) PARTITIONED BY (j int)");
- statement.execute("DROP TABLE if exists " + TBL2);
- statement.execute("CREATE TABLE " + TBL2 + " (i int) PARTITIONED BY (j int)");
- statement.execute("DROP TABLE if exists " + TBL3);
- statement.execute("CREATE TABLE " + TBL3 + " (i int) PARTITIONED BY (j int)");
-
- // verify admin can execute truncate empty partitioned table
- statement.execute("TRUNCATE TABLE " + TBL1);
- assertFalse(hasData(statement, TBL1));
- statement.close();
- connection.close();
-
- // add roles and grant permissions
- updatePolicyFile();
-
- // test truncate empty partitioned tables
- truncateTableTests(false);
-
- // add partitions to tables
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("ALTER TABLE " + TBL1 + " ADD PARTITION (j=1) PARTITION (j=2)");
- statement.execute("ALTER TABLE " + TBL2 + " ADD PARTITION (j=1) PARTITION (j=2)");
- statement.execute("ALTER TABLE " + TBL3 + " ADD PARTITION (j=1) PARTITION (j=2)");
-
- // verify admin can execute truncate NOT empty partitioned table
- statement.execute("TRUNCATE TABLE " + TBL1 + " partition (j=1)");
- statement.execute("TRUNCATE TABLE " + TBL1);
- assertFalse(hasData(statement, TBL1));
- statement.close();
- connection.close();
-
- // test truncate NOT empty partitioned tables
- truncateTableTests(true);
- }
-
- /**
- * Test queries without from clause. Hive rewrites the queries with dummy db and table
- * entities which should not trip authorization check.
- * @throws Exception
- */
- @Test
- public void testSelectWithoutFrom() throws Exception {
- policyFile
- .addRolesToGroup(USERGROUP1, "all_tab1")
- .addPermissionsToRole("all_tab1",
- "server=server1->db=" + DB1 + "->table=" + TBL1)
- .addRolesToGroup(USERGROUP2, "select_tab1")
- .addPermissionsToRole("select_tab1",
- "server=server1->db=" + DB1 + "->table=" + TBL1)
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
-
- // test with implicit default database
- assertTrue(statement.executeQuery("SELECT 1 ").next());
- assertTrue(statement.executeQuery("SELECT current_database()").next());
-
- // test after switching database
- statement.execute("USE " + DB1);
- assertTrue(statement.executeQuery("SELECT 1 ").next());
- assertTrue(statement.executeQuery("SELECT current_database() ").next());
- statement.close();
- connection.close();
- }
-
- // verify that the given table has data
- private boolean hasData(Statement stmt, String tableName) throws Exception {
- ResultSet rs1 = stmt.executeQuery("SELECT * FROM " + tableName);
- boolean hasResults = rs1.next();
- rs1.close();
- return hasResults;
- }
-
- @Test
- public void testDummyPartition() throws Exception {
-
- policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- statement.execute("USE " + DB1);
-
- statement.execute("DROP TABLE if exists " + TBL1);
- statement.execute("CREATE table " + TBL1 + " (a int) PARTITIONED BY (b string, c string)");
- statement.execute("DROP TABLE if exists " + TBL3);
- statement.execute("CREATE table " + TBL3 + " (a2 int) PARTITIONED BY (b2 string, c2 string)");
- statement.close();
- connection.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tab1", "select_tab2")
- .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select")
- .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL3 + "->action=insert");
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- statement.execute("USE " + DB1);
- statement.execute("INSERT OVERWRITE TABLE " + TBL3 + " PARTITION(b2='abc', c2) select a, b as c2 from " + TBL1);
- statement.close();
- connection.close();
-
- }
-
- /**
- * update policy file for truncate table tests
- */
- private void updatePolicyFile() throws Exception{
- policyFile
- .addRolesToGroup(USERGROUP1, "all_tab1")
- .addPermissionsToRole("all_tab1",
- "server=server1->db=" + DB1 + "->table=" + TBL2)
- .addRolesToGroup(USERGROUP2, "drop_tab1")
- .addPermissionsToRole("drop_tab1",
- "server=server1->db=" + DB1 + "->table=" + TBL3 + "->action=drop",
- "server=server1->db=" + DB1 + "->table=" + TBL3 + "->action=select")
- .addRolesToGroup(USERGROUP3, "select_tab1")
- .addPermissionsToRole("select_tab1",
- "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select");
- writePolicyFile(policyFile);
- }
-
- /**
- * Test truncate table with or without partitions for users with different privileges.
- * Only test truncate table partition if truncPartition is true.
- */
- private void truncateTableTests(boolean truncPartition) throws Exception{
- Connection connection = null;
- Statement statement = null;
- try {
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // verify all privileges on table can truncate table
- if (truncPartition) {
- statement.execute("TRUNCATE TABLE " + TBL2 + " PARTITION (j=1)");
- }
- statement.execute("TRUNCATE TABLE " + TBL2);
- assertFalse(hasData(statement, TBL2));
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // verify drop privilege on table can truncate table
- if (truncPartition) {
- statement.execute("TRUNCATE TABLE " + TBL3 + " partition (j=1)");
- }
- statement.execute("TRUNCATE TABLE " + TBL3);
- assertFalse(hasData(statement, TBL3));
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // verify select privilege on table can NOT truncate table
- if (truncPartition) {
- context.assertAuthzException(
- statement, "TRUNCATE TABLE " + TBL1 + " PARTITION (j=1)");
- }
- context.assertAuthzException(statement, "TRUNCATE TABLE " + TBL1);
- } finally {
- if (statement != null) {
- statement.close();
- }
- if (connection != null) {
- connection.close();
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
deleted file mode 100644
index 6d4e8d3..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import java.sql.Connection;
-import java.sql.Statement;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestReloadPrivileges extends AbstractTestWithStaticConfiguration {
- private PolicyFile policyFile;
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Before
- public void setup() throws Exception {
- policyFile =
- PolicyFile.setAdminOnServer1(ADMINGROUP).setUserGroupMapping(
- StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
- }
-
- @Test
- public void testReload() throws Exception {
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("RELOAD");
- statement.close();
- connection.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
deleted file mode 100644
index efb588e..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
+++ /dev/null
@@ -1,429 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.hive;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-/**
- * Metadata tests for show tables and show databases. * Unlike rest of the
- * access privilege validation which is handled in semantic hooks, these
- * statements are validaed via a runtime fetch hook
- */
-public class TestRuntimeMetadataRetrieval extends AbstractTestWithStaticConfiguration {
- private PolicyFile policyFile;
- private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
- private File dataDir;
- private File dataFile;
-
- @BeforeClass
- public static void setupTestStaticConfiguration () throws Exception {
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Before
- public void setup() throws Exception {
- policyFile = super.setupPolicy();
- super.setup();
- dataDir = context.getDataDir();
- dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
- }
-
- /**
- * Steps: 1. admin create db_1 and db_1.tb_1
- * 2. admin should see all tables
- * 3. user1 should only see the tables it has any level of privilege
- */
- @Test
- public void testShowTables1() throws Exception {
- // tables visible to user1 (not access to tb_4
- String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"};
- List<String> tableNamesValidation = new ArrayList<String>();
-
- String user1TableNames[] = {"tb_1", "tb_2", "tb_3"};
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- createTabs(statement, DB1, tableNames);
- // Admin should see all tables
- ResultSet rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(tableNames));
-
- validateTables(rs, tableNamesValidation);
- statement.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "tab1_priv,tab2_priv,tab3_priv")
- .addPermissionsToRole("tab1_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[0] + "->action=select")
- .addPermissionsToRole("tab2_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[1] + "->action=insert")
- .addPermissionsToRole("tab3_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[2] + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // User1 should see tables with any level of access
- rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(user1TableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
- }
-
- /**
- * Steps: 1. admin create db_1 and tables
- * 2. admin should see all tables
- * 3. user1 should only see the all tables with db level privilege
- */
- @Test
- public void testShowTables2() throws Exception {
- // tables visible to user1 (not access to tb_4
- String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"};
- List<String> tableNamesValidation = new ArrayList<String>();
-
- String user1TableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"};
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- createTabs(statement, DB1, tableNames);
- // Admin should see all tables
- ResultSet rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(tableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db_priv")
- .addPermissionsToRole("db_priv", "server=server1->db=" + DB1)
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // User1 should see tables with any level of access
- rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(user1TableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
- }
-
- /**
- * Steps: 1. admin create db_1 and db_1.tb_1
- * 2. admin should see all tables
- * 3. user1 should only see the tables he/she has any level of privilege
- */
- @Test
- public void testShowTables3() throws Exception {
- // tables visible to user1 (not access to tb_4
- String tableNames[] = {"tb_1", "tb_2", "tb_3", "newtab_3"};
- List<String> tableNamesValidation = new ArrayList<String>();
-
- String adminTableNames[] = {"tb_3", "newtab_3", "tb_2", "tb_1"};
- String user1TableNames[] = {"newtab_3"};
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- createTabs(statement, DB1, tableNames);
- // Admin should see all tables
- ResultSet rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(adminTableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "tab_priv")
- .addPermissionsToRole("tab_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[3] + "->action=insert")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // User1 should see tables with any level of access
- rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(user1TableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
- }
-
- /**
- * Steps: 1. admin create db_1 and db_1.tb_1
- * 2. admin should see all tables
- * 3. user1 should only see the tables with db level privilege
- */
- @Test
- public void testShowTables4() throws Exception {
- String tableNames[] = {"tb_1", "tb_2", "tb_3", "newtab_3"};
- List<String> tableNamesValidation = new ArrayList<String>();
-
- String adminTableNames[] = {"tb_3", "newtab_3", "tb_1", "tb_2"};
- String user1TableNames[] = {"tb_3", "newtab_3", "tb_1", "tb_2"};
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- createTabs(statement, DB1, tableNames);
- // Admin should be able to see all tables
- ResultSet rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(adminTableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "tab_priv")
- .addPermissionsToRole("tab_priv", "server=server1->db=" + DB1)
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // User1 should see tables with any level of access
- rs = statement.executeQuery("SHOW TABLES");
- tableNamesValidation.addAll(Arrays.asList(user1TableNames));
- validateTables(rs, tableNamesValidation);
- statement.close();
- }
-
- /**
- * Steps: 1. admin creates tables in default db
- * 2. user1 shouldn't see any table when he/she doesn't have any privilege on default
- */
- @Test
- public void testShowTables5() throws Exception {
- String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"};
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- createTabs(statement, "default", tableNames);
-
- policyFile
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- // User1 should see tables with any level of access
- ResultSet rs = statement.executeQuery("SHOW TABLES");
- // user1 doesn't have access to any tables in default db
- Assert.assertFalse(rs.next());
- statement.close();
- }
-
- /**
- * Steps: 1. admin create db_1 and tb_1, tb_2, tb_3, tb_4 and table_5
- * 2. admin should see all tables except table_5 which does not match tb*
- * 3. user1 should only see the matched tables it has any level of privilege
- */
- @Test
- public void testShowTablesExtended() throws Exception {
- // tables visible to user1 (not access to tb_4
- String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4", "table_5"};
- List<String> tableNamesValidation = new ArrayList<String>();
-
- String user1TableNames[] = {"tb_1", "tb_2", "tb_3"};
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- createTabs(statement, DB1, tableNames);
-
- policyFile
- .addRolesToGroup(USERGROUP1, "tab1_priv,tab2_priv,tab3_priv")
- .addPermissionsToRole("tab1_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[0] + "->action=select")
- .addPermissionsToRole("tab2_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[1] + "->action=insert")
- .addPermissionsToRole("tab3_priv", "server=server1->db=" + DB1 + "->table="
- + tableNames[2] + "->action=select")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- // Admin should see all tables except table_5, the one does not match the pattern
- ResultSet rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
- tableNamesValidation.addAll(Arrays.asList(tableNames).subList(0, 4));
- validateTablesInRs(rs, tableNamesValidation);
- statement.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- // User1 should see tables with any level of access
- rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
- tableNamesValidation.addAll(Arrays.asList(user1TableNames));
- validateTablesInRs(rs, tableNamesValidation);
- statement.close();
- }
-
- /**
- * Steps: 1. admin create few dbs
- * 2. admin can do show databases
- * 3. users with db level permissions should only those dbs on 'show database'
- */
- @Test
- public void testShowDatabases1() throws Exception {
- List<String> dbNamesValidation = new ArrayList<String>();
- String[] dbNames = {DB1, DB2, DB3};
- String[] user1DbNames = {DB1};
-
- createDb(ADMIN1, dbNames);
- dbNamesValidation.addAll(Arrays.asList(dbNames));
- dbNamesValidation.add("default");
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- ResultSet rs = statement.executeQuery("SHOW DATABASES");
- validateDBs(rs, dbNamesValidation); // admin should see all dbs
- rs.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db1_all")
- .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- rs = statement.executeQuery("SHOW DATABASES");
- dbNamesValidation.addAll(Arrays.asList(user1DbNames));
- dbNamesValidation.add("default");
- // user should see only dbs with access
- validateDBs(rs, dbNamesValidation);
- rs.close();
- }
-
- /**
- * Steps: 1. admin create few dbs
- * 2. admin can do show databases
- * 3. users with table level permissions should should only those parent dbs on 'show
- * database'
- */
- @Test
- public void testShowDatabases2() throws Exception {
- String[] dbNames = {DB1, DB2, DB3};
- List<String> dbNamesValidation = new ArrayList<String>();
- String[] user1DbNames = {DB1, DB2};
- String tableNames[] = {"tb_1"};
-
- // verify by SQL
- // 1, 2
- createDb(ADMIN1, dbNames);
- dbNamesValidation.addAll(Arrays.asList(dbNames));
- dbNamesValidation.add("default");
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- createTabs(statement, DB1, tableNames);
- createTabs(statement, DB2, tableNames);
- ResultSet rs = statement.executeQuery("SHOW DATABASES");
- validateDBs(rs, dbNamesValidation); // admin should see all dbs
- rs.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db1_tab,db2_tab")
- .addPermissionsToRole("db1_tab", "server=server1->db=" + DB1 + "->table=tb_1->action=select")
- .addPermissionsToRole("db2_tab", "server=server1->db=" + DB2 + "->table=tb_1->action=insert")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- rs = statement.executeQuery("SHOW DATABASES");
- dbNamesValidation.addAll(Arrays.asList(user1DbNames));
- dbNamesValidation.add("default");
- // user should see only dbs with access
- validateDBs(rs, dbNamesValidation);
- rs.close();
- }
-
- // compare the table resultset with given array of table names
- private void validateDBs(ResultSet rs, List<String> dbNames)
- throws SQLException {
- while (rs.next()) {
- String dbName = rs.getString(1);
- //There might be non test related dbs in the system
- if(dbNames.contains(dbName.toLowerCase())) {
- dbNames.remove(dbName.toLowerCase());
- }
- }
- Assert.assertTrue(dbNames.toString(), dbNames.isEmpty());
- }
-
- // Create the give tables
- private void createTabs(Statement statement, String dbName,
- String tableNames[]) throws SQLException {
- for (String tabName : tableNames) {
- statement.execute("DROP TABLE IF EXISTS " + dbName + "." + tabName);
- statement.execute("create table " + dbName + "." + tabName
- + " (under_col int comment 'the under column', value string)");
- }
- }
-
- // compare the table resultset with given array of table names
- private void validateTables(ResultSet rs, List<String> tableNames) throws SQLException {
- while (rs.next()) {
- String tableName = rs.getString(1);
- Assert.assertTrue(tableName, tableNames.remove(tableName.toLowerCase()));
- }
- Assert.assertTrue(tableNames.toString(), tableNames.isEmpty());
- rs.close();
- }
-
- // compare the tables in resultset with given array of table names
- // for some hive query like 'show table extended ...', the resultset does
- // not only contains tableName (See HIVE-8109)
- private void validateTablesInRs(ResultSet rs, List<String> tableNames) throws SQLException {
- while (rs.next()) {
- String tableName = rs.getString(1);
- if (tableName.startsWith("tableName:")) {
- Assert.assertTrue("Expected table " + tableName.substring(10),
- tableNames.remove(tableName.substring(10).toLowerCase()));
- }
- }
- Assert.assertTrue(tableNames.toString(), tableNames.isEmpty());
- rs.close();
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
deleted file mode 100644
index 017adea..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
+++ /dev/null
@@ -1,529 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.Statement;
-
-import org.apache.hadoop.fs.Path;
-import org.apache.sentry.core.common.utils.PolicyFiles;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-public class TestSandboxOps extends AbstractTestWithStaticConfiguration {
- private PolicyFile policyFile;
- private File dataFile;
- private String loadData;
- private static final String DB2_POLICY_FILE = "db2-policy-file.ini";
-
-
- @Before
- public void setup() throws Exception {
- policyFile = super.setupPolicy();
- super.setup();
- dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
- loadData = "server=server1->uri=file://" + dataFile.getPath();
- }
-
- private PolicyFile addTwoUsersWithAllDb() throws Exception {
- policyFile
- .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
- .addPermissionsToRole("db2_all", "server=server1->db=" + DB2)
- .addRolesToGroup(USERGROUP1, "db1_all", "db2_all");
- return policyFile;
- }
- /**
- * Tests to ensure that users with all@db can create tables
- * and that they cannot create databases or load data
- */
- @Test
- public void testDbPrivileges() throws Exception {
- String[] dbs = new String[] { DB1, DB2 };
- for (String dbName : dbs) {
- createDb(ADMIN1, dbName);
- }
-
- addTwoUsersWithAllDb();
- writePolicyFile(policyFile);
-
- for (String user : new String[] { USER1_1, USER1_2 }) {
- for (String dbName : dbs) {
- Connection userConn = context.createConnection(user);
- String tabName = user + "_tab1";
- Statement userStmt = context.createStatement(userConn);
- // Positive case: test user1 and user2 has
- // permissions to access db1 and db2
- userStmt.execute("use " + dbName);
- userStmt.execute("create table " + tabName + " (id int)");
- context.assertAuthzException(userStmt, "load data local inpath '" + dataFile + "' into table " + tabName);
- assertTrue(userStmt.execute("select * from " + tabName));
- // negative users cannot create databases
- context.assertAuthzException(userStmt, "CREATE DATABASE " + DB3);
- userStmt.close();
- userConn.close();
- }
- }
- }
-
- /**
- * Test Case 2.11 admin user create a new database DB_1 and grant ALL to
- * himself on DB_1 should work
- */
- @Test
- public void testAdminDbPrivileges() throws Exception {
- Connection adminCon = context.createConnection(ADMIN1);
- Statement adminStmt = context.createStatement(adminCon);
- adminStmt.execute("use default");
- adminStmt.execute("CREATE DATABASE " + DB1);
-
- // access the new databases
- adminStmt.execute("use " + DB1);
- String tabName = "admin_tab1";
- adminStmt.execute("create table " + tabName + "(c1 string)");
- adminStmt.execute("load data local inpath '" + dataFile.getPath() + "' into table "
- + tabName);
- adminStmt.execute("select * from " + tabName);
- }
-
- /**
- * Test Case 2.16 admin user create a new database DB_1 create TABLE_1 and
- * TABLE_2 (same schema) in DB_1 admin user grant SELECT, INSERT to user1's
- * group on TABLE_2 negative test case: user1 try to do following on TABLE_1
- * will fail: --insert overwrite TABLE_2 select * from TABLE_1
- */
- @Test
- public void testNegativeUserDMLPrivileges() throws Exception {
- Connection adminCon = context.createConnection(ADMIN1);
- Statement adminStmt = context.createStatement(adminCon);
- adminStmt.execute("use default");
- adminStmt.execute("CREATE DATABASE " + DB1);
- adminStmt.execute("use " + DB1);
- adminStmt.execute("create table table_1 (id int)");
- adminStmt.execute("create table table_2 (id int)");
- adminStmt.close();
- adminCon.close();
-
- policyFile
- .addPermissionsToRole("db1_tab2_all", "server=server1->db=" + DB1 + "->table=table_2")
- .addRolesToGroup(USERGROUP1, "db1_tab2_all");
- writePolicyFile(policyFile);
-
- Connection userConn = context.createConnection(USER1_1);
- Statement userStmt = context.createStatement(userConn);
- userStmt.execute("use " + DB1);
- // user1 doesn't have select privilege on table_1, so insert/select should fail
- context.assertAuthzException(userStmt, "insert overwrite table table_2 select * from table_1");
- context.assertAuthzException(userStmt, "insert overwrite directory '" + baseDir.getPath() + "' select * from table_1");
- userConn.close();
- userStmt.close();
- }
-
- /**
- * Test Case 2.17 Execution steps a) Admin user creates a new database DB_1,
- * b) Admin user grants ALL on DB_1 to group GROUP_1 c) User from GROUP_1
- * creates table TAB_1, TAB_2 in DB_1 d) Admin user grants SELECT on TAB_1 to
- * group GROUP_2
- *
- * 1) verify users from GROUP_2 have only SELECT privileges on TAB_1. They
- * shouldn't be able to perform any operation other than those listed as
- * requiring SELECT in the privilege model.
- *
- * 2) verify users from GROUP_2 can't perform queries involving join between
- * TAB_1 and TAB_2.
- *
- * 3) verify users from GROUP_1 can't perform operations requiring ALL @
- * SERVER scope. Refer to list
- */
- @Test
- public void testNegUserPrivilegesAll() throws Exception {
- // create dbs
- Connection adminCon = context.createConnection(ADMIN1);
- Statement adminStmt = context.createStatement(adminCon);
- adminStmt.execute("use default");
- adminStmt.execute("CREATE DATABASE " + DB1);
- adminStmt.execute("use " + DB1);
- adminStmt.execute("create table table_1 (name string)");
- adminStmt.execute("load data local inpath '" + dataFile.getPath() + "' into table table_1");
- adminStmt.execute("create table table_2 (name string)");
- adminStmt.execute("load data local inpath '" + dataFile.getPath() + "' into table table_2");
- adminStmt.execute("create view v1 AS select * from table_1");
- adminStmt.execute("create table table_part_1 (name string) PARTITIONED BY (year INT)");
- adminStmt.execute("ALTER TABLE table_part_1 ADD PARTITION (year = 2012)");
- adminStmt.execute("ALTER TABLE table_1 SET TBLPROPERTIES (\"createTime\"=\"1375824555\")");
- adminStmt.close();
- adminCon.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "db1_all")
- .addRolesToGroup(USERGROUP2, "db1_tab1_select")
- .addPermissionsToRole("db1_tab1_select", "server=server1->db="+ DB1 + "->table=table_1->action=select")
- .addPermissionsToRole("db1_all", "server=server1->db=" + DB1);
- writePolicyFile(policyFile);
-
- Connection userConn = context.createConnection(USER2_1);
- Statement userStmt = context.createStatement(userConn);
- userStmt.execute("use " + DB1);
-
- context.assertAuthzException(userStmt, "alter table table_2 add columns (id int)");
- context.assertAuthzException(userStmt, "drop database " + DB1);
- context.assertAuthzException(userStmt, "CREATE INDEX x ON TABLE table_1(name) AS 'org.apache.hadoop.hive.ql.index.compact.CompactIndexHandler'");
- context.assertAuthzException(userStmt, "CREATE TEMPORARY FUNCTION strip AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
- context.assertAuthzException(userStmt, "create table foo(id int)");
- context.assertAuthzException(userStmt, "create table c_tab_2 as select * from table_2"); // no select or create privilege
- context.assertAuthzException(userStmt, "create table c_tab_1 as select * from table_1"); // no create privilege
- context.assertAuthzException(userStmt, "ALTER DATABASE " + DB1 + " SET DBPROPERTIES ('foo' = 'bar')");
- context.assertAuthzException(userStmt, "ALTER VIEW v1 SET TBLPROPERTIES ('foo' = 'bar')");
- context.assertAuthzException(userStmt, "DROP VIEW IF EXISTS v1");
- context.assertAuthzException(userStmt, "create table table_5 (name string)");
- context.assertAuthzException(userStmt, "ALTER TABLE table_1 RENAME TO table_99");
- context.assertAuthzException(userStmt, "insert overwrite table table_2 select * from table_1");
- context.assertAuthzException(userStmt, "ALTER TABLE table_part_1 ADD IF NOT EXISTS PARTITION (year = 2012)");
- context.assertAuthzException(userStmt, "ALTER TABLE table_part_1 PARTITION (year = 2012) SET LOCATION '" + baseDir.getPath() + "'");
- context.assertAuthzException(userStmt, "ALTER TABLE table_1 SET TBLPROPERTIES (\"createTime\"=\"1375824555\")");
- }
-
- /**
- * Steps:
- * 1. admin user create databases, DB_1 and DB_2, no table or other
- * object in database
- * 2. admin grant all to user1's group on DB_1 and DB_2
- * positive test case:
- * a)user1 has the privilege to create table, load data,
- * drop table, create view, insert more data on both databases
- * b) user1 can switch between DB_1 and DB_2 without
- * exception negative test case:
- * c) user1 cannot drop database
- * 3. admin remove all to group1 on DB_2
- * positive test case:
- * d) user1 has the privilege to create view on tables in DB_1
- * negative test case:
- * e) user1 cannot create view on tables in DB_1 that select
- * from tables in DB_2
- * 4. admin grant select to group1 on DB_2.ta_2
- * positive test case:
- * f) user1 has the privilege to create view to select from
- * DB_1.tb_1 and DB_2.tb_2
- * negative test case:
- * g) user1 cannot create view to select from DB_1.tb_1
- * and DB_2.tb_3
- * @throws Exception
- */
- @Test
- public void testSandboxOpt9() throws Exception {
- createDb(ADMIN1, DB1, DB2);
-
- policyFile
- .addPermissionsToRole(GROUP1_ROLE, ALL_DB1, ALL_DB2, loadData)
- .addRolesToGroup(USERGROUP1, GROUP1_ROLE);
- writePolicyFile(policyFile);
-
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
-
- // a
- statement.execute("USE " + DB1);
- createTable(USER1_1, DB1, dataFile, TBL1);
- statement.execute("DROP VIEW IF EXISTS " + VIEW1);
- statement.execute("CREATE VIEW " + VIEW1 + " (value) AS SELECT value from " + TBL1 + " LIMIT 10");
-
- createTable(USER1_1, DB2, dataFile, TBL2, TBL3);
- // d
- statement.execute("USE " + DB1);
- policyFile.removePermissionsFromRole(GROUP1_ROLE, ALL_DB2);
- writePolicyFile(policyFile);
- // e
- // create db1.view1 as select from db2.tbl2
- statement.execute("DROP VIEW IF EXISTS " + VIEW2);
- context.assertAuthzException(statement, "CREATE VIEW " + VIEW2 +
- " (value) AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10");
- // create db1.tbl2 as select from db2.tbl2
- statement.execute("DROP TABLE IF EXISTS " + TBL2);
- context.assertAuthzException(statement, "CREATE TABLE " + TBL2 +
- " AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10");
- context.assertAuthzException(statement, "CREATE TABLE " + DB2 + "." + TBL2 +
- " AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10");
-
- // f
- policyFile.addPermissionsToRole(GROUP1_ROLE, SELECT_DB2_TBL2);
- writePolicyFile(policyFile);
- statement.execute("DROP VIEW IF EXISTS " + VIEW2);
- statement.execute("CREATE VIEW " + VIEW2
- + " (value) AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10");
-
- // g
- statement.execute("DROP VIEW IF EXISTS " + VIEW3);
- context.assertAuthzException(statement, "CREATE VIEW " + VIEW3
- + " (value) AS SELECT value from " + DB2 + "." + TBL3 + " LIMIT 10");
- statement.close();
- connection.close();
- }
-
- /**
- * Tests select on table with index.
- *
- * Steps:
- * 1. admin user create a new database DB_1
- * 2. admin create TABLE_1 in DB_1
- * 3. admin create INDEX_1 for COLUMN_1 in TABLE_1 in DB_1
- * 4. admin user grant INSERT and SELECT to user1's group on TABLE_1
- *
- * negative test case:
- * a) user1 try to SELECT * FROM TABLE_1 WHERE COLUMN_1 == ...
- * should NOT work
- * b) user1 should not be able to check the list of view or
- * index in DB_1
- * @throws Exception
- */
- @Test
- public void testSandboxOpt13() throws Exception {
- createDb(ADMIN1, DB1);
- createTable(ADMIN1, DB1, dataFile, TBL1);
- createTable(ADMIN1, DB1, dataFile, TBL2);
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("DROP INDEX IF EXISTS " + INDEX1 + " ON " + TBL1);
- statement.execute("CREATE INDEX " + INDEX1 + " ON TABLE " + TBL1
- + " (under_col) as 'COMPACT' WITH DEFERRED REBUILD");
- statement.close();
- connection.close();
-
- // unrelated permission to allow user1 to connect to db1
- policyFile
- .addPermissionsToRole(GROUP1_ROLE, SELECT_DB1_TBL2)
- .addRolesToGroup(USERGROUP1, GROUP1_ROLE);
- writePolicyFile(policyFile);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- context.assertAuthzException(statement, "SELECT * FROM " + TBL1 + " WHERE under_col == 5");
- context.assertAuthzException(statement, "SHOW INDEXES ON " + TBL1);
- policyFile.addPermissionsToRole(GROUP1_ROLE, SELECT_DB1_TBL1, INSERT_DB1_TBL1, loadData);
- writePolicyFile(policyFile);
- statement.execute("USE " + DB1);
- assertTrue(statement.execute("SELECT * FROM " + TBL1 + " WHERE under_col == 5"));
- assertTrue(statement.execute("SHOW INDEXES ON " + TBL1));
- }
-
- /**
- * Steps:
- * 1. Admin user creates a new database DB_1
- * 2. Admin user grants ALL on DB_1 to group GROUP_1
- * 3. User from GROUP_1 creates table TAB_1, TAB_2 in DB_1
- * 4. Admin user grants SELECT/INSERT on TAB_1 to group GROUP_2
- * a) verify users from GROUP_2 have only SELECT/INSERT
- * privileges on TAB_1. They shouldn't be able to perform
- * any operation other than those listed as
- * requiring SELECT in the privilege model.
- * b) verify users from GROUP_2 can't perform queries
- * involving join between TAB_1 and TAB_2.
- * c) verify users from GROUP_1 can't perform operations
- * requiring ALL @SERVER scope:
- * *) create database
- * *) drop database
- * *) show databases
- * *) show locks
- * *) execute ALTER TABLE .. SET LOCATION on a table in DB_1
- * *) execute ALTER PARTITION ... SET LOCATION on a table in DB_1
- * *) execute CREATE EXTERNAL TABLE ... in DB_1
- * *) execute ADD JAR
- * *) execute a query with TRANSOFORM
- * @throws Exception
- */
- @Test
- public void testSandboxOpt17() throws Exception {
- createDb(ADMIN1, DB1);
- createTable(ADMIN1, DB1, dataFile, TBL1, TBL2);
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1", "load_data")
- .addRolesToGroup(USERGROUP2, "select_tb1")
- .addPermissionsToRole("select_tb1", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("load_data", "server=server1->uri=file://" + dataFile.toString());
- writePolicyFile(policyFile);
-
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- // c
- statement.execute("USE " + DB1);
- context.assertAuthzException(statement, "CREATE DATABASE " + DB3);
- ResultSet rs = statement.executeQuery("SHOW DATABASES");
- assertTrue(rs.next());
- assertEquals(DB1, rs.getString(1));
- context.assertAuthzException(statement, "ALTER TABLE " + TBL1 +
- " ADD PARTITION (value = 10) LOCATION '" + dataDir.getPath() + "'");
- context.assertAuthzException(statement, "ALTER TABLE " + TBL1
- + " PARTITION (value = 10) SET LOCATION '" + dataDir.getPath() + "'");
- context.assertAuthzException(statement, "CREATE EXTERNAL TABLE " + TBL3
- + " (under_col int, value string) LOCATION '" + dataDir.getPath() + "'");
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
-
- // a
- statement.execute("USE " + DB1);
- context.assertAuthzException(statement, "SELECT * FROM TABLE " + TBL2 + " LIMIT 10");
- context.assertAuthzException(statement, "EXPLAIN SELECT * FROM TABLE " + TBL2 + " WHERE under_col > 5 LIMIT 10");
- context.assertAuthzException(statement, "DESCRIBE " + TBL2);
- context.assertAuthzException(statement, "LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + TBL2);
- context.assertAuthzException(statement, "analyze table " + TBL2 + " compute statistics for columns under_col, value");
- // b
- context.assertAuthzException(statement, "SELECT " + TBL1 + ".* FROM " + TBL1 + " JOIN " + TBL2 +
- " ON (" + TBL1 + ".value = " + TBL2 + ".value)");
- statement.close();
- connection.close();
- }
-
- /**
- * Positive and negative tests for INSERT OVERWRITE [LOCAL] DIRECTORY and
- * LOAD DATA [LOCAL] INPATH. EXPORT/IMPORT are handled in separate junit class.
- * Formerly testSandboxOpt18
- */
- @Test
- public void testInsertOverwriteAndLoadData() throws Exception {
- long counter = System.currentTimeMillis();
- File allowedDir = assertCreateDir(new File(baseDir,
- "test-" + (counter++)));
- File restrictedDir = assertCreateDir(new File(baseDir,
- "test-" + (counter++)));
- Path allowedDfsDir = dfs.assertCreateDir("test-" + (counter++));
- Path restrictedDfsDir = dfs.assertCreateDir("test-" + (counter++));
- //Hive needs write permissions on this local directory
- baseDir.setWritable(true, false);
-
- createDb(ADMIN1, DB1);
- createTable(ADMIN1, DB1, dataFile, TBL1);
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1", "load_data")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
- .addPermissionsToRole("load_data", "server=server1->uri=file://" + allowedDir.getPath() +
- ", server=server1->uri=file://" + allowedDir.getPath() +
- ", server=server1->uri=" + allowedDfsDir.toString());
- writePolicyFile(policyFile);
-
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("INSERT OVERWRITE LOCAL DIRECTORY 'file://" + allowedDir.getPath() + "' SELECT * FROM " + TBL1);
- statement.execute("INSERT OVERWRITE DIRECTORY '" + allowedDfsDir + "' SELECT * FROM " + TBL1);
- statement.execute("LOAD DATA LOCAL INPATH 'file://" + allowedDir.getPath() + "' INTO TABLE " + TBL1);
- statement.execute("LOAD DATA INPATH '" + allowedDfsDir + "' INTO TABLE " + TBL1);
- context.assertAuthzException(statement, "INSERT OVERWRITE LOCAL DIRECTORY 'file://" + restrictedDir.getPath() + "' SELECT * FROM " + TBL1);
- context.assertAuthzException(statement, "INSERT OVERWRITE DIRECTORY '" + restrictedDfsDir + "' SELECT * FROM " + TBL1);
- context.assertAuthzException(statement, "LOAD DATA INPATH 'file://" + restrictedDir.getPath() + "' INTO TABLE " + TBL1);
- context.assertAuthzException(statement, "LOAD DATA LOCAL INPATH 'file://" + restrictedDir.getPath() + "' INTO TABLE " + TBL1);
- statement.close();
- connection.close();
- }
-
- /**
- * test create table as with cross database ref
- * @throws Exception
- */
- @Test
- public void testSandboxOpt10() throws Exception {
- String rTab1 = "rtab_1";
- String rTab2 = "rtab_2";
-
- createDb(ADMIN1, DB1, DB2);
- createTable(ADMIN1, DB1, dataFile, TBL1);
- createTable(ADMIN1, DB2, dataFile, TBL2, TBL3);
-
- policyFile
- .addPermissionsToRole(GROUP1_ROLE, ALL_DB1, SELECT_DB2_TBL2, loadData)
- .addRolesToGroup(USERGROUP1, GROUP1_ROLE);
- writePolicyFile(policyFile);
-
- // a
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("CREATE TABLE " + rTab1 + " AS SELECT * FROM " + DB2 + "." + TBL2);
- // user1 doesn't have access to db2, so following create table as should fail
- context.assertAuthzException(statement, "CREATE TABLE " + rTab2 + " AS SELECT * FROM " + DB2 + "." + TBL3);
-
- statement.close();
- connection.close();
- }
-
- // Create per-db policy file on hdfs and global policy on local.
- @Test
- public void testPerDbPolicyOnDFS() throws Exception {
- File db2PolicyFileHandle = new File(baseDir.getPath(), DB2_POLICY_FILE);
-
- PolicyFile db2PolicyFile = new PolicyFile();
- db2PolicyFile
- .addRolesToGroup(USERGROUP2, "select_tbl2")
- .addPermissionsToRole("select_tbl2", "server=server1->db=" + DB2 + "->table=tbl2->action=select")
- .write(db2PolicyFileHandle);
- PolicyFiles.copyFilesToDir(fileSystem, dfs.getBaseDir(), db2PolicyFileHandle);
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- statement.execute("CREATE TABLE tbl1(B INT, A STRING) " +
- " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE tbl1");
- statement.execute("CREATE DATABASE " + DB2);
- statement.execute("USE " + DB2);
- statement.execute("CREATE TABLE tbl2(B INT, A STRING) " +
- " row format delimited fields terminated by '|' stored as textfile");
- statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE tbl2");
- statement.close();
- connection.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "select_tbl1")
- .addRolesToGroup(USERGROUP2, "select_tbl2")
- .addPermissionsToRole("select_tbl1", "server=server1->db=" + DB1 + "->table=tbl1->action=select")
- .addDatabase(DB2, dfs.getBaseDir().toUri().toString() + "/" + DB2_POLICY_FILE);
- writePolicyFile(policyFile);
-
- // test per-db file for db2
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- // test user2 can use db2
- statement.execute("USE " + DB2);
- statement.execute("select * from tbl2");
-
- statement.close();
- connection.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
deleted file mode 100644
index f1fd15e..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.junit.Assert;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Resources;
-
-public class TestSentryOnFailureHookLoading extends AbstractTestWithHiveServer {
-
- private Context context;
- private PolicyFile policyFile;
-
- Map<String, String > testProperties;
- private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
-
- @Before
- public void setup() throws Exception {
- testProperties = new HashMap<String, String>();
- testProperties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
- DummySentryOnFailureHook.class.getName());
- testProperties.put(HiveConf.ConfVars.METASTORE_AUTO_CREATE_ALL.varname, "true");
- policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
- }
-
- @After
- public void teardown() throws Exception {
- if (context != null) {
- context.close();
- }
- }
-
- /* Admin creates database DB_2
- * user1 tries to drop DB_2, but it has permissions for DB_1.
- */
- @Test
- public void testOnFailureHookLoading() throws Exception {
-
- // Do not run this test if run with external HiveServer2
- // This test checks for a static member, which will not
- // be set if HiveServer2 and the test run in different JVMs
- String hiveServer2Type = System.getProperty(
- HiveServerFactory.HIVESERVER2_TYPE);
- if (hiveServer2Type != null &&
- !HiveServerFactory.isInternalServer(HiveServerFactory.HiveServer2Type
- .valueOf(hiveServer2Type.trim()))) {
- return;
- }
-
- context = createContext(testProperties);
-
- File dataDir = context.getDataDir();
- //copy data file to test dir
- File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1", "load_data")
- .addPermissionsToRole("all_db1", "server=server1->db=DB_1")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping())
- .write(context.getPolicyFile());
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE");
- statement.execute("CREATE DATABASE DB_1");
- statement.execute("CREATE DATABASE DB_2");
- statement.close();
- connection.close();
-
- // test execution
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- //negative test case: user can't drop another user's database
- assertFalse(DummySentryOnFailureHook.invoked);
- try {
- statement.execute("DROP DATABASE DB_2 CASCADE");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- assertTrue(DummySentryOnFailureHook.invoked);
- }
-
- statement.close();
- connection.close();
-
- //test cleanup
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- statement.execute("DROP DATABASE DB_1 CASCADE");
- statement.execute("DROP DATABASE DB_2 CASCADE");
- statement.close();
- connection.close();
- context.close();
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
deleted file mode 100644
index f489b63..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.hive;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.Map;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.binding.hive.v2.HiveAuthzBindingSessionHookV2;
-import org.apache.sentry.binding.hive.v2.SentryAuthorizerFactory;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.Maps;
-
-public class TestServerConfiguration extends AbstractTestWithHiveServer {
-
- // Context is created inside individual test cases, because the
- // test cases for server configuration are properties based.
- private static Context context;
- private static Map<String, String> properties;
- private PolicyFile policyFile;
-
- @Before
- public void setupPolicyFile() throws Exception {
- properties = Maps.newHashMap();
- properties.put(HiveConf.ConfVars.METASTORE_AUTO_CREATE_ALL.varname, "true");
- policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
- }
-
- @After
- public void tearDown() throws Exception {
- if(context != null) {
- context.close();
- }
-
- if(hiveServer != null) {
- hiveServer.shutdown();
- hiveServer = null;
- }
- }
-
- /**
- * hive.server2.enable.impersonation must be disabled
- */
- @Test
- public void testImpersonationIsDisabled() throws Exception {
- properties.put(HiveServerFactory.ACCESS_TESTING_MODE, "false");
- properties.put("hive.server2.enable.impersonation", "true");
- verifyInvalidConfigurationException(properties);
- }
-
- /**
- * hive.server2.authentication must be set to LDAP or KERBEROS
- */
- @Test
- public void testAuthenticationIsStrong() throws Exception {
- properties.put(HiveServerFactory.ACCESS_TESTING_MODE, "false");
- properties.put("hive.server2.authentication", "NONE");
- verifyInvalidConfigurationException(properties);
- }
-
- private void verifyInvalidConfigurationException(Map<String, String> properties) throws Exception{
- context = createContext(properties);
- policyFile
- .setUserGroupMapping(StaticUserGroup.getStaticMapping())
- .write(context.getPolicyFile());
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- try {
- statement.execute("create table test (a string)");
- Assert.fail("Expected SQLException");
- } catch (SQLException e) {
- context.verifyInvalidConfigurationException(e);
- } finally {
- if (context != null) {
- context.close();
- }
- }
- }
-
- /**
- * Test removal of policy file
- */
- @Test
- public void testRemovalOfPolicyFile() throws Exception {
- context = createContext(properties);
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- try {
- statement.execute("DROP TABLE IF EXISTS test CASCADE");
- statement.execute("create table test (a string)");
- Assert.fail("Expected SQLException");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- }
-
- /**
- * Test corruption of policy file
- */
- @Test
- public void testCorruptionOfPolicyFile() throws Exception {
- context = createContext(properties);
- File policyFile = context.getPolicyFile();
- FileOutputStream out = new FileOutputStream(policyFile);
- out.write("this is not valid".getBytes(Charsets.UTF_8));
- out.close();
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- try {
- statement.execute("DROP TABLE IF EXISTS test CASCADE");
- statement.execute("create table test (a string)");
- Assert.fail("Expected SQLException");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- }
-
- @Test
- public void testAddDeleteDFSRestriction() throws Exception {
- context = createContext(properties);
- policyFile
- .addRolesToGroup(USERGROUP1, "all_db1")
- .addRolesToGroup(USERGROUP2, "select_tb1")
- .addPermissionsToRole("select_tb1", "server=server1->db=db_1->table=tbl_1->action=select")
- .addPermissionsToRole("all_db1", "server=server1->db=db_1")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping())
- .write(context.getPolicyFile());
-
- Connection connection = context.createConnection(USER1_1);
- Statement statement = context.createStatement(connection);
-
- // disallow external executables. The external.exec is set to false by session hooks
- context.assertAuthzException(statement, "ADD JAR /usr/lib/hive/lib/hbase.jar");
- context.assertAuthzException(statement, "ADD FILE /tmp/tt.py");
- context.assertAuthzException(statement, "DFS -ls");
- context.assertAuthzException(statement, "DELETE JAR /usr/lib/hive/lib/hbase.jar");
- context.assertAuthzException(statement, "DELETE FILE /tmp/tt.py");
- statement.close();
- connection.close();
- }
-
- /**
- * Test that the required access configs are set by session hook
- */
- @Test
- public void testAccessConfigRestrictions() throws Exception {
- context = createContext(properties);
- policyFile
- .setUserGroupMapping(StaticUserGroup.getStaticMapping())
- .write(context.getPolicyFile());
-
- String testUser = USER1_1;
- // verify the config is set correctly by session hook
- verifyConfig(testUser, ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true");
- verifyConfig(testUser, ConfVars.HIVE_SERVER2_ENABLE_DOAS.varname, "false");
- verifyConfig(testUser, ConfVars.HIVE_AUTHENTICATOR_MANAGER.varname,
- "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator");
- verifyConfig(testUser, ConfVars.HIVE_AUTHORIZATION_MANAGER.varname,
- SentryAuthorizerFactory.class.getName());
- verifyConfig(testUser, ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname, "true");
- verifyConfig(testUser, ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname, "set");
- verifyConfig(testUser, ConfVars.SCRATCHDIRPERMISSION.varname,
- HiveAuthzBindingSessionHookV2.SCRATCH_DIR_PERMISSIONS);
- verifyConfig(testUser, HiveConf.ConfVars.HIVE_CONF_RESTRICTED_LIST.varname,
- HiveAuthzBindingSessionHookV2.ACCESS_RESTRICT_LIST);
- verifyConfig(testUser, HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, testUser);
- }
-
- private void verifyConfig(String userName, String confVar, String expectedValue) throws Exception {
- Connection connection = context.createConnection(userName);
- Statement statement = context.createStatement(connection);
- statement.execute("set " + confVar);
- ResultSet res = statement.getResultSet();
- assertTrue(res.next());
- String configValue = res.getString(1);
- assertNotNull(configValue);
- String restrictListValues = (configValue.split("="))[1];
- assertFalse(restrictListValues.isEmpty());
- for (String restrictConfig: expectedValue.split(",")) {
- assertTrue(restrictListValues.toLowerCase().contains(restrictConfig.toLowerCase()));
- }
-
- }
-
- /**
- * Test access to default DB with explicit privilege requirement
- * Admin should be able to run use default with server level access
- * User with db level access should be able to run use default
- * User with table level access should be able to run use default
- * User with no access to default db objects, should NOT be able run use default
- * @throws Exception
- */
- @Test
- public void testDefaultDbRestrictivePrivilege() throws Exception {
- properties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "true");
- context = createContext(properties);
-
- policyFile
- .addRolesToGroup(USERGROUP1, "all_default")
- .addRolesToGroup(USERGROUP2, "select_default")
- .addRolesToGroup(USERGROUP3, "all_db1")
- .addPermissionsToRole("all_default", "server=server1->db=default")
- .addPermissionsToRole("select_default", "server=server1->db=default->table=tab_2->action=select")
- .addPermissionsToRole("all_db1", "server=server1->db=DB_1")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping())
- .write(context.getPolicyFile());
-
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("use default");
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("use default");
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("use default");
-
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- try {
- // user3 doesn't have any implicit permission for default
- statement.execute("use default");
- assertFalse("user3 shouldn't be able switch to default", true);
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- context.close();
- }
-
-}