Posted to commits@sentry.apache.org by sp...@apache.org on 2018/05/29 18:06:47 UTC
[28/43] sentry git commit: SENTRY-2208: Refactor out Sentry service
into own module from sentry-provider-db (Anthony Young-Garner,
reviewed by Sergio Pena, Steve Moist, Na Li)
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
deleted file mode 100644
index 69d1623..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestDelegateSentryStore extends SentryStoreIntegrationBase{
- private static final String SEARCH = "solr";
-
- @Before
- public void configure() throws Exception {
- /**
- * add the admin user to admin groups
- */
- policyFile = new PolicyFile();
- addGroupsToUser("admin", getAdminGroups());
- writePolicyFile();
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- String roleName = "test-drop-role";
- String grantor = "grantor";
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.dropRole(SEARCH, roleName, grantor);
- }
-
- @Test
- public void testCaseInsensitiveCreateDropRole() throws Exception {
- String roleName1 = "test";
- String roleName2 = "TeSt";
- String grantor = "grantor";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- try {
- sentryStore.createRole(SEARCH, roleName2, grantor);
- fail("Fail to throw Exception");
- } catch (SentryAlreadyExistsException e) {
- //ignore the exception
- }
-
- try {
- sentryStore.dropRole(SEARCH, roleName2, grantor);
- } catch (SentryNoSuchObjectException e) {
- fail("Shouldn't throw SentryNoSuchObjectException");
- }
- }
-
- @Test(expected=Exception.class)
- public void testCreateDuplicateRole() throws Exception {
- String roleName = "test-dup-role";
- String grantor = "grantor";
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.createRole(SEARCH, roleName, grantor);
- }
-
- @Test(expected=SentryNoSuchObjectException.class)
- public void testDropNotExistRole() throws Exception {
- String roleName = "not-exist";
- String grantor = "grantor";
- sentryStore.dropRole(SEARCH, roleName, grantor);
- }
-
- @Test(expected = SentryNoSuchObjectException.class)
- public void testAddGroupsNonExistantRole()
- throws Exception {
- String roleName = "non-existant-role";
- String grantor = "grantor";
- sentryStore.alterRoleAddGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor);
- }
-
- @Test(expected = SentryNoSuchObjectException.class)
- public void testDeleteGroupsNonExistantRole()
- throws Exception {
- String roleName = "non-existant-role";
- String grantor = "grantor";
- sentryStore.alterRoleDeleteGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor);
- }
-
- @Test
- public void testAddDeleteRoleToGroups() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- Set<String> oneGroup = Sets.newHashSet("g3");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH,Sets.newHashSet(role1)));
-
- assertEquals(Sets.newHashSet(role1), sentryStore.getRolesByGroups(SEARCH, twoGroups));
-
- sentryStore.alterRoleAddGroups(SEARCH, role2, oneGroup, grantor);
- assertEquals(oneGroup, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
-
- sentryStore.alterRoleDeleteGroups(SEARCH, role1, Sets.newHashSet("g1"), grantor);
- assertEquals(Sets.newHashSet("g2"), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1)));
-
- sentryStore.alterRoleDeleteGroups(SEARCH, role2, oneGroup, grantor);
- assertEquals(Sets.newHashSet(), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
- }
-
- @Test
- public void testGetRolesByGroupNames() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
-
- assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, twoGroups));
- }
-
- @Test
- public void testGetGroupsByRoleNames() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
-
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1)));
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1,role2)));
- }
-
- @Test
- public void testGetAllRoles() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
-
- //test get all roles by groupName=null
- String groupName = null;
- Set<String> groups = Sets.newHashSet(groupName);
- assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, groups));
-
- groups.clear();
- assertEquals(0, sentryStore.getRolesByGroups(SEARCH, groups).size());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
deleted file mode 100644
index 246b2be..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
+++ /dev/null
@@ -1,1138 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-import com.google.common.collect.Lists;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.BitFieldAction;
-import org.apache.sentry.core.common.BitFieldActionFactory;
-import org.apache.sentry.core.model.solr.Collection;
-import org.apache.sentry.core.model.solr.Field;
-import org.apache.sentry.core.model.solr.SolrConstants;
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.common.ServiceConstants;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-/**
- * The test cases are used for search component The authorizables are COLLECTION and Field
- * The actions of search privilege are ALL,QUERY and UPDATE
- */
-public class TestPrivilegeOperatePersistence extends SentryStoreIntegrationBase {
- private static final String SEARCH = "solr";
- private static final String ADMIN_USER = "solr";
- private static final String GRANT_OPTION_USER = "user_grant_option";
- private static final String[] GRANT_OPTION_GROUP = { "group_grant_option" };
- private static final String NO_GRANT_OPTION_USER = "user_no_grant_option";
- private static final String[] NO_GRANT_OPTION_GROUP = { "group_no_grant_option" };
-
- private static final String SERVICE = "service";
- private static final String COLLECTION_NAME = "collection1";
- private static final String NOT_COLLECTION_NAME = "not_collection1";
- private static final String FIELD_NAME = "field1";
- private static final String NOT_FIELD_NAME = "not_field1";
-
- @Before
- public void configure() throws Exception {
- /**
- * add the solr user to admin groups
- */
- policyFile = new PolicyFile();
- addGroupsToUser(ADMIN_USER, getAdminGroups());
- writePolicyFile();
- }
-
- /**
- * Grant query privilege to role r1
- */
- @Test
- public void testGrantPrivilege() throws Exception {
- testGrantPrivilege(sentryStore, SEARCH);
- }
-
- @Test
- public void testGrantPrivilegeTwice() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- sentryStore.createRole(SEARCH, roleName, grantor);
-
- PrivilegeObject queryPrivilegeWithOption = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor);
- assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
- //grant again
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor);
- assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
-
- PrivilegeObject queryPrivilegeWithNoOption = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(false)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor);
- assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
- //grant again
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor);
- assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
-
- PrivilegeObject queryPrivilegeWithNullGrant = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(null)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor);
-
- assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
- //grant again
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor);
- assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
-
- }
-
- /**
- * Grant query privilege to role r1 and there is ALL privilege related this
- * collection existed
- */
- @Test
- public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- /**
- * grant all privilege to role r1
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
- /**
- * check role r1 truly has the privilege been granted
- */
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
-
- PrivilegeObject queryPrivilege = new Builder(allPrivilege)
- .setAction(SolrConstants.QUERY)
- .build();
-
- /**
- * grant query privilege to role r1
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- /**
- * all privilege has been existed, the query privilege will not persistent
- */
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant query privilege to role r1 and there are query and update privileges
- * related this collection existed
- */
- @Test
- public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
-
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- /**
- * grant query and update privilege to role r1 and role r2
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege,grantor);
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,grantor);
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- PrivilegeObject allPrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.ALL)
- .build();
-
- /**
- * grant all privilege to role r1
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, allPrivilege, grantor);
-
- /**
- * check the query and update privileges of roleName1 will be removed because of ALl privilege
- * granted
- */
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- /**
- * check the query and update privileges of roleName2 will not affected and exist
- */
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- }
-
- @Test
- public void testGrantRevokeCheckWithGrantOption() throws Exception {
-
- addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
- addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
- writePolicyFile();
-
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = "g1";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- /**
- * grant query privilege to role r1 with grant option
- */
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1,
- ADMIN_USER);
- assertEquals(Sets.newHashSet(queryPrivilege1),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
- /**
- * grant query privilege to role r2 no grant option
- */
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(false).build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2,
- ADMIN_USER);
- assertEquals(Sets.newHashSet(queryPrivilege2),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- sentryStore.alterRoleAddGroups(SEARCH, roleName1,
- Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
- sentryStore.alterRoleAddGroups(SEARCH, roleName2,
- Sets.newHashSet(NO_GRANT_OPTION_GROUP), grantor);
-
- String roleName3 = "r3";
- sentryStore.createRole(SEARCH, roleName3, grantor);
- /**
- * the user with grant option grant query privilege to rolr r3
- */
- try{
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege1,
- GRANT_OPTION_USER);
- } catch (SentryGrantDeniedException e) {
- fail("SentryGrantDeniedException shouldn't have been thrown");
- }
-
- /**
- * the user with grant option revoke query privilege to rolr r3
- */
- try{
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName3, queryPrivilege1,
- GRANT_OPTION_USER);
- } catch (SentryGrantDeniedException e) {
- fail("SentryGrantDeniedException shouldn't have been thrown");
- }
-
- /**
- * the user with no grant option grant query privilege to rolr r3, it will
- * throw SentryGrantDeniedException
- */
- try {
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2,
- NO_GRANT_OPTION_USER);
- fail("SentryGrantDeniedException should have been thrown");
- } catch (SentryGrantDeniedException e) {
- //ignore the exception
- }
-
- /**
- * the user with no grant option revoke query privilege to rolr r3, it will
- * throw SentryGrantDeniedException
- */
- try {
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2,
- NO_GRANT_OPTION_USER);
- fail("SentryGrantDeniedException should have been thrown");
- } catch (SentryGrantDeniedException e) {
- //ignore the exception
- }
- }
-
- @Test
- public void testGrantWithGrantOption() throws Exception {
-
- addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
- addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
- writePolicyFile();
-
- String roleName1 = "r1";
- String grantor = "g1";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- /**
- * grant query privilege to role r1 with grant option
- */
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,ADMIN_USER);
- sentryStore.alterRoleAddGroups(SEARCH, roleName1,
- Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
-
- /**
- * the user with grant option grant query privilege to rolr r2
- */
- String roleName2 = "r2";
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER);
-
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- }
-
-
- /**
- * Grant query and update privileges to role r1 and revoke query privilege
- * there is left update privilege related to role r1
- */
- @Test
- public void testRevokePrivilege() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke query privilege
- */
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, queryPrivilege, grantor);
- assertEquals(Sets.newHashSet(updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant query and update privileges to role r1 and revoke all privilege,
- * there is no privilege related to role r1
- */
- @Test
- public void testRevokeAllPrivilege() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke all privilege
- */
- PrivilegeObject allPrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.ALL)
- .build();
-
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant all privilege to role r1 and revoke query privilege
- * there is update privilege related to role r1
- */
- @Test
- public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke update privilege
- */
- PrivilegeObject updatePrivilege = new Builder(allPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- PrivilegeObject queryPrivilege = new Builder(allPrivilege)
- .setAction(SolrConstants.QUERY)
- .build();
-
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant update, query and all privilege to role r1
- * Revoke query privilege from role r1
- * there is update privilege related to role r1
- */
- @Test
- public void testRevokePrivilegeWithAllPrivilegesGranted() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(allPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- PrivilegeObject queryPrivilege = new Builder(allPrivilege)
- .setAction(SolrConstants.QUERY)
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- //grant query to role r1
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
-
- //grant update to role r1
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * grant all action privilege to role r1, because all action includes query and update action,
- * The role r1 only has the action all privilege
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke update privilege from role r1, the query privilege has been left
- */
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- @Test
- public void testRevokeParentPrivilegeWithChildsExist() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject updatePrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.UPDATE)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(NOT_COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege1, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege2, grantor);
-
- /**
- * revoke all privilege with collection[COLLECTION_NAME=collection1] and its child privileges
- */
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege2),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- @Test
- public void testRevokeWithGrantOption() throws Exception {
-
- addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
- addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
- writePolicyFile();
-
- String roleName1 = "r1";
- String grantor = "g1";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- /**
- * grant query privilege to role r1 with grant option
- */
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,
- ADMIN_USER);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- sentryStore.alterRoleAddGroups(SEARCH, roleName1,
- Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
-
- String roleName2 = "r2";
- sentryStore.createRole(SEARCH, roleName2, grantor);
- /**
- * the user with grant option grant query privilege to rolr r2
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege,
- GRANT_OPTION_USER);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- /**
- * the user with grant option revoke query privilege to rolr r3
- */
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER);
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- }
-
- @Test
- public void testDropPrivilege() throws Exception{
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = ADMIN_USER;
-
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- /**
- * grant query and update privilege to role r1 and r2
- */
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor);
-
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- /**
- * drop query privilege
- */
- sentryStore.dropPrivilege(SEARCH, queryPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- /**
- * drop ALL privilege
- */
- PrivilegeObject allPrivilege = new Builder(queryPrivilege)
- .setAction(SolrConstants.ALL)
- .build();
-
- sentryStore.dropPrivilege(SEARCH, allPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- /**
- * grant query and update field scope[collection1,field1] privilege to role r1
- * drop collection scope[collection1] privilege
- * there is no privilege
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor);
-
- PrivilegeObject parentPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.dropPrivilege(SEARCH, parentPrivilege, grantor);
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
- }
-
- @Test
- public void testRenamePrivilege() throws Exception{
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = ADMIN_USER;
-
- List<? extends Authorizable> oldAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME));
- List<? extends Authorizable> newAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(NOT_FIELD_NAME));
-
- PrivilegeObject oldQueryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(oldAuthoriables)
- .build();
-
- PrivilegeObject oldUpdatePrivilege = new Builder(oldQueryPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- PrivilegeObject oldALLPrivilege = new Builder(oldQueryPrivilege)
- .setAction(SolrConstants.ALL)
- .build();
-
-
- PrivilegeObject newQueryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(newAuthoriables)
- .build();
-
- PrivilegeObject newUpdatePrivilege = new Builder(newQueryPrivilege)
- .setAction(SolrConstants.UPDATE)
- .build();
-
- PrivilegeObject newALLPrivilege = new Builder(newQueryPrivilege)
- .setAction(SolrConstants.ALL)
- .build();
-
-
- /**
- * grant query and update privilege to role r1
- * grant all privilege to role r2
- */
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldQueryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldUpdatePrivilege, grantor);
-
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, oldALLPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(oldQueryPrivilege,oldUpdatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(oldALLPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- /**
- * rename old query privilege to new query privilege
- */
- sentryStore.renamePrivilege(SEARCH, SERVICE,
- oldAuthoriables,
- newAuthoriables,
- grantor);
-
- assertEquals(Sets.newHashSet(newQueryPrivilege,newUpdatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(newALLPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- /**
- * rename collection scope[collection=collection1] privilege to [collection=not_collection1]
- * These privileges belong to collection scope[collection=collection1] will change to
- * [collection=not_collection1]
- */
-
- List<? extends Authorizable> newAuthoriables1 = Arrays.asList(new Collection(NOT_COLLECTION_NAME),new Field(NOT_FIELD_NAME));
-
- PrivilegeObject newQueryPrivilege1 = new Builder(newQueryPrivilege)
- .setAuthorizables(newAuthoriables1)
- .build();
-
- PrivilegeObject newUpdatePrivilege1 = new Builder(newUpdatePrivilege)
- .setAuthorizables(newAuthoriables1)
- .build();
-
- PrivilegeObject newALLPrivilege1 = new Builder(newALLPrivilege)
- .setAuthorizables(newAuthoriables1)
- .build();
-
- sentryStore.renamePrivilege(SEARCH, SERVICE,
- Arrays.asList(new Collection(COLLECTION_NAME)),
- Arrays.asList(new Collection(NOT_COLLECTION_NAME)),
- grantor);
-
- assertEquals(Sets.newHashSet(newQueryPrivilege1,newUpdatePrivilege1),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(newALLPrivilege1),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- }
-
- @Test
- public void testGetPrivilegesByRoleName() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = "g1";
-
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,
- ADMIN_USER);
-
- PrivilegeObject updatePrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,
- ADMIN_USER);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1,roleName2)));
-
- }
-
- @Test
- public void testGetPrivilegesByProvider() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String group = "g3";
- String grantor = ADMIN_USER;
-
- String service1 = "service1";
-
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.createRole(SEARCH, roleName3, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, roleName3, Sets.newHashSet(group), grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor);
-
- assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1), null, null));
-
- assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
- null, null));
-
- assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2, updatePrivilege2),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
- Sets.newHashSet(group), null));
-
- List<? extends Authorizable> authorizables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME));
- assertEquals(Sets.newHashSet(updatePrivilege1, updatePrivilege2),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
- Sets.newHashSet(group), authorizables));
- }
-
- @Test
- public void testGetPrivilegesByAuthorizable() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String grantor = ADMIN_USER;
-
- String service1 = "service1";
-
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SolrConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.createRole(SEARCH, roleName3, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor);
-
- assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null,
- Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size());
- assertEquals(1, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1),
- Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size());
- assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
- Sets.newHashSet(roleName1), null).size());
- assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
- Sets.newHashSet(roleName1,roleName2), null).size());
- assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
- Sets.newHashSet(roleName1,roleName2, roleName3), null).size());
- }
-
- @Test(expected = Exception.class)
- public void testGrantPrivilegeExternalComponentMissingConf() throws Exception {
- testGrantPrivilege(sentryStore, "externalComponent");
- }
-
- @Test(expected = Exception.class)
- public void testGrantPrivilegeExternalComponentInvalidConf() throws Exception {
- String externalComponent = "mycomponent";
- Configuration confCopy = new Configuration(conf);
- confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent),
- InvalidActionFactory.class.getName());
- SentryStoreLayer store = new DelegateSentryStore(confCopy);
- testGrantPrivilege(store, externalComponent);
- }
-
- @Test
- public void testGrantPrivilegeExternalComponent() throws Exception {
- String externalComponent = "mycomponent";
- Configuration confCopy = new Configuration(conf);
- confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent),
- MyComponentActionFactory.class.getName());
- SentryStoreLayer store = new DelegateSentryStore(confCopy);
- testGrantPrivilege(store, externalComponent);
- }
-
- @Test
- public void testGrantPrivilegeExternalComponentCaseInsensitivity() throws Exception {
- String externalComponent = "MyCoMpOnEnT";
- Configuration confCopy = new Configuration(conf);
- confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, "mycomponent"),
- MyComponentActionFactory.class.getName());
- SentryStoreLayer store = new DelegateSentryStore(confCopy);
- testGrantPrivilege(store, externalComponent);
- }
-
- private void testGrantPrivilege(SentryStoreLayer sentryStore, String component) throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(component)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
- .withGrantOption(null)
- .build();
-
- sentryStore.createRole(component, roleName, grantor);
- sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
-
- PrivilegeObject queryPrivilegeWithOption = new Builder()
- .setComponent(component)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithOption, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption),
- sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
-
- PrivilegeObject queryPrivilegeWithNoOption = new Builder()
- .setComponent(component)
- .setAction(SolrConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
- .withGrantOption(false)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithNoOption, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption, queryPrivilegeWithNoOption),
- sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
- }
-
- public static final class InvalidActionFactory {
-
- }
-
- public static final class MyComponentActionFactory extends BitFieldActionFactory {
-
- public enum MyComponentActionType {
- FOO("foo", 1),
- BAR("bar", 2),
- QUERY(SolrConstants.QUERY, 4),
- ALL("*", FOO.getCode() | BAR.getCode() | QUERY.getCode());
-
- private String name;
- private int code;
- MyComponentActionType(String name, int code) {
- this.name = name;
- this.code = code;
- }
-
- public int getCode() {
- return code;
- }
-
- public String getName() {
- return name;
- }
-
- static MyComponentActionType getActionByName(String name) {
- for (MyComponentActionType action : MyComponentActionType.values()) {
- if (action.name.equalsIgnoreCase(name)) {
- return action;
- }
- }
- throw new RuntimeException("can't get MyComponentActionType by name:" + name);
- }
-
- static List<MyComponentActionType> getActionByCode(int code) {
- List<MyComponentActionType> actions = Lists.newArrayList();
- for (MyComponentActionType action : MyComponentActionType.values()) {
- if ((action.code & code) == action.code && action != MyComponentActionType.ALL) {
- //MyComponentActionType.ALL action should not return in the list
- actions.add(action);
- }
- }
- if (actions.isEmpty()) {
- throw new RuntimeException("can't get sqoopActionType by code:" + code);
- }
- return actions;
- }
- }
-
- public static class MyComponentAction extends BitFieldAction {
- public MyComponentAction(String name) {
- this(MyComponentActionType.getActionByName(name));
- }
- public MyComponentAction(MyComponentActionType myComponentActionType) {
- super(myComponentActionType.name, myComponentActionType.code);
- }
- }
-
- @Override
- public List<? extends BitFieldAction> getActionsByCode(int actionCode) {
- List<MyComponentAction> actions = Lists.newArrayList();
- for (MyComponentActionType action : MyComponentActionType.getActionByCode(actionCode)) {
- actions.add(new MyComponentAction(action));
- }
- return actions;
- }
-
- @Override
- public BitFieldAction getActionByName(String name) {
- // Check the name is All
- if (SqoopActionConstant.ALL_NAME.equalsIgnoreCase(name)) {
- return new MyComponentAction(MyComponentActionType.ALL);
- }
- return new MyComponentAction(name);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
deleted file mode 100644
index 03abb4e..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.fail;
-
-import java.util.Arrays;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.solr.Collection;
-import org.apache.sentry.core.model.solr.Field;
-import org.apache.sentry.core.model.solr.SolrConstants;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.junit.Test;
-
-public class TestSentryGMPrivilege {
-
- @Test
- public void testValidateAuthorizables() throws Exception {
- try {
- new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),SolrConstants.QUERY, false);
- } catch (IllegalStateException e) {
- fail("unexpect happend: it is a validated privilege");
- }
-
- try {
- new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection(""), new Field("f1")),SolrConstants.QUERY, false);
- fail("unexpect happend: it is not a validated privilege, The empty name of authorizable can't be empty");
- } catch (IllegalStateException e) {
- }
-
- try {
- new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(null, new Field("f1")),SolrConstants.QUERY, false);
- fail("unexpect happend: it is not a validated privilege, The authorizable can't be null");
- } catch (IllegalStateException e) {
- }
- }
-
- @Test
- public void testImpliesWithServerScope() throws Exception {
- //The persistent privilege is server scope
- MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr",
- "service1", null,SolrConstants.QUERY, false);
-
- MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1")),
- SolrConstants.QUERY, false);
- assertTrue(serverPrivilege.implies(collectionPrivilege));
-
- MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SolrConstants.QUERY, false);
- assertTrue(serverPrivilege.implies(fieldPrivilege));
- assertTrue(collectionPrivilege.implies(fieldPrivilege));
-
- serverPrivilege.setAction(SolrConstants.UPDATE);
- assertFalse(serverPrivilege.implies(collectionPrivilege));
- assertFalse(serverPrivilege.implies(fieldPrivilege));
-
- serverPrivilege.setAction(SolrConstants.ALL);
- assertTrue(serverPrivilege.implies(collectionPrivilege));
- assertTrue(serverPrivilege.implies(fieldPrivilege));
- }
- /**
- * The requested privilege has the different authorizable size with the persistent privilege
- * @throws Exception
- */
- @Test
- public void testImpliesDifferentAuthorizable() throws Exception {
- /**
- * Test the scope of persistent privilege is the larger than the requested privilege
- */
- MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr",
- "service1", null, SolrConstants.QUERY, false);
-
- MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1")),
- SolrConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SolrConstants.QUERY, false);
- assertTrue(serverPrivilege.implies(collectionPrivilege));
- assertTrue(serverPrivilege.implies(fieldPrivilege));
- assertTrue(collectionPrivilege.implies(fieldPrivilege));
- /**
- * Test the scope of persistent privilege is less than the request privilege
- */
- assertFalse(fieldPrivilege.implies(collectionPrivilege));
- assertFalse(fieldPrivilege.implies(serverPrivilege));
- assertFalse(collectionPrivilege.implies(serverPrivilege));
-
- /**
- * Test the scope of persistent privilege is less than the request privilege,
- * but the name of left authorizable is ALL
- */
- MSentryGMPrivilege fieldAllPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)),
- SolrConstants.QUERY, false);
-
- assertTrue(fieldAllPrivilege.implies(collectionPrivilege));
-
- /**
- * Test the scope of persistent privilege has the same scope as request privilege
- */
- MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SolrConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c2"), new Field("f2")),
- SolrConstants.QUERY, false);
- assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
- }
-
- /**
- * The requested privilege has the same authorizable size as with the persistent privilege
- * @throws Exception
- */
- @Test
- public void testSearchImpliesEqualAuthorizable() throws Exception {
-
- MSentryGMPrivilege serverPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", null,SolrConstants.QUERY, false);
-
- MSentryGMPrivilege serverPrivilege2 = new MSentryGMPrivilege("solr",
- "service2", null,SolrConstants.QUERY, false);
-
- assertFalse(serverPrivilege1.implies(serverPrivilege2));
-
- MSentryGMPrivilege collectionPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1")),
- SolrConstants.QUERY, false);
-
- MSentryGMPrivilege collectionPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c2")),
- SolrConstants.QUERY, false);
-
- assertFalse(collectionPrivilege1.implies(collectionPrivilege2));
-
- MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SolrConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
- SolrConstants.QUERY, false);
-
- assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
-
- /**
- * The authorizables aren't equal,but the persistent privilege has the ALL name
- */
- collectionPrivilege2.setAuthorizables(Arrays.asList(new Collection(AccessConstants.ALL)));
- collectionPrivilege2.implies(collectionPrivilege1);
-
- fieldPrivilege2.setAuthorizables(Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)));
- fieldPrivilege2.implies(fieldPrivilege1);
- }
-
- @Test
- public void testSearchImpliesAction() throws Exception {
- /**
- * action is equal
- */
- MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
- SolrConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
- SolrConstants.QUERY, false);
-
- assertTrue(fieldPrivilege1.implies(fieldPrivilege2));
-
- /**
- * action isn't equal
- */
- fieldPrivilege2.setAction(SolrConstants.UPDATE);
- assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
- /**
- * action isn't equal,but the persistent privilege has the ALL action
- */
- fieldPrivilege1.setAction(SolrConstants.ALL);
- assertTrue(fieldPrivilege1.implies(fieldPrivilege2));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
deleted file mode 100644
index 65d26c0..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
+++ /dev/null
@@ -1,542 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.util.Arrays;
-import java.util.Properties;
-import java.util.List;
-
-import javax.jdo.JDOHelper;
-import javax.jdo.PersistenceManager;
-import javax.jdo.PersistenceManagerFactory;
-import javax.jdo.Query;
-import javax.jdo.Transaction;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.model.solr.Collection;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.base.Preconditions;
-import com.google.common.io.Files;
-/**
- * The class tests that the new feature SENTRY-398 generic model adds the new field in the MSentryRole
- * will not affect the functionality of the origin hive/impala authorization model
- * Some Tests below make sure that privileges are removed from sentry storage the moment they are not associated to any role.
- * This avoid the need for PrivCleaner to perform periodic cleanup.
- */
-public class TestSentryRole {
- private static PersistenceManagerFactory pmf;
- private static File dataDir;
-
- @Before
- public void setup() throws Exception {
- dataDir = new File(Files.createTempDir(), "sentry_policy_db");
- Properties prop = new Properties();
- prop.setProperty(ServerConfig.JAVAX_JDO_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
- prop.setProperty(ServerConfig.JAVAX_JDO_USER, "Sentry");
- prop.setProperty(ServerConfig.JAVAX_JDO_PASS, "Sentry");
- prop.setProperty(ServerConfig.JAVAX_JDO_DRIVER_NAME, "org.apache.derby.jdbc.EmbeddedDriver");
- prop.setProperty("datanucleus.schema.autoCreateAll", "true");
- prop.setProperty("datanucleus.NontransactionalRead", "false");
- prop.setProperty("datanucleus.NontransactionalWrite", "false");
- pmf = JDOHelper.getPersistenceManagerFactory(prop);
- }
-
- @After
- public void tearDown() throws Exception {
- pmf.close();
- FileUtils.deleteQuietly(dataDir);
- }
-
- @Test
- public void grantMixedPrivilegeTest() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setGrantOption(true);
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
- //add hivePrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- commitTransaction(pm);
- //check hivePrivlege and solrPrivilege
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
- //add solrPrivilege to role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
- //check hivePrivlege and solrPrivilege
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
- }
-
- @Test
- public void testWantGrantPrivilegeTwice() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
- //The same hivePrivilege
- MSentryPrivilege hivePrivilege2 = new MSentryPrivilege(hivePrivilege);
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
- //The same solrPrivilege
- MSentryGMPrivilege solrPrivilege2 = new MSentryGMPrivilege(solrPrivilege);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- solrPrivilege.appendRole(role);
- hivePrivilege.appendRole(role);
- pm.makePersistent(solrPrivilege);
- pm.makePersistent(hivePrivilege);
- commitTransaction(pm);
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //want to grant the same hivePrivilege and solrPrivilege to role again
- //hivePrivilege2 is equal to hivePrivilege
- //solrPrivilege2 is equal to solrPrivilege
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- if (!role.getGmPrivileges().contains(solrPrivilege2)) {
- fail("unexpect happend: the MSentryGMPrivilege:" + solrPrivilege2 + " already be granted");
- }
- if (!role.getPrivileges().contains(hivePrivilege2)) {
- fail("unexpect happend: the MSentryPrivilege:" + hivePrivilege2 + " already be granted");
- }
- commitTransaction(pm);
- }
-
- @Test
- public void testMixedRevokePrivilege() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
-
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //revoke solrPrivilege from role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- solrPrivilege = (MSentryGMPrivilege)role.getGmPrivileges().toArray()[0];
- solrPrivilege.removeRole(role);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //revoke hivePrivilege from role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- hivePrivilege = (MSentryPrivilege)role.getPrivileges().toArray()[0];
- hivePrivilege.removeRole(role);
- pm.makePersistent(hivePrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(0, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
- }
-
- @Test
- public void testDeletePrivilegeAndRole() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
-
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //remove all privileges
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- role.removeGMPrivileges();
- role.removePrivileges();
- pm.makePersistent(role);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(0, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //delete role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.deletePersistent(role);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- assertTrue(role == null);
- commitTransaction(pm);
- }
-
- /**
- * Removes a role and makes sure that privileges are removed from sentry storage
- * moment they are not associated to any role.
- * @throws Exception
- */
- @Test
- public void testDeleteRole() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
-
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- pm.makePersistent(solrPrivilege);
- pm.makePersistent(role);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //delete role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
-
- // pm.deletePersistent(role);
- role.removePrivileges();
- role.removeGMPrivileges();
- pm.deletePersistent(role);
- commitTransaction(pm);
-
- //check for privileges
- //There shouldn't be any privilages
- pm = openTransaction();
- Query query = pm.newQuery(MSentryPrivilege.class);
- List<MSentryPrivilege> results = (List<MSentryPrivilege>) query.execute();
- assertEquals(1, results.size());
- Query query1 = pm.newQuery(MSentryGMPrivilege.class);
- List<MSentryGMPrivilege> results1 = (List<MSentryGMPrivilege>) query1.execute();
- assertEquals(1, results1.size());
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- assertTrue(role == null);
- commitTransaction(pm);
- }
-
- /**
- * Removes a role and makes sure that privileges are not removed from sentry storage if
- * they are associated to any other role as well.
- * @throws Exception
- */
- @Test
- public void testDeleteRole1() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
-
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role1
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName1, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //create role2
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName2, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role1 and role2
- pm = openTransaction();
- MSentryRole role1 = getMSentryRole(pm, roleName1);
- MSentryRole role2 = getMSentryRole(pm, roleName2);
- hivePrivilege.appendRole(role1);
- solrPrivilege.appendRole(role1);
- hivePrivilege.appendRole(role2);
- solrPrivilege.appendRole(role2);
- pm.makePersistent(hivePrivilege);
- pm.makePersistent(solrPrivilege);
- pm.makePersistent(role1);
- pm.makePersistent(role2);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role1 = getMSentryRole(pm, roleName1);
- pm.retrieve(role1);
- assertEquals(1, role1.getPrivileges().size());
- assertEquals(1, role1.getGmPrivileges().size());
- role2 = getMSentryRole(pm, roleName2);
- pm.retrieve(role2);
- assertEquals(1, role2.getPrivileges().size());
- assertEquals(1, role2.getGmPrivileges().size());
- commitTransaction(pm);
-
- //delete role
- pm = openTransaction();
- role1 = getMSentryRole(pm, roleName1);
- role1.removePrivileges();
- role1.removeGMPrivileges();
- pm.deletePersistent(role1);
- commitTransaction(pm);
-
- //check for privileges
- //Privileges should be present
- pm = openTransaction();
- Query query = pm.newQuery(MSentryPrivilege.class);
- List<MSentryPrivilege> results = (List<MSentryPrivilege>) query.execute();
- assertEquals(1, results.size());
- Query query1 = pm.newQuery(MSentryGMPrivilege.class);
- List<MSentryGMPrivilege> results1 = (List<MSentryGMPrivilege>) query1.execute();
- assertEquals(1, results1.size());
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role1 = getMSentryRole(pm, roleName1);
- assertTrue(role1 == null);
- commitTransaction(pm);
- }
- private PersistenceManager openTransaction() {
- PersistenceManager pm = pmf.getPersistenceManager();
- Transaction currentTransaction = pm.currentTransaction();
- currentTransaction.begin();
- return pm;
- }
-
- private void commitTransaction(PersistenceManager pm) {
- Transaction currentTransaction = pm.currentTransaction();
- try {
- Preconditions.checkState(currentTransaction.isActive(), "Transaction is not active");
- currentTransaction.commit();
- } finally {
- pm.close();
- }
- }
-
- private MSentryRole getMSentryRole(PersistenceManager pm, String roleName) {
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole sentryRole = (MSentryRole) query.execute(roleName);
- return sentryRole;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/b97f5c7a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
deleted file mode 100644
index ca9062b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.appender;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.log4j.Logger;
-import org.apache.log4j.PatternLayout;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Files;
-
-public class TestRollingFileWithoutDeleteAppender {
- private Logger sentryLogger = Logger.getRootLogger();
- private File dataDir;
-
- @Before
- public void init() {
- dataDir = Files.createTempDir();
- }
-
- @Test
- public void testRollOver() throws Throwable {
- if (dataDir == null) {
- fail("Excepted temp folder for audit log is created.");
- }
- RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender(
- new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log");
- appender.setMaximumFileSize(100);
- sentryLogger.addAppender(appender);
- // Write exactly 10 bytes with each log
- for (int i = 0; i < 99; i++) {
- if (i < 10) {
- sentryLogger.debug("Hello---" + i);
- } else if (i < 100) {
- sentryLogger.debug("Hello--" + i);
- }
- }
-
- if (dataDir != null) {
- File[] files = dataDir.listFiles();
- if (files != null) {
- assertEquals(files.length, 10);
- } else {
- fail("Excepted 10 log files.");
- }
- } else {
- fail("Excepted 10 log files.");
- }
-
- }
-
- /***
- * Generate log enough to cause a single rollover. Verify the file name format
- * @throws Throwable
- */
- @Test
- public void testFileNamePattern() throws Throwable {
- if (dataDir == null) {
- fail("Excepted temp folder for audit log is created.");
- }
- RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender(
- new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log");
- appender.setMaximumFileSize(10);
- sentryLogger.addAppender(appender);
- sentryLogger.debug("123456789012345");
- File[] files = dataDir.listFiles();
- if (files != null) {
- assertEquals(files.length, 2);
- assertTrue(files[0].getName().contains("auditLog.log."));
- assertTrue(files[1].getName().contains("auditLog.log."));
- } else {
- fail("Excepted 2 log files.");
- }
- }
-
- @After
- public void destroy() {
- if (dataDir != null) {
- FileUtils.deleteQuietly(dataDir);
- }
- }
-}