You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/10/27 15:01:26 UTC
[1/2] sentry git commit: SENTRY-2372: SentryStore should not
implement grantOptionCheck (Sergio Pena, reviewed by Na Li)
Repository: sentry
Updated Branches:
refs/heads/master 6734686ac -> 8e0505703
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index 1568dc1..f2f38a3 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -51,7 +51,6 @@ import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.hdfs.PathsUpdate;
import org.apache.sentry.hdfs.PermissionsUpdate;
@@ -249,8 +248,8 @@ public class TestSentryStore extends org.junit.Assert {
user = sentryStore.getMSentryUserByName(users.iterator().next(), false);
assertNull(user);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
}
@Test
@@ -266,8 +265,8 @@ public class TestSentryStore extends org.junit.Assert {
tSentryPrivilege1.setURI(uri1);
TSentryPrivilege tSentryPrivilege2 = new TSentryPrivilege("URI", "server1", "ALL");
tSentryPrivilege2.setURI(uri2);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, tSentryPrivilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, tSentryPrivilege2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, tSentryPrivilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, tSentryPrivilege2, null);
TSentryAuthorizable tSentryAuthorizable1 = new TSentryAuthorizable();
tSentryAuthorizable1.setUri(uri1);
@@ -337,21 +336,20 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testURIGrantRevokeOnEmptyPath() throws Exception {
String roleName = "test-empty-uri-role";
- String grantor = "g1";
String uri = "";
createRole(roleName);
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL");
tSentryPrivilege.setURI(uri);
//Test grant on empty URI
try {
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
fail("Expected SentryInvalidInputException");
} catch(SentryInvalidInputException e) {
// expected
}
//Test revoke on empty URI
try {
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
fail("Expected SentryInvalidInputException");
} catch(SentryInvalidInputException e) {
// expected
@@ -373,11 +371,10 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testCaseSensitiveScope() throws Exception {
String roleName = "role1";
- String grantor = "g1";
createRole(roleName);
TSentryPrivilege sentryPrivilege = new TSentryPrivilege("Database", "server1", "all");
sentryPrivilege.setDbName("db1");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, sentryPrivilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, sentryPrivilege, null);
}
/**
@@ -604,7 +601,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokePrivilege() throws Exception {
String roleName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -616,12 +612,12 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// after having ALL and revoking SELECT, we should have INSERT
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -651,7 +647,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPrivilegeCleanup() throws Exception {
final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
final String server = "server";
final String dBase = "db";
final String table = "table-";
@@ -667,7 +662,7 @@ public class TestSentryStore extends org.junit.Assert {
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
}
// Make sure we really have the expected number of privs in the database
@@ -696,7 +691,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPrivilegeCleanup2() throws Exception {
final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
final String server = "server";
final String dBase = "db";
final String table = "table-";
@@ -714,11 +708,11 @@ public class TestSentryStore extends org.junit.Assert {
priv.setTableName(table + i);
priv.setDbName(dBase);
priv.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
priv.setAction(AccessConstants.SELECT);
priv.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
// after having ALL and revoking SELECT, we should have INSERT
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
@@ -750,7 +744,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPrivilegeCleanup3() throws Exception {
final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
final String server = "server";
final String dBase = "db";
final String table = "table-";
@@ -768,11 +761,11 @@ public class TestSentryStore extends org.junit.Assert {
priv.setTableName(table + i);
priv.setDbName(dBase);
priv.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
priv.setAction(AccessConstants.SELECT);
priv.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
assertFalse(sentryStore.findOrphanedPrivileges());
@@ -780,25 +773,25 @@ public class TestSentryStore extends org.junit.Assert {
//Remove the INSERT privilege as well.
//There should not be any more privileges in the sentry store
priv.setAction(AccessConstants.INSERT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
priv.setAction(AccessConstants.CREATE);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
priv.setAction(AccessConstants.DROP);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
priv.setAction(AccessConstants.ALTER);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
@@ -825,7 +818,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPrivilegeCleanup4 () throws Exception {
final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
final String server = "server";
final String dBase = "db";
final String table = "table-";
@@ -841,7 +833,7 @@ public class TestSentryStore extends org.junit.Assert {
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
}
// Make sure we really have the expected number of privs in the database
@@ -855,7 +847,7 @@ public class TestSentryStore extends org.junit.Assert {
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + '0');
priv.setDbName(dBase);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
//There should be SELECT privilege in the sentry store
priv = new TSentryPrivilege();
@@ -873,7 +865,7 @@ public class TestSentryStore extends org.junit.Assert {
// should have NUM_PRIVS - 1 ALL privileges, and 4 privileges (SELECT, CREATE, DROP, ALTER)
assertEquals("Privilege Count", NUM_PRIVS, role.getPrivileges().size());
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", NUM_PRIVS - 1, role.getPrivileges().size());
@@ -891,7 +883,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPrivilegeCleanup5() throws Exception {
final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
final String server = "server";
final String dBase = "db";
final String table = "table-";
@@ -909,10 +900,10 @@ public class TestSentryStore extends org.junit.Assert {
priv.setTableName(table + i);
priv.setDbName(dBase);
priv.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, priv, null);
priv.setAction(AccessConstants.ALTER);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, priv, null);
+ sentryStore.alterSentryRevokePrivilege( SentryPrincipalType.ROLE, roleName, priv, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
@@ -925,7 +916,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testDropIndividualPrivilegesWhenGrantAllIsGranted() throws Exception {
- final String GRANTOR = "g1";
final String ROLE_NAME = "r1";
final String SERVER_NAME = "server1";
final String DB_NAME = "db1";
@@ -962,7 +952,7 @@ public class TestSentryStore extends org.junit.Assert {
// Grant individual privileges to a role
createRole(ROLE_NAME);
- sentryStore.alterSentryRoleGrantPrivileges(GRANTOR, ROLE_NAME, grantPrivileges);
+ sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, grantPrivileges);
// Check those individual privileges are granted
Set<TSentryPrivilege> rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
@@ -973,7 +963,7 @@ public class TestSentryStore extends org.junit.Assert {
}
// Grant the ALL privilege (this should remove all individual privileges, and grant only ALL)
- sentryStore.alterSentryRoleGrantPrivileges(GRANTOR, ROLE_NAME, Sets.newHashSet(allPrivilege));
+ sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, Sets.newHashSet(allPrivilege));
// Check the ALL and OWNER privileges are the only privileges
rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
@@ -982,13 +972,13 @@ public class TestSentryStore extends org.junit.Assert {
assertTrue("Privilege OWNER was dropped.", rolePrivileges.contains(ownerPrivilege));
// Check the ALL WITH GRANT privilege just replaces the ALL and keeps the OWNER privilege
- sentryStore.alterSentryRoleGrantPrivileges(GRANTOR, ROLE_NAME, Sets.newHashSet(allWithGrant));
+ sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, Sets.newHashSet(allWithGrant));
rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
assertTrue("Privilege ALL WITH GRANT was not granted.", rolePrivileges.contains(allWithGrant));
assertTrue("Privilege OWNER was dropped.", rolePrivileges.contains(ownerPrivilege));
// Check the ALL privilege just replaces the ALL WITH GRANT and keeps the OWNER privilege
- sentryStore.alterSentryRoleGrantPrivileges(GRANTOR, ROLE_NAME, Sets.newHashSet(allPrivilege));
+ sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, Sets.newHashSet(allPrivilege));
rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
assertTrue("Privilege ALL was not granted.", rolePrivileges.contains(allPrivilege));
assertTrue("Privilege OWNER was dropped.", rolePrivileges.contains(ownerPrivilege));
@@ -1003,7 +993,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokeMultiPrivileges() throws Exception {
String roleName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -1021,7 +1010,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setCreateTime(System.currentTimeMillis());
tPrivileges.add(privilege);
}
- sentryStore.alterSentryRoleGrantPrivileges(grantor, roleName, tPrivileges);
+ sentryStore.alterSentryRoleGrantPrivileges(roleName, tPrivileges);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 4, privileges.size());
@@ -1038,7 +1027,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setCreateTime(System.currentTimeMillis());
tPrivileges.add(privilege);
}
- sentryStore.alterSentryRoleRevokePrivileges(grantor, roleName, tPrivileges);
+ sentryStore.alterSentryRoleRevokePrivileges(roleName, tPrivileges);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
@@ -1050,7 +1039,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// After revoking table scope, we will have 0 privileges
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -1063,7 +1052,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokePrivilegeWithColumn() throws Exception {
String roleName = "test-col-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -1080,16 +1068,16 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setCreateTime(System.currentTimeMillis());
// Grant ALL on c1 and c2
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
privilege.setColumnName(column2);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
// Revoke SELECT on c2
privilege.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// At this point c1 has ALL privileges and c2 should have (INSERT, CREATE, DROP, ALTER)
// after revoking SELECT
@@ -1120,7 +1108,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.INSERT);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
@@ -1128,7 +1116,7 @@ public class TestSentryStore extends org.junit.Assert {
// Revoke ALL from the table should now remove all the column privileges.
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 0, privileges.size());
@@ -1140,7 +1128,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokeTablePrivilegeDowngradeByDb() throws Exception {
String roleName = "test-table-db-downgrade-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table1 = "tbl1";
@@ -1157,15 +1144,15 @@ public class TestSentryStore extends org.junit.Assert {
privilegeTable2.setTableName(table2);
// Grant ALL on table1 and table2
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeTable1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeTable2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilegeTable1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilegeTable2, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
// Revoke SELECT on table2
privilegeTable2.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeTable2, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilegeTable2, null);
// after having ALL and revoking SELECT, we should have (INSERT) at table2
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -1189,7 +1176,7 @@ public class TestSentryStore extends org.junit.Assert {
privilegeTable2.setAction(AccessConstants.INSERT);
privilegeTable2.setPrivilegeScope("DATABASE");
privilegeTable2.unsetTableName();
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeTable2, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilegeTable2, null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -1218,7 +1205,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokeColumnPrivilegeDowngradeByDb() throws Exception {
String roleName = "test-column-db-downgrade-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -1237,15 +1223,15 @@ public class TestSentryStore extends org.junit.Assert {
privilegeCol2.setColumnName(column2);
// Grant ALL on column1 and column2
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeCol1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeCol2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilegeCol1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilegeCol2, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
// Revoke SELECT on column2
privilegeCol2.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeCol2, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilegeCol2, null);
// after having ALL and revoking SELECT, we should have (INSERT)
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -1270,7 +1256,7 @@ public class TestSentryStore extends org.junit.Assert {
privilegeCol2.setPrivilegeScope("DATABASE");
privilegeCol2.unsetTableName();
privilegeCol2.unsetColumnName();
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilegeCol2, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilegeCol2, null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -1295,7 +1281,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokePrivilegeWithGrantOption() throws Exception {
String roleName = "test-grantOption-table";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -1310,12 +1295,12 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
privilege.setGrantOption(grantOption);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
assertEquals(Boolean.valueOf(privilege.getGrantOption().toString()), Iterables.get(privileges, 0).getGrantOption());
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(0, privileges.size());
@@ -1331,14 +1316,14 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setGrantOption(TSentryGrantOption.TRUE);
privilege.setCreateTime(System.currentTimeMillis());
privilege.setGrantOption(grantOption);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
privilege.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// after having ALL and revoking SELECT, we should have (INSERT)
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -1351,357 +1336,6 @@ public class TestSentryStore extends org.junit.Assert {
}
@Test
- public void testGrantCheckWithGroupAndUser() throws Exception {
- // 1. set local group mapping and group-role, user-role mapping
- // user0_0->group0
- // user0_1->group0
- // user1_0->group1
- // user1_1->group1
- // group0->roleG0
- // group1->roleG1
- // user0_0->roleU00
- // user0_1->roleU01
- // user1_0->roleU10
- // user1_1->roleU11
- String grantor = "g1";
- String[][] users = { { "user0_0", "user0_1" }, { "user1_0", "user1_1" } };
- String[] groups = { "group0", "group1" };
- String[] rolesForGroup = { "roleG0", "roleG1" };
- String[] rolesForUser = { "roleU0", "roleU1", "roleU2", "roleU3" };
- for (int i = 0; i < groups.length; i++) {
- for (int j = 0; j < users[i].length; j++) {
- addGroupsToUser(users[i][j], groups[i]);
- sentryStore.createSentryRole(rolesForUser[i * 2 + j]);
- sentryStore.alterSentryRoleAddUsers(rolesForUser[i * 2 + j], Sets.newHashSet(users[i][j]));
- }
- sentryStore.createSentryRole(rolesForGroup[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, rolesForGroup[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant all on database db1 to roleG0, roleU0 without grant option
- String server = "server1";
- String db = "db1";
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("DATABASE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setAction(AccessConstants.ALL);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.FALSE);
- // user0_0 has the privilege without grant option
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, "roleG0", privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, "roleU0", privilege1, null);
- try {
- sentryStore.alterSentryGrantPrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege1, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRevokePrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege1, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 3. g1 grant all on database db1 to roleG0 with grant option
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("DATABASE");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setAction(AccessConstants.ALL);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.TRUE);
- // user0_0, user0_1 can grant the same privilege to other roles
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, "roleG0", privilege2, null);
- sentryStore.alterSentryGrantPrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRevokePrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validateEmptyPrivilegeByRoleName("roleG1");
- sentryStore.alterSentryGrantPrivilege("user0_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRevokePrivilege("user0_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validateEmptyPrivilegeByRoleName("roleG1");
- // clear privilege for roleG0
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, "roleG0", privilege2, null);
-
- // 4. g1 grant all on database db1 to roleU0 with grant option
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, "roleU0", privilege2, null);
- sentryStore.alterSentryGrantPrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRevokePrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validateEmptyPrivilegeByRoleName("roleG1");
- try {
- sentryStore.alterSentryGrantPrivilege("user0_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRevokePrivilege("user0_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- // clear privilege for roleG0
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, "roleU0", privilege2, null);
-
- // 5. g1 grant all on database db1 to roleU2, roleG0 with grant option
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, "roleU2", privilege2, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, "roleG0", privilege2, null);
- sentryStore.alterSentryGrantPrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRevokePrivilege("user0_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validateEmptyPrivilegeByRoleName("roleG1");
- sentryStore.alterSentryGrantPrivilege("user0_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRevokePrivilege("user0_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validateEmptyPrivilegeByRoleName("roleG1");
-
- sentryStore.alterSentryGrantPrivilege("user1_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRevokePrivilege("user1_0", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- validateEmptyPrivilegeByRoleName("roleG1");
- try {
- sentryStore.alterSentryGrantPrivilege("user1_1", SentryPrincipalType.ROLE, "roleG1", privilege2, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRevokePrivilege("user1_1", SentryPrincipalType.ROLE,"roleG1", privilege2, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- // clear privilege for roleG0
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE,"roleG0", privilege2, null);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, "roleU2", privilege2, null);
- }
-
- private void validatePrivilegeByRoleName(String roleName, TSentryPrivilege exceptedTPrivelege)
- throws Exception {
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(exceptedTPrivelege.getServerName(), mPrivilege.getServerName());
- assertEquals(exceptedTPrivelege.getDbName(), mPrivilege.getDbName());
- assertEquals(AccessConstants.ALL, mPrivilege.getAction());
- }
-
- private void validateEmptyPrivilegeByRoleName(String roleName) throws Exception {
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 0, privileges.size());
- }
-
- @Test
- public void testGrantCheckWithGrantOption() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- // user1->group1->role1
- // user2->group2->role2
- // user3->group3->role3
- // user4->group4->role4
- String grantor = "g1";
- String[] users = {"user0","user1","user2","user3","user4"};
- String[] groups = { "group0", "group1", "group2", "group3", "group4" };
- String[] roles = {"role0","role1","role2","role3","role4"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant all on database db1 to role0 with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("DATABASE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setAction(AccessConstants.ALL);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- // 3. user0 grant select on database db1 to role1, with grant option
- roleName = roles[1];
- grantor = users[0];
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("DATABASE");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setAction(AccessConstants.SELECT);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege2, null);
-
- // 4. user0 grant all on table tb1 to role2, no grant option
- roleName = roles[2];
- grantor = users[0];
- TSentryPrivilege privilege3 = new TSentryPrivilege();
- privilege3.setPrivilegeScope("TABLE");
- privilege3.setServerName(server);
- privilege3.setDbName(db);
- privilege3.setTableName(table);
- privilege3.setAction(AccessConstants.ALL);
- privilege3.setCreateTime(System.currentTimeMillis());
- privilege3.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege3, null);
-
- // 5. user1 has role1, no insert privilege,
- // grant insert to role3, will throw no grant exception
- roleName = roles[3];
- grantor = users[1];
- TSentryPrivilege privilege4 = new TSentryPrivilege();
- privilege4.setPrivilegeScope("DATABASE");
- privilege4.setServerName(server);
- privilege4.setDbName(db);
- privilege4.setAction(AccessConstants.INSERT);
- privilege4.setCreateTime(System.currentTimeMillis());
- privilege4.setGrantOption(TSentryGrantOption.FALSE);
- try {
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege4, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 6. user2 has role2, no grant option,
- // grant insert to role4, will throw no grant exception
- roleName = roles[4];
- grantor = users[2];
- TSentryPrivilege privilege5 = new TSentryPrivilege();
- privilege5.setPrivilegeScope("TABLE");
- privilege5.setServerName(server);
- privilege5.setDbName(db);
- privilege5.setTableName(table);
- privilege5.setAction(AccessConstants.INSERT);
- privilege5.setCreateTime(System.currentTimeMillis());
- privilege5.setGrantOption(TSentryGrantOption.FALSE);
- try {
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege5, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- }
-
- @Test
- public void testRevokeCheckWithGrantOption() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- // user1->group1->role1
- // user2->group2->role2
- String grantor = "g1";
- String[] users = {"user0","user1","user2"};
- String[] roles = {"role0","role1","role2"};
- String[] groups = {"group0","group1","group2"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- sentryStore.alterSentryRoleAddUsers(roles[i], Sets.newHashSet(users[i]));
- }
- writePolicyFile();
-
- // 2. g1 grant select on database db1 to role0, with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("DATABASE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setAction(AccessConstants.SELECT);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- // 3. g1 grant all on table tb1 to role1, no grant option
- roleName = roles[1];
- grantor = "g1";
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("TABLE");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setTableName(table);
- privilege2.setAction(AccessConstants.ALL);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege2, null);
-
- // 4. g1 grant select on table tb1 to role2, no grant option
- roleName = roles[2];
- grantor = "g1";
- TSentryPrivilege privilege3 = new TSentryPrivilege();
- privilege3.setPrivilegeScope("TABLE");
- privilege3.setServerName(server);
- privilege3.setDbName(db);
- privilege3.setTableName(table);
- privilege3.setAction(AccessConstants.SELECT);
- privilege3.setCreateTime(System.currentTimeMillis());
- privilege3.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege3, null);
-
- // 5. user1 has role1, no grant option,
- // revoke from role2 will throw no grant exception
- roleName = roles[2];
- grantor = users[1];
- try {
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege3, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 6. user0 has role0, only have select,
- // revoke all from role1 will throw no grant exception
- roleName = roles[1];
- grantor = users[0];
- try {
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege2, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 7. user0 has role0, has select and grant option,
- // revoke select from role2
- roleName = roles[2];
- grantor = users[0];
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege3, null);
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(0, privileges.size());
- }
-
- @Test
public void testRevokeAllGrantOption() throws Exception {
// 1. set local group mapping
// user0->group0->role0
@@ -1724,7 +1358,6 @@ public class TestSentryStore extends org.junit.Assert {
String db = "db1";
String table = "tbl1";
String roleName = roles[0];
- grantor = "g1";
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
@@ -1733,100 +1366,25 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
privilege.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// 3. g1 grant select on table tb1 to role0, no grant option
roleName = roles[0];
- grantor = "g1";
privilege.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// 4. g1 revoke all privilege from role0
roleName = roles[0];
- grantor = "g1";
privilege.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 0, privileges.size());
}
@Test
- public void testGrantCheckWithColumn() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- // user1->group1->role1
- String grantor = "g1";
- String[] users = {"user0","user1"};
- String[] roles = {"role0","role1"};
- String[] groups = {"group0","group1"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant select on table tb1 to role0, with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("TABLE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setTableName(table);
- privilege1.setAction(AccessConstants.SELECT);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- // 3. user0 grant select on column tb1.c1 to role1, with grant option
- roleName = roles[1];
- grantor = users[0];
- String column = "c1";
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("COLUMN");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setTableName(table);
- privilege2.setColumnName(column);
- privilege2.setAction(AccessConstants.SELECT);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege2, null);
-
- // 4. user1 revoke table level privilege from user0, will throw grant denied exception
- roleName = roles[0];
- grantor = users[1];
- try {
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 5. user0 revoke column level privilege from user1
- roleName = roles[1];
- grantor = users[0];
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege2, null);
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(0, privileges.size());
- }
-
- @Test
public void testGrantDuplicatePrivilege() throws Exception {
String roleName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -1838,12 +1396,12 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
privilege.setServerName("Server1");
privilege.setDbName("DB1");
privilege.setTableName("TBL1");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
@@ -1866,13 +1424,13 @@ public class TestSentryStore extends org.junit.Assert {
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege1, null);
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("SERVER");
privilege2.setServerName("server1");
privilege2.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege2, null);
Set<TSentryGroup> groups = Sets.newHashSet();
Set<String> users = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
@@ -2024,7 +1582,6 @@ public class TestSentryStore extends org.junit.Assert {
public void testDropDbObject() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3";
String userName1 = "user-1", userName2 = "user-2";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
sentryStore.createSentryRole(roleName3);
@@ -2064,17 +1621,17 @@ public class TestSentryStore extends org.junit.Assert {
TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2);
privilege3_2.setAction("INSERT");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege2_1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege_server, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege2_3, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege2_1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege_server, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege2_3, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName3, privilege3_1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName3, privilege3_2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName3, privilege3_1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName3, privilege3_2, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName1, privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName2, privilege2_3, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName2, privilege2_3, null);
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
@@ -2117,7 +1674,6 @@ public class TestSentryStore extends org.junit.Assert {
public void testUpdateOwnerPrivilege() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3";
String userName1 = "user1", userName2 = "user2";
- String grantor = "g1";
List<SentryOwnerInfo> ownerInfoList = null;
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
@@ -2139,7 +1695,7 @@ public class TestSentryStore extends org.junit.Assert {
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
@@ -2169,7 +1725,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl2.setTableName("tbl2");
// Change owner from a one user to another user
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER,userName1, privilege_tbl2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER,userName1, privilege_tbl2, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
.size());
@@ -2192,7 +1748,7 @@ public class TestSentryStore extends org.junit.Assert {
//Add all privilege to roleName1 and make sure that owner privilege is not effected.
TSentryPrivilege privilege_tbl2_all = new TSentryPrivilege(privilege_tbl2);
privilege_tbl2_all.setAction(AccessConstants.ALL);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl2_all, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl2_all, null);
// Verify that there are two privileges.
assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
@@ -2202,12 +1758,12 @@ public class TestSentryStore extends org.junit.Assert {
TSentryPrivilege privilege_tbl3_all = new TSentryPrivilege(privilege_tbl2);
privilege_tbl3_all.setAction(AccessConstants.ALL);
privilege_tbl3_all.setTableName("tbl3");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName3, privilege_tbl3_all, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName3, privilege_tbl3_all, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
.size());
TSentryPrivilege privilege_tbl3_owner = new TSentryPrivilege(privilege_tbl3_all);
privilege_tbl3_owner.setAction(AccessConstants.OWNER);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName3, privilege_tbl3_owner, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName3, privilege_tbl3_owner, null);
assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
.size());
@@ -2217,7 +1773,6 @@ public class TestSentryStore extends org.junit.Assert {
public void testListSentryOwnerPrivilegesByAuthorizable() throws Exception {
String roleName1 = "list-privs-r1";
String userName1 = "user1";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryUser(userName1);
@@ -2235,7 +1790,7 @@ public class TestSentryStore extends org.junit.Assert {
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
sentryStore.updateOwnerPrivilege(tSentryAuthorizable, userName1, SentryPrincipalType.USER, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
@@ -2247,7 +1802,6 @@ public class TestSentryStore extends org.junit.Assert {
String roleName1 = "list-privs-r1";
String userName1 = "user1";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryUser(userName1);
@@ -2265,7 +1819,7 @@ public class TestSentryStore extends org.junit.Assert {
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
sentryStore.revokeOwnerPrivileges(tSentryAuthorizable, null);
assertEquals(0, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
@@ -2275,7 +1829,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testDropUserOnUpdateOwnerPrivilege() throws Exception {
String userName1 = "user1", userName2 = "user2";
- String grantor = "g1";
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
@@ -2295,7 +1848,7 @@ public class TestSentryStore extends org.junit.Assert {
// Change owner from a one user to another user
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName1, privilege_tbl1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName1, privilege_tbl1, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
.size());
@@ -2325,7 +1878,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testDropTableWithMultiAction() throws Exception {
String roleName1 = "role1";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
@@ -2351,10 +1903,10 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl1);
privilege_tbl1_drop.setAction(AccessConstants.DROP);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_select, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_alter, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_drop, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_select, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_alter, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_drop, null);
assertEquals(4, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
@@ -2366,7 +1918,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testDropTableWithColumn() throws Exception {
String roleName1 = "role1", roleName2 = "role2";
- String grantor = "g1";
String table1 = "tbl1";
sentryStore.createSentryRole(roleName1);
@@ -2395,9 +1946,9 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl1_c3.setColumnName("c3");
privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c2, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege_tbl1_c3, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege_tbl1_c3, null);
Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(2, privilegeSet.size());
@@ -2416,7 +1967,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testDropOverlappedPrivileges() throws Exception {
String roleName1 = "list-privs-r1";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
@@ -2433,8 +1983,8 @@ public class TestSentryStore extends org.junit.Assert {
TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_all.setAction("*");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_all, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_all, null);
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
@@ -2460,7 +2010,6 @@ public class TestSentryStore extends org.junit.Assert {
public void testRenameTable() throws Exception {
String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
String userName1 = "user-1", userName2 = "user-2", userName3 = "user-3";
- String grantor = "g1";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
@@ -2488,12 +2037,12 @@ public class TestSentryStore extends org.junit.Assert {
TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_all.setAction(AccessConstants.ALL);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege_tbl1_select, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName3, privilege_tbl1_all, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName1, privilege_tbl1_insert, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName2, privilege_tbl1_select, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName3, privilege_tbl1_all, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege_tbl1_select, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName3, privilege_tbl1_all, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName1, privilege_tbl1_insert, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName2, privilege_tbl1_select, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName3, privilege_tbl1_all, null);
TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
@@ -2532,7 +2081,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testRenameTableWithMultiAction() throws Exception {
String roleName1 = "role1";
- String grantor = "g1";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
@@ -2559,10 +2107,10 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl1);
privilege_tbl1_drop.setAction(AccessConstants.DROP);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_select, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_alter, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_drop, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_insert, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_select, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_alter, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_drop, null);
TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
@@ -2600,18 +2148,16 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName("tb1");
privilege.setCreateTime(System.currentTimeMillis());
- String grantor = "g1";
-
assertEquals(Long.valueOf(0), sentryStore.getPrivilegeCountGauge().getValue());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, role1, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, role1, privilege, null);
assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, role2, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, role2, privilege, null);
assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
privilege.setTableName("tb2");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, role2, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, role2, privilege, null);
assertEquals(Long.valueOf(2), sentryStore.getPrivilegeCountGauge().getValue());
}
@@ -2667,7 +2213,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testRenameTableWithColumn() throws Exception {
String roleName1 = "role1", roleName2 = "role2";
- String grantor = "g1";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
@@ -2696,9 +2241,9 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl1_c3.setColumnName("c3");
privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c2, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege_tbl1_c3, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1_c2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege_tbl1_c3, null);
Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(2, privilegeSet.size());
@@ -2729,7 +2274,7 @@ public class TestSentryStore extends org.junit.Assert {
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL");
tSentryPrivilege.setDbName(dbName);
tSentryPrivilege.setTableName(table);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setDb(dbName);
@@ -2769,7 +2314,7 @@ public class TestSentryStore extends org.junit.Assert {
tSentryPrivilege.setDbName(dbName);
tSentryPrivilege.setTableName(table);
tSentryPrivilege.setColumnName(column);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, tSentryPrivilege, null);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setDb(dbName);
@@ -2837,8 +2382,8 @@ public class TestSentryStore extends org.junit.Assert {
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege1, null);
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("SERVER");
@@ -2846,7 +2391,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege1.setDbName("db2");
privilege1.setAction("ALL");
privilege2.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege2, null);
// Grant roles to the groups
Set<TSentryGroup> groups = Sets.newHashSet();
@@ -2864,8 +2409,8 @@ public class TestSentryStore extends org.junit.Assert {
privilege3.setTableName("tbl1");
privilege3.setAction("OWNER");
privilege3.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege3, null);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName2, privilege3, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege3, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName2, privilege3, null);
PermissionsImage permImage = sentryStore.retrieveFullPermssionsImage();
Map<String, Map<TPrivilegePrincipal, String>> privs = permImage.getPrivilegeImage();
@@ -3499,7 +3044,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPrivilegesWithPermUpdate() throws Exception {
String roleName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -3522,7 +3066,7 @@ public class TestSentryStore extends org.junit.Assert {
// Grant the privilege to role test-privilege and verify it has been persisted.
Map<TSentryPrivilege, Updateable.Update> addPrivilegesUpdateMap = Maps.newHashMap();
addPrivilegesUpdateMap.put(privilege, addUpdate);
- sentryStore.alterSentryRoleGrantPrivileges(grantor, roleName, Sets.newHashSet(privilege), addPrivilegesUpdateMap);
+ sentryStore.alterSentryRoleGrantPrivileges(roleName, Sets.newHashSet(privilege), addPrivilegesUpdateMap);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
@@ -3542,7 +3086,7 @@ public class TestSentryStore extends org.junit.Assert {
// Revoke the same privilege and verify it has been removed.
Map<TSentryPrivilege, Updateable.Update> delPrivilegesUpdateMap = Maps.newHashMap();
delPrivilegesUpdateMap.put(privilege, delUpdate);
- sentryStore.alterSentryRoleRevokePrivileges(grantor, roleName,
+ sentryStore.alterSentryRoleRevokePrivileges(roleName,
Sets.newHashSet(privilege), delPrivilegesUpdateMap);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -3635,7 +3179,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testDropObjWithPermUpdate() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
@@ -3648,7 +3191,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("SELECT");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
// Generate the permission drop update for dropping privilege for "db1.tbl1"
PermissionsUpdate dropUpdate = new PermissionsUpdate(0, false);
@@ -3670,7 +3213,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testRenameObjWithPermUpdate() throws Exception {
String roleName1 = "role1";
- String grantor = "g1";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
@@ -3683,7 +3225,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction(AccessConstants.ALL);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName1, privilege_tbl1, null);
// Generate the permission rename update for renaming privilege for "db1.tbl1"
String oldAuthz = "db1.tbl1";
@@ -3722,7 +3264,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testPurgeDeltaChanges() throws Exception {
String role = "purgeRole";
- String grantor = "g1";
String table = "purgeTable";
assertEquals(0, sentryStore.getMSentryPermChanges().size());
@@ -3744,7 +3285,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setCreateTime(System.currentTimeMillis());
PermissionsUpdate update = new PermissionsUpdate(i + 1, false);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, role, privilege, update);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, role, privilege, update);
}
assertEquals(numPermChanges, sentryStore.getMSentryPermChanges().size());
@@ -4196,7 +3737,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokePrivilegeForUser() throws Exception {
String userName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -4208,12 +3748,12 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName, privilege, null);
MSentryUser user = sentryStore.getMSentryUserByName(userName);
Set<MSentryPrivilege> privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.USER, userName, privilege, null);
// after having ALL and revoking SELECT, we should have (INSERT)
user = sentryStore.getMSentryUserByName(userName);
privileges = user.getPrivileges();
@@ -4230,7 +3770,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setAction(AccessConstants.INSERT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.USER, userName, privilege, null);
user = sentryStore.getMSentryUserByName(userName, false);
assertNull(user);
}
@@ -4243,7 +3783,6 @@ public class TestSentryStore extends org.junit.Assert {
public void testGrantDuplicatePrivilegeHierchy() throws Exception {
// grant database all privilege
String roleName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -4254,7 +3793,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setDbName(db);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
@@ -4264,7 +3803,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setServerName(server.toUpperCase());
privilege.setDbName(db.toUpperCase());
privilege.setTableName(table.toUpperCase());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// check if the table privilege is created
role = sentryStore.getMSentryRoleByName(roleName);
@@ -4287,13 +3826,13 @@ public class TestSentryStore extends org.junit.Assert {
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege1, null);
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("SERVER");
privilege2.setServerName("server1");
privilege2.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege2, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName, privilege2, null);
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
@@ -4319,7 +3858,6 @@ public class TestSentryStore extends org.junit.Assert {
public void testListSentryPrivilegesForProviderForUser() throws Exception {
String userName1 = "list-privs-user1";
String userName2 = "list-privs-user2";
- String grantor = "g1";
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
@@ -4330,10 +3868,10 @@ public class TestSentryStore extends org.junit.Assert {
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName1, privilege1, null);
privilege1.setAction("ALL");
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName2, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName2, privilege1, null);
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
@@ -4345,7 +3883,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testListSentryPrivilegesByAuthorizableForUser() throws Exception {
String userName1 = "list-privs-user1";
- String grantor = "g1";
sentryStore.createSentryUser(userName1);
TSentryPrivilege privilege1 = new TSentryPrivilege();
@@ -4355,7 +3892,7 @@ public class TestSentryStore extends org.junit.Assert {
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName1, privilege1, null);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
@@ -4372,7 +3909,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokePrivilegeMultipleTimesForRole() throws Exception {
String roleName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -4384,14 +3920,14 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// after having ALL and revoking SELECT, we should have (INSERT)
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
@@ -4399,7 +3935,7 @@ public class TestSentryStore extends org.junit.Assert {
// second round
privilege.setAction(AccessConstants.ALL);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
List<MSentryPrivilege> totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
@@ -4408,7 +3944,7 @@ public class TestSentryStore extends org.junit.Assert {
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.INSERT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
// after having ALL and revoking INSERT, we should have (SELECT)
totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
@@ -4422,7 +3958,6 @@ public class TestSentryStore extends org.junit.Assert {
@Test
public void testGrantRevokePrivilegeMultipleTimesForUser() throws Exception {
String userName = "test-privilege";
- String grantor = "g1";
String server = "server1";
String db = "db1";
String table = "tbl1";
@@ -4434,14 +3969,14 @@ public class TestSentryStore extends org.junit.Assert {
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName, privilege, null);
MSentryUser user = sentryStore.getMSentryUserByName(userName);
Set<MSentryPrivilege> privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.USER, userName, privilege, null);
// after having ALL and revoking SELECT, we should have (INSERT)
user = sentryStore.getMSentryUserByName(userName);
privileges = user.getPrivileges();
@@ -4449,7 +3984,7 @@ public class TestSentryStore extends org.junit.Assert {
// second round
privilege.setAction(AccessConstants.ALL);
- sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryGrantPrivilege(SentryPrincipalType.USER, userName, privilege, null);
List<MSentryPrivilege> totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
@@ -4458,7 +3993,7 @@ public class TestSentryStore extends org.junit.Assert {
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.INSERT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.USER, userName, privilege, null);
// after having ALL and revoking INSERT, we should have (SELECT)
totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
@@ -4468,7 +4003,7 @@ public class TestSentryStore extends org.junit.Assert {
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
- sentryStore.alterSentryRevokePrivilege(grantor, SentryPrincipalType.USER, userName, privilege, null);
+ sentryStore.alterSentryRevokePrivilege(SentryPrincipalType.USER, userName, privilege, null);
// after having ALL and revoking INSERT and SELECT, we should have NO privileges
// user should be removed automatically
user = sentryStore.getMSentryUserByName(userName, false);
@@ -4484,8 +4019,6 @@ public class TestSentryStore extends org.junit.Assert {
assertNotNull(allPrivileges);
assertTrue(allPrivileges.isEmpty());
- final String GRANTOR = "g1";
-
final String ROLE1 = "role1";
<TRUNCATED>
[2/2] sentry git commit: SENTRY-2372: SentryStore should not
implement grantOptionCheck (Sergio Pena, reviewed by Na Li)
Posted by sp...@apache.org.
SENTRY-2372: SentryStore should not implement grantOptionCheck (Sergio Pena, reviewed by Na Li)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/8e050570
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/8e050570
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/8e050570
Branch: refs/heads/master
Commit: 8e0505703eaf7c75c268593f5f31a3e66bb04a56
Parents: 6734686
Author: Sergio Pena <se...@cloudera.com>
Authored: Sat Oct 27 10:00:59 2018 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Sat Oct 27 10:00:59 2018 -0500
----------------------------------------------------------------------
.../sentry/core/common/utils/SentryUtils.java | 12 +
.../org/apache/sentry/hdfs/SentryPlugin.java | 6 +-
.../thrift/SentryPolicyStoreProcessor.java | 77 +-
.../service/thrift/SentryPolicyStoreUtils.java | 93 +++
.../db/service/model/MSentryPrivilege.java | 3 +-
.../db/service/persistent/SentryStore.java | 288 +------
.../persistent/SentryStoreInterface.java | 18 +-
.../SentryPolicyStoreProcessorTestUtils.java | 238 ++++++
.../thrift/TestSentryPolicyStoreProcessor.java | 159 ++++
.../TestHMSFollowerSentryStoreIntegration.java | 18 +-
.../db/service/persistent/TestSentryStore.java | 741 ++++---------------
11 files changed, 763 insertions(+), 890 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryUtils.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryUtils.java
index b225af0..f3394b8 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryUtils.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryUtils.java
@@ -18,6 +18,9 @@
package org.apache.sentry.core.common.utils;
+import static org.apache.sentry.core.common.utils.SentryConstants.NULL_COL;
+
+import com.google.common.base.Strings;
import java.util.ArrayList;
import java.util.List;
@@ -74,4 +77,13 @@ public final class SentryUtils {
return collapsedStrings.toString();
}
+
+ /**
+ * Function to check if a string is null, empty or @NULL_COLL specifier
+ * @param s string input, and can be null.
+ * @return True if the input string represents a NULL string - when it is null, empty or equals @NULL_COL
+ */
+ public static boolean isNULL(String s) {
+ return Strings.isNullOrEmpty(s) || s.equals(NULL_COL);
+ }
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java
index b8f5ce7..0f3c162 100644
--- a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java
+++ b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.api.common.ApiConstants.PrivilegeScope;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.utils.PubSub;
+import org.apache.sentry.core.common.utils.SentryUtils;
import org.apache.sentry.core.common.utils.SigUtils;
import org.apache.sentry.hdfs.ServiceConstants.ServerConfig;
import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
@@ -34,7 +35,6 @@ import org.apache.sentry.hdfs.service.thrift.TPrivilegePrincipal;
import org.apache.sentry.hdfs.service.thrift.TPrivilegePrincipalType;
import org.apache.sentry.hdfs.service.thrift.TRoleChanges;
import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.persistent.SentryStoreInterface;
import org.apache.sentry.api.common.SentryServiceUtil;
import org.apache.sentry.api.service.thrift.TAlterSentryRoleAddGroupsRequest;
@@ -489,10 +489,10 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen
private String getAuthzObj(TSentryPrivilege privilege) {
String authzObj = null;
- if (!SentryStore.isNULL(privilege.getDbName())) {
+ if (!SentryUtils.isNULL(privilege.getDbName())) {
String dbName = privilege.getDbName();
String tblName = privilege.getTableName();
- if (SentryStore.isNULL(tblName)) {
+ if (SentryUtils.isNULL(tblName)) {
authzObj = dbName;
} else {
authzObj = dbName + "." + tblName;
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index 709434c..b9e3bf2 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -37,6 +37,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.messaging.EventMessage.EventType;
import org.apache.sentry.SentryOwnerInfo;
import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
import org.apache.sentry.core.common.utils.SentryConstants;
@@ -245,6 +246,60 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
return response;
}
+ /**
+ * Throws an exception if one of the set of privileges passed as a parameter cannot be granted by
+ * the grantor user.
+ *
+ * <p/> The check is done by looking at the grant option flag each user or user/group role have
+ * stored on the DB, and compare it with set of privileges that the user is attempting to grant.
+ * If one of the privileges has the grant option disabled, then this method throws an exception
+ * to let the caller know it cannot continue with the grant of the privilege.
+ *
+ * @param grantorUser The user who is attempting to grant the set or privileges.
+ * @param checkPrivileges The set of privileges to check.
+ * @throws Exception If the user does not have grant privileges.
+ */
+ private void checkGrantOptionPrivileges(String grantorUser, Set<TSentryPrivilege> checkPrivileges)
+ throws Exception {
+ Preconditions.checkNotNull(checkPrivileges, "Privileges to check for grant option must not be null.");
+
+ Set<String> groups = getGroupsFromUserName(conf, grantorUser);
+ if (groups != null && inAdminGroups(groups)) {
+ // grantorUser is part of one of the admin groups, so we permit the grant action
+ return;
+ }
+
+ // Get all the privileges a user has (either directly granted to the user or through a role
+ // which the user belongs too)
+ Set<TSentryPrivilege> userPrivileges = sentryStore.listSentryPrivilegesByUsersAndGroups(
+ groups, Collections.singleton(grantorUser), new TSentryActiveRoleSet(true, null), null
+ );
+
+ if (userPrivileges == null || userPrivileges.isEmpty()) {
+ throw new SentryGrantDeniedException(
+ String.format("User %s does not have privileges to grant.", grantorUser));
+ }
+
+ // Check if each privilege grant will be permitted. Throws an exception in the first privilege
+ // that is not permitted.
+ for (TSentryPrivilege checkPrivilege : checkPrivileges) {
+ boolean hasGrant = false;
+ for (TSentryPrivilege p : userPrivileges) {
+ if (p.getGrantOption() == TSentryGrantOption.TRUE
+ && SentryPolicyStoreUtils.privilegeImplies(p, checkPrivilege)) {
+ hasGrant = true;
+ break;
+ }
+ }
+
+ if (!hasGrant) {
+ throw new SentryGrantDeniedException(
+ String.format("User %s does not have privileges to grant %s.", grantorUser,
+ checkPrivilege.getAction().toUpperCase()));
+ }
+ }
+ }
+
@Override
public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege
(TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
@@ -264,6 +319,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
// Throw an exception if one of the grants is not permitted.
SentryServiceUtil.checkDbExplicitGrantsPermitted(conf, request.getPrivileges());
+ // Throw an exception if the user has not rights to grant one of the grants requested
+ checkGrantOptionPrivileges(request.getRequestorUserName(), request.getPrivileges());
+
// TODO: now only has SentryPlugin. Once add more SentryPolicyStorePlugins,
// TODO: need to differentiate the updates for different Plugins.
Preconditions.checkState(sentryPlugins.size() <= 1);
@@ -273,11 +331,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
}
if (!privilegesUpdateMap.isEmpty()) {
- sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivileges(), privilegesUpdateMap);
+ sentryStore.alterSentryRoleGrantPrivileges(request.getRoleName(),
+ request.getPrivileges(), privilegesUpdateMap);
} else {
- sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivileges());
+ sentryStore.alterSentryRoleGrantPrivileges(request.getRoleName(),
+ request.getPrivileges());
}
GrantPrivilegeRequestValidator.validate(request);
response.setStatus(Status.OK());
@@ -332,6 +390,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
}
+ // Throw an exception if the user has not rights to revoke one of the revokes requested
+ checkGrantOptionPrivileges(request.getRequestorUserName(), request.getPrivileges());
+
// TODO: now only has SentryPlugin. Once add more SentryPolicyStorePlugins,
// TODO: need to differentiate the updates for different Plugins.
Preconditions.checkState(sentryPlugins.size() <= 1);
@@ -341,11 +402,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
}
if (!privilegesUpdateMap.isEmpty()) {
- sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivileges(), privilegesUpdateMap);
+ sentryStore.alterSentryRoleRevokePrivileges(request.getRoleName(),
+ request.getPrivileges(), privilegesUpdateMap);
} else {
- sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivileges());
+ sentryStore.alterSentryRoleRevokePrivileges(request.getRoleName(),
+ request.getPrivileges());
}
RevokePrivilegeRequestValidator.validate(request);
response.setStatus(Status.OK());
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreUtils.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreUtils.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreUtils.java
new file mode 100644
index 0000000..8d8b407
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreUtils.java
@@ -0,0 +1,93 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import static org.apache.sentry.core.common.utils.SentryUtils.isNULL;
+
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+
+/**
+ * Utilities for Sentry policy store functions.
+ */
+public class SentryPolicyStoreUtils {
+ // Private to avoid instantiate this class
+ private SentryPolicyStoreUtils() {
+ }
+
+ /**
+ * Return true if this privilege implies other privilege (copied from MSentryPrivilege.implies).
+ * Otherwise, return false
+ *
+ * @param privilege, privilege to compare against the other privilege
+ * @param other, the other privilege
+ * @return True if both privilege are the same; False otherwise.
+ */
+ static boolean privilegeImplies(TSentryPrivilege privilege, TSentryPrivilege other) {
+ // serverName never be null
+ if (isNULL(privilege.getServerName()) || isNULL(other.getServerName())) {
+ return false;
+ } else if (!privilege.getServerName().equals(other.getServerName())) {
+ return false;
+ }
+
+ // check URI implies
+ if (!isNULL(privilege.getURI()) && !isNULL(other.getURI())) {
+ if (!PathUtils.impliesURI(privilege.getURI(), other.getURI())) {
+ return false;
+ }
+ // if URI is NULL, check dbName and tableName
+ } else if (isNULL(privilege.getURI()) && isNULL(other.getURI())) {
+ if (!isNULL(privilege.getDbName())) {
+ if (isNULL(other.getDbName())) {
+ return false;
+ } else if (!privilege.getDbName().equals(other.getDbName())) {
+ return false;
+ }
+ }
+ if (!isNULL(privilege.getTableName())) {
+ if (isNULL(other.getTableName())) {
+ return false;
+ } else if (!privilege.getTableName().equals(other.getTableName())) {
+ return false;
+ }
+ }
+ if (!isNULL(privilege.getColumnName())) {
+ if (isNULL(other.getColumnName())) {
+ return false;
+ } else if (!privilege.getColumnName().equals(other.getColumnName())) {
+ return false;
+ }
+ }
+ // if URI is not NULL, but other's URI is NULL, return false
+ } else if (!isNULL(privilege.getURI()) && isNULL(other.getURI())){
+ return false;
+ }
+
+ // check action implies
+ String action = privilege.getAction();
+ if (!action.equalsIgnoreCase(AccessConstants.ALL)
+ && !action.equalsIgnoreCase(AccessConstants.OWNER)
+ && !action.equalsIgnoreCase(other.getAction())
+ && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+ return false;
+ }
+
+ return true;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
index eba40d2..009b326 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -24,6 +24,7 @@ import java.util.Set;
import javax.jdo.annotations.PersistenceCapable;
import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.common.utils.SentryUtils;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.persistent.PrivilegePrincipal;
@@ -351,7 +352,7 @@ public class MSentryPrivilege {
}
private boolean isNULL(String s) {
- return SentryStore.isNULL(s);
+ return SentryUtils.isNULL(s);
}
public boolean isActionALL() {
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 869605e..01b3634 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -54,11 +54,9 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.SentryOwnerInfo;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.db.AccessConstants;
@@ -83,7 +81,6 @@ import org.apache.sentry.provider.db.service.model.MSentryUtil;
import org.apache.sentry.provider.db.service.model.MPath;
import org.apache.sentry.hdfs.service.thrift.TPrivilegePrincipal;
import org.apache.sentry.api.common.ApiConstants.PrivilegeScope;
-import org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor;
import org.apache.sentry.api.service.thrift.TSentryActiveRoleSet;
import org.apache.sentry.api.service.thrift.TSentryAuthorizable;
import org.apache.sentry.api.service.thrift.TSentryGrantOption;
@@ -114,6 +111,7 @@ import static org.apache.sentry.core.common.utils.SentryConstants.NULL_COL;
import static org.apache.sentry.core.common.utils.SentryConstants.SERVER_NAME;
import static org.apache.sentry.core.common.utils.SentryConstants.TABLE_NAME;
import static org.apache.sentry.core.common.utils.SentryConstants.URI;
+import static org.apache.sentry.core.common.utils.SentryUtils.isNULL;
import static org.apache.sentry.hdfs.Updateable.Update;
/**
@@ -725,47 +723,25 @@ public class SentryStore implements SentryStoreInterface {
}
}
- /**
- * Alter a given sentry role to grant a set of privileges.
- * Internally calls alterSentryGrantPrivilege.
- *
- * @param grantorPrincipal User name
- * @param roleName Role name
- * @param privileges Set of privileges
- * @throws Exception
- */
- public void alterSentryRoleGrantPrivileges(final String grantorPrincipal,
- final String roleName, final Set<TSentryPrivilege> privileges) throws Exception {
+ @Override
+ public void alterSentryRoleGrantPrivileges(final String roleName,
+ final Set<TSentryPrivilege> privileges) throws Exception {
for (TSentryPrivilege privilege : privileges) {
- alterSentryGrantPrivilege(grantorPrincipal, SentryPrincipalType.ROLE, roleName, privilege, null);
+ alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, null);
}
}
- /**
- * Alter a given sentry role/user to grant a privilege, as well as persist the corresponding
- * permission change to MSentryPermChange table in a single transaction.
- *
- * @param grantorPrincipal User name
- * @param type Type of principal to which privilege is granted.
- * @param name the name of the principal to which privilege is granted.
- * @param privilege the given privilege
- * @param update the corresponding permission delta update if any.
- * @throws Exception
- *
- */
- synchronized void alterSentryGrantPrivilege(final String grantorPrincipal, SentryPrincipalType type,
- final String name, final TSentryPrivilege privilege,
- final Update update) throws Exception {
+ synchronized void alterSentryGrantPrivilege(SentryPrincipalType type, final String name,
+ final TSentryPrivilege privilege,
+ final Update update) throws Exception {
execute(update, pm -> {
pm.setDetachAllOnCommit(false); // No need to detach objects
-
- // first do grant check
- grantOptionCheck(pm, grantorPrincipal, privilege);
+ String trimmedEntityName = trimAndLower(name);
// Alter sentry Role and grant Privilege.
MSentryPrivilege mPrivilege = alterSentryGrantPrivilegeCore(pm, type,
- name, privilege);
+ trimmedEntityName, privilege);
if (mPrivilege != null) {
// update the privilege to be the one actually updated.
@@ -775,27 +751,15 @@ public class SentryStore implements SentryStoreInterface {
});
}
- /**
- * Alter a given sentry role to grant a set of privileges, as well as persist the
- * corresponding permission change to MSentryPermChange table in a single transaction.
- * Internally calls alterSentryGrantPrivilege.
- *
- * @param grantorPrincipal User name
- * @param roleName the given role name
- * @param privileges a Set of privileges
- * @param privilegesUpdateMap the corresponding <privilege, DeltaTransactionBlock> map
- * @throws Exception
- *
- */
- public void alterSentryRoleGrantPrivileges(final String grantorPrincipal,
- final String roleName, final Set<TSentryPrivilege> privileges,
- final Map<TSentryPrivilege, Update> privilegesUpdateMap) throws Exception {
+ @Override
+ public void alterSentryRoleGrantPrivileges(final String roleName,
+ final Set<TSentryPrivilege> privileges,
+ final Map<TSentryPrivilege, Update> privilegesUpdateMap) throws Exception {
Preconditions.checkNotNull(privilegesUpdateMap);
for (TSentryPrivilege privilege : privileges) {
Update update = privilegesUpdateMap.get(privilege);
- alterSentryGrantPrivilege(grantorPrincipal, SentryPrincipalType.ROLE, roleName, privilege,
- update);
+ alterSentryGrantPrivilege(SentryPrincipalType.ROLE, roleName, privilege, update);
}
}
@@ -923,13 +887,12 @@ public class SentryStore implements SentryStoreInterface {
* Alter a given sentry user to grant a set of privileges.
* Internally calls alterSentryGrantPrivilege.
*
- * @param grantorPrincipal User name
* @param userName User name
* @param privileges Set of privileges
* @throws Exception
*/
- public void alterSentryUserGrantPrivileges(final String grantorPrincipal,
- final String userName, final Set<TSentryPrivilege> privileges) throws Exception {
+ public void alterSentryUserGrantPrivileges(final String userName,
+ final Set<TSentryPrivilege> privileges) throws Exception {
try {
MSentryUser userEntry = getMSentryUserByName(userName, false);
@@ -941,7 +904,7 @@ public class SentryStore implements SentryStoreInterface {
}
for (TSentryPrivilege privilege : privileges) {
- alterSentryGrantPrivilege(grantorPrincipal, SentryPrincipalType.USER, userName, privilege, null);
+ alterSentryGrantPrivilege(SentryPrincipalType.USER, userName, privilege, null);
}
}
@@ -975,39 +938,6 @@ public class SentryStore implements SentryStoreInterface {
}
/**
- * Alter a given sentry user to grant a set of privileges, as well as persist the
- * corresponding permission change to MSentryPermChange table in a single transaction.
- * Internally calls alterSentryGrantPrivilege.
- *
- * @param grantorPrincipal User name
- * @param userName the given user name
- * @param privileges a Set of privileges
- * @param privilegesUpdateMap the corresponding <privilege, DeltaTransactionBlock> map
- * @throws Exception
- *
- */
- public void alterSentryUserGrantPrivileges(final String grantorPrincipal,
- final String userName, final Set<TSentryPrivilege> privileges,
- final Map<TSentryPrivilege, Update> privilegesUpdateMap) throws Exception {
-
- try {
- MSentryUser userEntry = getMSentryUserByName(userName, false);
- if (userEntry == null) {
- createSentryUser(userName);
- }
- } catch (SentryAlreadyExistsException e) {
- // the user may be created by other thread, so swallow the exception and proeed
- }
-
- Preconditions.checkNotNull(privilegesUpdateMap);
- for (TSentryPrivilege privilege : privileges) {
- Update update = privilegesUpdateMap.get(privilege);
- alterSentryGrantPrivilege(grantorPrincipal, SentryPrincipalType.USER, userName, privilege,
- update);
- }
- }
-
- /**
* Get the user entry by user name
* @param userName the name of the user
* @return the user entry
@@ -1048,109 +978,48 @@ public class SentryStore implements SentryStoreInterface {
* Alter a given sentry user to revoke a set of privileges.
* Internally calls alterSentryRevokePrivilege.
*
- * @param grantorPrincipal User name
- * @param userName the given user name
- * @param tPrivileges a Set of privileges
- * @throws Exception
- *
- */
- public void alterSentryUserRevokePrivileges(final String grantorPrincipal,
- final String userName, final Set<TSentryPrivilege> tPrivileges) throws Exception {
- for (TSentryPrivilege tPrivilege : tPrivileges) {
- alterSentryRevokePrivilege(grantorPrincipal, SentryPrincipalType.USER, userName, tPrivilege, null);
- }
- }
-
- /**
- * Alter a given sentry user to revoke a set of privileges, as well as persist the
- * corresponding permission change to MSentryPermChange table in a single transaction.
- * Internally calls alterSentryRevokePrivilege.
- *
- * @param grantorPrincipal User name
* @param userName the given user name
* @param tPrivileges a Set of privileges
- * @param privilegesUpdateMap the corresponding <privilege, Update> map
* @throws Exception
*
*/
- public void alterSentryUserRevokePrivileges(final String grantorPrincipal,
- final String userName, final Set<TSentryPrivilege> tPrivileges,
- final Map<TSentryPrivilege, Update> privilegesUpdateMap)
- throws Exception {
-
- Preconditions.checkNotNull(privilegesUpdateMap);
+ public void alterSentryUserRevokePrivileges(final String userName,
+ final Set<TSentryPrivilege> tPrivileges) throws Exception {
for (TSentryPrivilege tPrivilege : tPrivileges) {
- Update update = privilegesUpdateMap.get(tPrivilege);
- alterSentryRevokePrivilege(grantorPrincipal, SentryPrincipalType.USER, userName,
- tPrivilege, update);
+ alterSentryRevokePrivilege(SentryPrincipalType.USER, userName, tPrivilege, null);
}
}
- /**
- * Alter a given sentry role to revoke a set of privileges.
- * Internally calls alterSentryRevokePrivilege.
- *
- * @param grantorPrincipal User name
- * @param roleName the given role name
- * @param tPrivileges a Set of privileges
- * @throws Exception
- *
- */
- public void alterSentryRoleRevokePrivileges(final String grantorPrincipal,
- final String roleName, final Set<TSentryPrivilege> tPrivileges) throws Exception {
+ @Override
+ public void alterSentryRoleRevokePrivileges(final String roleName,
+ final Set<TSentryPrivilege> tPrivileges)
+ throws Exception {
for (TSentryPrivilege tPrivilege : tPrivileges) {
- alterSentryRevokePrivilege(grantorPrincipal, SentryPrincipalType.ROLE, roleName, tPrivilege, null);
+ alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, tPrivilege, null);
}
}
- /**
- * Alter a given sentry role to revoke a privilege, as well as persist the corresponding
- * permission change to MSentryPermChange table in a single transaction.
- *
- * @param grantorPrincipal User name
- * @param type Type of principal to which privilege is granted.
- * @param principalName the name of the principal from which privilege is revoked.
- * @param tPrivilege the given privilege
- * @param update the corresponding permission delta update transaction block
- * @throws Exception
- *
- */
- synchronized void alterSentryRevokePrivilege(final String grantorPrincipal, SentryPrincipalType type,
- final String principalName, final TSentryPrivilege tPrivilege,
- final Update update) throws Exception {
+ synchronized void alterSentryRevokePrivilege(SentryPrincipalType type, final String principalName,
+ final TSentryPrivilege tPrivilege,
+ final Update update) throws Exception {
execute(update, pm -> {
pm.setDetachAllOnCommit(false); // No need to detach objects
+ String trimmedEntityName = safeTrimLower(principalName);
- // first do revoke check
- grantOptionCheck(pm, grantorPrincipal, tPrivilege);
-
- alterSentryRevokePrivilegeCore(pm, type, principalName, tPrivilege);
+ alterSentryRevokePrivilegeCore(pm, type, trimmedEntityName, tPrivilege);
return null;
});
}
- /**
- * Alter a given sentry role to revoke a set of privileges, as well as persist the
- * corresponding permission change to MSentryPermChange table in a single transaction.
- * Internally calls alterSentryRevokePrivilege.
- *
- * @param grantorPrincipal User name
- * @param roleName the given role name
- * @param tPrivileges a Set of privileges
- * @param privilegesUpdateMap the corresponding <privilege, Update> map
- * @throws Exception
- *
- */
- public void alterSentryRoleRevokePrivileges(final String grantorPrincipal,
- final String roleName, final Set<TSentryPrivilege> tPrivileges,
- final Map<TSentryPrivilege, Update> privilegesUpdateMap)
- throws Exception {
+ @Override
+ public void alterSentryRoleRevokePrivileges(final String roleName, final Set<TSentryPrivilege> tPrivileges,
+ final Map<TSentryPrivilege, Update> privilegesUpdateMap)
+ throws Exception {
Preconditions.checkNotNull(privilegesUpdateMap);
for (TSentryPrivilege tPrivilege : tPrivileges) {
Update update = privilegesUpdateMap.get(tPrivilege);
- alterSentryRevokePrivilege(grantorPrincipal, SentryPrincipalType.ROLE, roleName,
- tPrivilege, update);
+ alterSentryRevokePrivilege(SentryPrincipalType.ROLE, roleName, tPrivilege, update);
}
}
@@ -2144,12 +2013,6 @@ public class SentryStore implements SentryStoreInterface {
return mSentryUser.getPrivileges();
}
- private Set<MSentryPrivilege> getMSentryPrivilegesByUserNameIfExists(String userName)
- throws Exception {
- MSentryUser mSentryUser = getMSentryUserByName(userName, false);
- return mSentryUser != null ? mSentryUser.getPrivileges() : Collections.emptySet();
- }
-
/**
* Gets sentry privilege objects for a given userName from the persistence layer
* @param userName : userName to look up
@@ -2478,6 +2341,7 @@ public class SentryStore implements SentryStoreInterface {
return result;
}
+ @Override
public Set<TSentryPrivilege> listSentryPrivilegesByUsersAndGroups(
Set<String> groups, Set<String> users, TSentryActiveRoleSet roleSet,
TSentryAuthorizable authHierarchy) throws Exception {
@@ -3147,84 +3011,6 @@ public class SentryStore implements SentryStoreInterface {
}
/**
- * Function to check if a string is null, empty or @NULL_COLL specifier
- * @param s string input, and can be null.
- * @return True if the input string represents a NULL string - when it is null, empty or equals @NULL_COL
- */
- public static boolean isNULL(String s) {
- return Strings.isNullOrEmpty(s) || s.equals(NULL_COL);
- }
-
- /**
- * Grant option check
- * @param pm Persistence manager instance
- * @param grantorPrincipal User name
- * @param privilege Privilege to check
- * @throws SentryUserException
- */
- private void grantOptionCheck(PersistenceManager pm, String grantorPrincipal,
- TSentryPrivilege privilege)
- throws Exception {
- MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege);
- if (grantorPrincipal == null) {
- throw new SentryInvalidInputException("grantorPrincipal should not be null");
- }
-
- Set<String> groups = SentryPolicyStoreProcessor.getGroupsFromUserName(conf, grantorPrincipal);
-
- // if grantor is in adminGroup, don't need to do check
- Set<String> admins = getAdminGroups();
- boolean isAdminGroup = false;
- if (groups != null && !admins.isEmpty()) {
- for (String g : groups) {
- if (admins.contains(g)) {
- isAdminGroup = true;
- break;
- }
- }
- }
-
- if (!isAdminGroup) {
- boolean hasGrant = false;
- Set<MSentryPrivilege> privilegeSet = new HashSet<>();
- Set<MSentryPrivilege> enityPrivilegeSet = null;
- // Collect the privileges granted to all roles to that user.
- Set<MSentryRole> roles = getRolesForGroups(pm, groups);
- roles.addAll(getRolesForUsers(pm, Sets.newHashSet(grantorPrincipal)));
- for (MSentryRole role : roles) {
- enityPrivilegeSet = role.getPrivileges();
- if(enityPrivilegeSet != null && !enityPrivilegeSet.isEmpty()) {
- privilegeSet.addAll(enityPrivilegeSet);
- }
- }
- // Collect the privileges granted to user
- enityPrivilegeSet = getMSentryPrivilegesByUserNameIfExists(grantorPrincipal.trim());
- if(enityPrivilegeSet != null && !enityPrivilegeSet.isEmpty()) {
- privilegeSet.addAll(enityPrivilegeSet);
-
- }
- // Compare the privileges that user has with the privilege he/she is trying to grant.
- for (MSentryPrivilege p : privilegeSet) {
- if (p.getGrantOption() && p.implies(mPrivilege)) {
- hasGrant = true;
- break;
- }
- }
-
- if (!hasGrant) {
- throw new SentryGrantDeniedException(grantorPrincipal
- + " has no grant!");
- }
- }
- }
-
- // get adminGroups from conf
- private Set<String> getAdminGroups() {
- return Sets.newHashSet(conf.getStrings(
- ServerConfig.ADMIN_GROUPS, new String[]{}));
- }
-
- /**
* Retrieves an up-to-date sentry permission snapshot.
* <p>
* It reads hiveObj to < role, privileges > mapping from {@link MSentryPrivilege}
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
index 6217719..97407ff 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
@@ -96,31 +96,28 @@ public interface SentryStoreInterface {
*/
void alterSentryRoleDeleteUsers(final String roleName,
final Set<String> userNames) throws Exception;
+
/**
* Alter a given sentry role to grant a set of privileges.
* Internally calls alterSentryRoleGrantPrivilege.
*
- * @param grantorPrincipal User name
* @param roleName Role name
* @param privileges Set of privileges
* @throws Exception
*/
- void alterSentryRoleGrantPrivileges(final String grantorPrincipal,
- final String roleName,
+ void alterSentryRoleGrantPrivileges(final String roleName,
final Set<TSentryPrivilege> privileges) throws Exception;
/**
* Alter a given sentry role to revoke a set of privileges.
* Internally calls alterSentryRoleRevokePrivilege.
*
- * @param grantorPrincipal User name
* @param roleName the given role name
* @param tPrivileges a Set of privileges
* @throws Exception
*
*/
- void alterSentryRoleRevokePrivileges(final String grantorPrincipal,
- final String roleName,
+ void alterSentryRoleRevokePrivileges(final String roleName,
final Set<TSentryPrivilege> tPrivileges)
throws Exception;
@@ -515,33 +512,30 @@ public interface SentryStoreInterface {
* corresponding permission change to MSentryPermChange table in a single transaction.
* Internally calls alterSentryRoleGrantPrivilege.
*
- * @param grantorPrincipal User name
* @param roleName the given role name
* @param privileges a Set of privileges
* @param privilegesUpdateMap the corresponding <privilege, DeltaTransactionBlock> map
* @throws Exception
*
*/
- void alterSentryRoleGrantPrivileges(final String grantorPrincipal,
- final String roleName,
+ void alterSentryRoleGrantPrivileges(final String roleName,
final Set<TSentryPrivilege> privileges,
final Map<TSentryPrivilege, Update> privilegesUpdateMap)
throws Exception;
+
/**
* Alter a given sentry role to revoke a set of privileges, as well as persist the
* corresponding permission change to MSentryPermChange table in a single transaction.
* Internally calls alterSentryRoleRevokePrivilege.
*
- * @param grantorPrincipal User name
* @param roleName the given role name
* @param tPrivileges a Set of privileges
* @param privilegesUpdateMap the corresponding <privilege, Update> map
* @throws Exception
*
*/
- void alterSentryRoleRevokePrivileges(final String grantorPrincipal,
- final String roleName, final Set<TSentryPrivilege> tPrivileges,
+ void alterSentryRoleRevokePrivileges(final String roleName, final Set<TSentryPrivilege> tPrivileges,
final Map<TSentryPrivilege, Update> privilegesUpdateMap)
throws Exception;
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessorTestUtils.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessorTestUtils.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessorTestUtils.java
new file mode 100644
index 0000000..7a48cca
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessorTestUtils.java
@@ -0,0 +1,238 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.Collections;
+import java.util.Set;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.common.ApiConstants.PrivilegeScope;
+import org.apache.sentry.api.common.Status;
+import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.provider.db.service.persistent.SentryStoreInterface;
+import org.mockito.Mockito;
+
+// Test utils for the TestSentryPolicyStoreProcessor class
+class SentryPolicyStoreProcessorTestUtils {
+ // Constants variables
+ private static final int NO_TIME = 0;
+ private final Configuration conf;
+ private final SentryPolicyStoreProcessor processor;
+ private final SentryStoreInterface sentryStore;
+
+ SentryPolicyStoreProcessorTestUtils(Configuration conf, SentryStoreInterface sentryStore) throws Exception {
+ this.conf = conf;
+ this.sentryStore = sentryStore;
+ this.processor = new SentryPolicyStoreProcessor(
+ ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME, conf, sentryStore);
+ }
+
+ PolicyStoreProcessorTestVerifier givenUser(String userName) {
+ return new PolicyStoreProcessorTestVerifier(userName);
+ }
+
+ static TSentryPrivilege newPrivilegeOnDatabase(String action, String serverName, String dbName) {
+ TSentryPrivilege privilege = new TSentryPrivilege(){{
+ setPrivilegeScope(PrivilegeScope.DATABASE.toString());
+ setServerName(serverName);
+ setDbName(dbName);
+ setCreateTime(NO_TIME);
+ setAction(action);
+ }};
+
+ return privilege;
+ }
+
+ static TSentryPrivilege newPrivilegeOnDatabaseWithGrant(String action, String serverName, String dbName) {
+ TSentryPrivilege privilege = new TSentryPrivilege(){{
+ setPrivilegeScope(PrivilegeScope.DATABASE.toString());
+ setServerName(serverName);
+ setDbName(dbName);
+ setCreateTime(NO_TIME);
+ setAction(action);
+ setGrantOption(TSentryGrantOption.TRUE);
+ }};
+
+ return privilege;
+ }
+
+ static TSentryPrivilege newPrivilegeOnTable(String action, String serverName, String dbName, String tableName) {
+ TSentryPrivilege privilege = new TSentryPrivilege(){{
+ setPrivilegeScope(PrivilegeScope.TABLE.toString());
+ setServerName(serverName);
+ setDbName(dbName);
+ setTableName(tableName);
+ setCreateTime(NO_TIME);
+ setAction(action);
+ }};
+
+ return privilege;
+ }
+
+ static TSentryPrivilege newPrivilegeOnTableWithGrant(String action, String serverName, String dbName, String tableName) {
+ TSentryPrivilege privilege = new TSentryPrivilege(){{
+ setPrivilegeScope(PrivilegeScope.TABLE.toString());
+ setServerName(serverName);
+ setDbName(dbName);
+ setTableName(tableName);
+ setCreateTime(NO_TIME);
+ setAction(action);
+ setGrantOption(TSentryGrantOption.TRUE);
+ }};
+
+ return privilege;
+ }
+
+ static TSentryPrivilege newPrivilegeOnColumn(String action, String serverName, String dbName, String tableName, String column) {
+ TSentryPrivilege privilege = new TSentryPrivilege(){{
+ setPrivilegeScope(PrivilegeScope.COLUMN.toString());
+ setServerName(serverName);
+ setDbName(dbName);
+ setTableName(tableName);
+ setColumnName(column);
+ setCreateTime(NO_TIME);
+ setAction(action);
+ setGrantOption(TSentryGrantOption.FALSE);
+ }};
+
+ return privilege;
+ }
+
+ class PolicyStoreProcessorTestVerifier {
+ // Constant variables
+ private final String REQUESTOR_USER;
+
+ PolicyStoreProcessorTestVerifier(String requestorUser) {
+ this.REQUESTOR_USER = requestorUser;
+ }
+
+ PolicyGrantPrivilegeVerifier grantPrivilegeToRole(TSentryPrivilege privilege, String roleName) {
+ return new PolicyGrantPrivilegeVerifier(REQUESTOR_USER, privilege, roleName);
+ }
+
+ PolicyRevokePrivilegeVerifier revokePrivilegeFromRole(TSentryPrivilege privilege, String roleName) {
+ return new PolicyRevokePrivilegeVerifier(REQUESTOR_USER, privilege, roleName);
+ }
+ }
+
+ class PolicyRevokePrivilegeVerifier {
+ // Constant variables
+ private final String REQUESTOR_USER;
+ private final TSentryPrivilege privilege;
+
+ // Class variables
+ private String roleName;
+
+ PolicyRevokePrivilegeVerifier(String requestorUser, TSentryPrivilege privilege, String roleName) {
+ this.REQUESTOR_USER = requestorUser;
+ this.privilege = privilege;
+ this.roleName = roleName;
+ }
+
+ PolicyRevokePrivilegeVerifier whenRequestStorePrivilegesReturn(Set<TSentryPrivilege> privileges)
+ throws Exception {
+
+ Set<String> groups = SentryPolicyStoreProcessor.getGroupsFromUserName(conf, REQUESTOR_USER);
+ Mockito.when(sentryStore.listSentryPrivilegesByUsersAndGroups(
+ Mockito.eq(groups),
+ Mockito.eq(Collections.singleton(REQUESTOR_USER)),
+ Mockito.eq(Mockito.any()),
+ null)
+ ).thenReturn(privileges);
+
+ return this;
+ }
+
+ void verify(Status status) throws Exception {
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
+ revokeRequest.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ revokeRequest.setRequestorUserName(REQUESTOR_USER);
+ revokeRequest.setRoleName(roleName);
+ revokeRequest.setPrivilege(privilege);
+
+ TAlterSentryRoleRevokePrivilegeResponse response =
+ processor.alter_sentry_role_revoke_privilege(revokeRequest);
+ if (response.getStatus().getValue() == Status.OK.getCode()) {
+ Mockito.verify(sentryStore).alterSentryRoleRevokePrivileges(revokeRequest.getRoleName(),
+ revokeRequest.getPrivileges());
+ } else {
+ Mockito.verify(sentryStore, Mockito.times(0))
+ .alterSentryRoleRevokePrivileges(Mockito.anyString(), Mockito.anySet());
+ }
+
+ assertEquals("Revoke " + privilege.getAction() + " response is not valid",
+ status.getCode(), response.getStatus().getValue());
+
+ Mockito.reset(sentryStore);
+ }
+ }
+
+ class PolicyGrantPrivilegeVerifier {
+ // Constant variables
+ private final String REQUESTOR_USER;
+ private final TSentryPrivilege privilege;
+
+ // Class variables
+ private String roleName;
+
+ PolicyGrantPrivilegeVerifier(String requestorUser, TSentryPrivilege privilege, String roleName) {
+ this.REQUESTOR_USER = requestorUser;
+ this.privilege = privilege;
+ this.roleName = roleName;
+ }
+
+ PolicyGrantPrivilegeVerifier whenRequestStorePrivilegesReturn(Set<TSentryPrivilege> privileges)
+ throws Exception {
+
+ Set<String> groups = SentryPolicyStoreProcessor.getGroupsFromUserName(conf, REQUESTOR_USER);
+ Mockito.when(sentryStore.listSentryPrivilegesByUsersAndGroups(
+ Mockito.eq(groups),
+ Mockito.eq(Collections.singleton(REQUESTOR_USER)),
+ Mockito.eq(Mockito.any()),
+ null)
+ ).thenReturn(privileges);
+
+ return this;
+ }
+
+ void verify(Status status) throws Exception {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
+ grantRequest.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ grantRequest.setRequestorUserName(REQUESTOR_USER);
+ grantRequest.setRoleName(roleName);
+ grantRequest.setPrivilege(privilege);
+
+ TAlterSentryRoleGrantPrivilegeResponse response =
+ processor.alter_sentry_role_grant_privilege(grantRequest);
+ if (response.getStatus().getValue() == Status.OK.getCode()) {
+ Mockito.verify(sentryStore).alterSentryRoleGrantPrivileges(grantRequest.getRoleName(),
+ grantRequest.getPrivileges());
+ } else {
+ Mockito.verify(sentryStore, Mockito.times(0))
+ .alterSentryRoleGrantPrivileges(Mockito.anyString(), Mockito.anySet());
+ }
+
+ assertEquals("Grant " + privilege.getAction() + " response is not valid",
+ status.getCode(), response.getStatus().getValue());
+
+ Mockito.reset(sentryStore);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
index 16ff79e..8cea339 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -17,6 +17,8 @@
*/
package org.apache.sentry.api.service.thrift;
+import static org.apache.sentry.core.model.db.AccessConstants.ALL;
+import static org.apache.sentry.core.model.db.AccessConstants.SELECT;
import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
@@ -672,4 +674,161 @@ public class TestSentryPolicyStoreProcessor {
Assert.assertFalse("SELECT privileges should be permitted",
response.getStatus().getMessage().contains("SELECT"));
}
+
+ @Test
+ public void testGrantToRoleWithGrantCheck() throws Exception {
+ final String DB = "db";
+ final String ROLE = "role";
+ final String USER = "user";
+
+ SentryPolicyStoreProcessorTestUtils test = new SentryPolicyStoreProcessorTestUtils(conf, sentryStore);
+
+ final TSentryPrivilege ALL_ON_DB = test.newPrivilegeOnDatabase(ALL, SERVERNAME, DB);
+ final TSentryPrivilege ALL_ON_DB_WGRANT = test.newPrivilegeOnDatabaseWithGrant(ALL, SERVERNAME, DB);
+ final TSentryPrivilege SELECT_ON_DB = test.newPrivilegeOnDatabase(SELECT, SERVERNAME, DB);
+ final TSentryPrivilege SELECT_ON_DB_WGRANT = test.newPrivilegeOnDatabaseWithGrant(SELECT, SERVERNAME, DB);
+
+ // Admin user can grant privileges
+ test.givenUser(ADMIN_USER).grantPrivilegeToRole(ALL_ON_DB, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).grantPrivilegeToRole(ALL_ON_DB_WGRANT, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).grantPrivilegeToRole(SELECT_ON_DB, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).grantPrivilegeToRole(SELECT_ON_DB_WGRANT, ROLE)
+ .verify(Status.OK);
+
+ // User without grant option cannot grant privileges
+ test.givenUser(USER).grantPrivilegeToRole(ALL_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).grantPrivilegeToRole(ALL_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).grantPrivilegeToRole(ALL_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_DB_WGRANT))
+ .verify(Status.ACCESS_DENIED);
+
+ // User with grant option can grant privileges
+ test.givenUser(USER).grantPrivilegeToRole(ALL_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_DB_WGRANT))
+ .verify(Status.OK);
+
+ // User with grant option can grant privileges with grant option
+ test.givenUser(USER).grantPrivilegeToRole(ALL_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_DB_WGRANT))
+ .verify(Status.OK);
+ }
+
+ @Test
+ public void testRevokeFromRoleWithGrantCheck() throws Exception {
+ final String DB = "db";
+ final String ROLE = "role";
+ final String USER = "user";
+
+ SentryPolicyStoreProcessorTestUtils test = new SentryPolicyStoreProcessorTestUtils(conf, sentryStore);
+
+ final TSentryPrivilege ALL_ON_DB = test.newPrivilegeOnDatabase(ALL, SERVERNAME, DB);
+ final TSentryPrivilege ALL_ON_DB_WGRANT = test.newPrivilegeOnDatabaseWithGrant(ALL, SERVERNAME, DB);
+ final TSentryPrivilege SELECT_ON_DB = test.newPrivilegeOnDatabase(SELECT, SERVERNAME, DB);
+ final TSentryPrivilege SELECT_ON_DB_WGRANT = test.newPrivilegeOnDatabaseWithGrant(SELECT, SERVERNAME, DB);
+
+ // Admin user can revoke privileges
+ test.givenUser(ADMIN_USER).revokePrivilegeFromRole(ALL_ON_DB, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).revokePrivilegeFromRole(ALL_ON_DB_WGRANT, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).revokePrivilegeFromRole(SELECT_ON_DB, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).revokePrivilegeFromRole(SELECT_ON_DB_WGRANT, ROLE)
+ .verify(Status.OK);
+
+ // User without grant option cannot revoke privileges
+ test.givenUser(USER).revokePrivilegeFromRole(ALL_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).revokePrivilegeFromRole(ALL_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).revokePrivilegeFromRole(SELECT_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).revokePrivilegeFromRole(SELECT_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.emptySet())
+ .verify(Status.ACCESS_DENIED);
+ test.givenUser(USER).revokePrivilegeFromRole(ALL_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_DB_WGRANT))
+ .verify(Status.ACCESS_DENIED);
+
+ // User with grant option can revoke privileges
+ test.givenUser(USER).revokePrivilegeFromRole(ALL_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).revokePrivilegeFromRole(SELECT_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).revokePrivilegeFromRole(SELECT_ON_DB, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_DB_WGRANT))
+ .verify(Status.OK);
+
+ // User with grant option can revoke privileges with grant option
+ test.givenUser(USER).revokePrivilegeFromRole(ALL_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).revokePrivilegeFromRole(SELECT_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(ALL_ON_DB_WGRANT))
+ .verify(Status.OK);
+ test.givenUser(USER).revokePrivilegeFromRole(SELECT_ON_DB_WGRANT, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_DB_WGRANT))
+ .verify(Status.OK);
+ }
+
+ @Test
+ public void testGrantCheckWithColumn() throws Exception {
+ final String DB = "db";
+ final String TABLE = "table";
+ final String COLUMN = "column";
+ final String ROLE = "role";
+ final String USER = "user";
+
+ SentryPolicyStoreProcessorTestUtils test = new SentryPolicyStoreProcessorTestUtils(conf, sentryStore);
+
+ final TSentryPrivilege SELECT_ON_TABLE = test.newPrivilegeOnTable(SELECT, SERVERNAME, DB, TABLE);
+ final TSentryPrivilege SELECT_ON_TABLE_WGRANT = test.newPrivilegeOnTableWithGrant(SELECT, SERVERNAME, DB, TABLE);
+ final TSentryPrivilege SELECT_ON_COLUMN = test.newPrivilegeOnColumn(SELECT, SERVERNAME, DB, TABLE, COLUMN);
+
+ // Admin user can revoke privileges
+ test.givenUser(ADMIN_USER).grantPrivilegeToRole(SELECT_ON_TABLE_WGRANT, ROLE)
+ .verify(Status.OK);
+ test.givenUser(ADMIN_USER).grantPrivilegeToRole(SELECT_ON_COLUMN, ROLE)
+ .verify(Status.OK);
+
+ // User with grant option on table can grant select on a column
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_COLUMN, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_TABLE_WGRANT))
+ .verify(Status.OK);
+
+ // User without grant option on table cannot grant select on a column
+ test.givenUser(USER).grantPrivilegeToRole(SELECT_ON_COLUMN, ROLE)
+ .whenRequestStorePrivilegesReturn(Collections.singleton(SELECT_ON_TABLE))
+ .verify(Status.ACCESS_DENIED);
+ }
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/8e050570/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollowerSentryStoreIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollowerSentryStoreIntegration.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollowerSentryStoreIntegration.java
index a886836..1d87b0b 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollowerSentryStoreIntegration.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollowerSentryStoreIntegration.java
@@ -154,7 +154,6 @@ public class TestHMSFollowerSentryStoreIntegration {
// configure permission of the table
String roleName1 = "list-privs-r1";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
@@ -177,11 +176,11 @@ public class TestHMSFollowerSentryStoreIntegration {
privilege_server.setServerName(serverName1);
privilege_server.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_2, null);
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege_server, null);
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_3, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_2, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege_server, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_3, null);
// Create notification events to drop the table
StorageDescriptor sd = new StorageDescriptor();
@@ -214,7 +213,6 @@ public class TestHMSFollowerSentryStoreIntegration {
// configure permission of the database
String roleName1 = "list-privs-r1";
- String grantor = "g1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
@@ -237,11 +235,11 @@ public class TestHMSFollowerSentryStoreIntegration {
privilege_server.setServerName(serverName1);
privilege_server.setCreateTime(System.currentTimeMillis());
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1, null);
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_2, null);
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege_server, null);
- sentryStore.alterSentryGrantPrivilege(grantor, ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_3, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_2, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege_server, null);
+ sentryStore.alterSentryGrantPrivilege(ServiceConstants.SentryPrincipalType.ROLE, roleName1, privilege1_3, null);
// Create notification events to drop the database
NotificationEvent notificationEvent = new NotificationEvent(1, 0, EventType.DROP_DATABASE.toString(),