Posted to commits@sentry.apache.org by ak...@apache.org on 2017/03/11 02:10:14 UTC
[2/2] sentry git commit: SENTRY-1390: Add test cases to ensure
usability of URI privileges for HMS binding (Hao Hao,
Reviewed by: Sravya Tirukkovalur)
SENTRY-1390: Add test cases to ensure usability of URI privileges for HMS binding (Hao Hao, Reviewed by: Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c8de9a90
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c8de9a90
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c8de9a90
Branch: refs/heads/sentry-ha-redesign
Commit: c8de9a907f06c5ab08836e816176cb2a1598199b
Parents: f71e2e8
Author: Alexander Kolbasov <ak...@cloudera.com>
Authored: Fri Mar 10 18:10:03 2017 -0800
Committer: Alexander Kolbasov <ak...@cloudera.com>
Committed: Fri Mar 10 18:10:03 2017 -0800
----------------------------------------------------------------------
.../AbstractTestWithStaticConfiguration.java | 5 +
.../tests/e2e/metastore/TestURIMetastore.java | 178 +++++++++++++++++++
2 files changed, 183 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/c8de9a90/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
index 47be188..4994cf8 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
@@ -160,6 +160,7 @@ public abstract class AbstractTestWithStaticConfiguration {
private static final String ENABLE_NOTIFICATION_LOG = "sentry.e2etest.enable.notification.log";
protected static boolean policyOnHdfs = false;
+ protected static boolean defaultFSOnHdfs = false;
protected static boolean useSentryService = false;
protected static boolean setMetastoreListener = true;
protected static boolean useDbNotificationListener = false;
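Review bot: `defaultFSOnHdfs` is a mutable static on the shared base class, and nothing visible in this commit sets it back to `false` after `TestURIMetastore.setupTestStaticConfiguration()` turns it on. Any e2e class that runs later in the same JVM would then inherit the `fs.defaultFS` override added in the second hunk of this file. If the base class resets its sibling flags (`policyOnHdfs`, `useSentryService`, ...) in a class-level teardown outside this hunk, add `defaultFSOnHdfs = false;` there; otherwise reset it in an `@AfterClass` of the new test.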
@@ -330,6 +331,10 @@ public abstract class AbstractTestWithStaticConfiguration {
setupSentryService();
}
+ if (defaultFSOnHdfs) {
+ properties.put("fs.defaultFS", fileSystem.getUri().toString());
+ }
+
hiveServer = create(properties, baseDir, confDir, logDir, policyURI, fileSystem);
hiveServer.start();
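Review bot: The new `if (defaultFSOnHdfs)` block has no comment saying why `fs.defaultFS` is overridden, and the flag name promises HDFS while the value comes from whatever `fileSystem` happens to be. A one-line comment such as `// resolve scheme-less locations against the test file system rather than the Hadoop default` would record the intent, which is presumably what the new URI tests rely on. The enclosing setup method starts and ends outside this hunk, so how `fileSystem` is initialised cannot be checked from here.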
http://git-wip-us.apache.org/repos/asf/sentry/blob/c8de9a90/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java
new file mode 100644
index 0000000..667df51
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java
@@ -0,0 +1,178 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.metastore;
+
+import com.google.common.collect.Lists;
+import com.google.common.io.Resources;
+import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.Table;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.tests.e2e.hive.Context;
+import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
+import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.net.URI;
+import java.util.ArrayList;
+
+import static org.junit.Assert.fail;
+
+/**
+ * This clase is to test URI privileges usability for Hive MetaStore binding.
+ */
+public class TestURIMetastore extends
+ AbstractMetastoreTestWithStaticConfiguration {
+
+ private PolicyFile policyFile;
+ private File dataFile;
+ private static final String dbName = "db_1";
+ private static final String db_all_role = "all_db1";
+ private static final String uri_role = "uri_role";
+
+
+ @BeforeClass
+ public static void setupTestStaticConfiguration() throws Exception {
+ setMetastoreListener = false;
+ defaultFSOnHdfs = true;
+ AbstractMetastoreTestWithStaticConfiguration.setupTestStaticConfiguration();
+ }
+
+ @Override
+ @Before
+ public void setup() throws Exception {
+
+ policyFile = setAdminOnServer1(ADMINGROUP);
+ policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+ super.setup();
+
+ dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
+ FileOutputStream to = new FileOutputStream(dataFile);
+ Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
+ to.close();
+
+ HiveMetaStoreClient client = context.getMetaStoreClient(ADMIN1);
+ client.dropDatabase(dbName, true, true, true);
+ createMetastoreDB(client, dbName);
+ client.close();
+
+ policyFile
+ .addRolesToGroup(USERGROUP1, db_all_role)
+ .addPermissionsToRole(db_all_role, "server=server1->db=" + dbName)
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ if (context != null) {
+ context.close();
+ }
+ }
+
+ /**
+ * Verify URI privileges for create table DDL without scheme and authority
+ * @throws Exception
+ */
+ @Test
+ public void testCreateTableWithURINoSchemeAndAuthority() throws Exception {
+
+ String tabName1 = "tab1";
+ String tabDir1 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) + File.separator + tabName1;
+
+ // URI location that contains no scheme and authority.
+ String tabDir1Path = new URI(tabDir1).getPath();
+
+ policyFile.addRolesToGroup(USERGROUP1, uri_role)
+ .addRolesToGroup(USERGROUP2, db_all_role)
+ .addPermissionsToRole(uri_role, "server=server1->URI=" + tabDir1);
+ writePolicyFile(policyFile);
+
+ // user with URI privileges should be able to add table to URI locations which has no authority and scheme.
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER1_1);
+ createMetastoreTableWithLocation(client, dbName, tabName1, Lists.newArrayList(new FieldSchema("col1", "int", "")), tabDir1Path);
+
+ client.close();
+
+ // user without URI privileges should be NOT able to create table to a specific location
+ client = context.getMetaStoreClient(USER2_1);
+ try {
+ createMetastoreTableWithLocation(client, dbName, "fooTab", Lists.newArrayList(new FieldSchema("col1", "int", "")), tabDir1Path);
+ fail("Create table with location should fail without URI privilege");
+ } catch (MetaException e) {
+ Context.verifyMetastoreAuthException(e);
+ }
+ client.close();
+ }
+
+ /**
+ * Verify URI privileges for alter table DDL without scheme and authority
+ * @throws Exception
+ */
+ @Test
+ public void testAlterTableWithURINoSchemeAndAuthority() throws Exception {
+ String tabName1 = "tab1";
+ String newPath1 = "fooTab1";
+ String newPath2 = "fooTab2";
+ ArrayList<String> partVals1 = Lists.newArrayList("part1");
+ ArrayList<String> partVals2 = Lists.newArrayList("part2");
+ ArrayList<String> partVals3 = Lists.newArrayList("part3");
+
+ String tabDir1 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR)
+ + File.separator + tabName1 + newPath1;
+ String tabDir2 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR)
+ + File.separator + tabName1 + newPath2;
+ // URI location that contains no scheme and authority.
+ String tabDir1Path = new URI(tabDir1).getPath();
+ String tabDir2Path = new URI(tabDir2).getPath();
+
+ policyFile.addRolesToGroup(USERGROUP1, uri_role)
+ .addRolesToGroup(USERGROUP2, db_all_role)
+ .addPermissionsToRole(uri_role, "server=server1->URI=" + tabDir1);
+ writePolicyFile(policyFile);
+
+ // user with URI privileges should be able to alter partition to set that specific location
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER1_1);
+ Table tbl1 = createMetastoreTableWithPartition(client, dbName, tabName1,
+ Lists.newArrayList(new FieldSchema("col1", "int", "")),
+ Lists.newArrayList(new FieldSchema("part_col1", "string", "")));
+ addPartition(client, dbName, tabName1, partVals1, tbl1);
+ addPartitionWithLocation(client, dbName, tabName1, partVals2, tbl1, tabDir1Path);
+ client.close();
+
+ // user without URI privileges should be NOT able to alter partition to set
+ // that specific location
+ client = context.getMetaStoreClient(USER2_1);
+ try {
+ tbl1 = client.getTable(dbName, tabName1);
+ addPartitionWithLocation(client, dbName, tabName1, partVals3, tbl1, tabDir2Path);
+ fail("Add partition with location should have failed");
+ } catch (MetaException e) {
+ Context.verifyMetastoreAuthException(e);
+ }
+ client.close();
+ }
+}
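Review bot: Neither test checks that a user who holds a URI privilege is refused at a location outside that grant, so a binding that only asks "does the caller hold some URI privilege" would pass both. In `testAlterTableWithURINoSchemeAndAuthority` the only denial is for `USER2_1`, who has no URI role at all, and it targets `tabDir2Path`, which no role covers. Adding a denial check for `USER1_1` against `tabDir2Path` would pin the grant to the granted location; this should be refused because `uri_role` covers `tabDir1` only. Separately, `tabName1 + newPath1` is joined without a separator, so the two directories are the siblings `tab1fooTab1` and `tab1fooTab2` rather than children of `tab1`; confirm that is intended.

```java
    addPartitionWithLocation(client, dbName, tabName1, partVals2, tbl1, tabDir1Path);
    // uri_role covers tabDir1 only, so the sibling location must still be refused
    try {
      addPartitionWithLocation(client, dbName, tabName1, partVals3, tbl1, tabDir2Path);
      fail("Add partition outside the granted URI should have failed");
    } catch (MetaException e) {
      Context.verifyMetastoreAuthException(e);
    }
    client.close();
    // … unchanged: USER2_1 negative case …
```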