You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by bo...@apache.org on 2018/11/19 10:45:11 UTC
[04/33] impala git commit: IMPALA-7794: Rewrite flaky ownership
authorization tests
IMPALA-7794: Rewrite flaky ownership authorization tests
This patch rewrites the ownership authorization tests to not depend on
delay and timeout, which can help to avoid the flakiness. The patch also
refactors some tests to reuse Sentry and Impala instances without having
to restart them, which can speed up the tests. To keep the same test
coverage, no tests were removed.
Testing:
- Ran all authorization E2E tests multiple times.
Change-Id: Ic98f8dbec41360261fd0339d835f3ce6b504ee29
Reviewed-on: http://gerrit.cloudera.org:8080/11837
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/76160838
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/76160838
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/76160838
Branch: refs/heads/branch-3.1.0
Commit: 76160838899fefc4955e30332a19732af6ecee6d
Parents: 6684fe1
Author: Fredy Wijaya <fw...@cloudera.com>
Authored: Tue Oct 30 19:48:54 2018 -0700
Committer: Zoltan Borok-Nagy <bo...@cloudera.com>
Committed: Tue Nov 13 12:50:23 2018 +0100
----------------------------------------------------------------------
tests/authorization/test_grant_revoke.py | 247 +++++---------
tests/authorization/test_owner_privileges.py | 396 ++++++++++------------
tests/common/sentry_cache_test_suite.py | 66 ++--
3 files changed, 290 insertions(+), 419 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/impala/blob/76160838/tests/authorization/test_grant_revoke.py
----------------------------------------------------------------------
diff --git a/tests/authorization/test_grant_revoke.py b/tests/authorization/test_grant_revoke.py
index 949887b..f7299bf 100644
--- a/tests/authorization/test_grant_revoke.py
+++ b/tests/authorization/test_grant_revoke.py
@@ -16,14 +16,9 @@
# under the License.
#
# Client tests for SQL statement authorization
-# In these tests we run all the tests twice. Once with just using cache, hence the
-# long sentry poll, and once by ensuring refreshes happen from Sentry.
import grp
import pytest
-import os
-import sys
-import subprocess
from getpass import getuser
from os import getenv
from time import sleep
@@ -36,16 +31,8 @@ from tests.verifiers.metric_verifier import MetricVerifier
SENTRY_CONFIG_FILE = getenv('IMPALA_HOME') + \
'/fe/src/test/resources/sentry-site.xml'
-# The polling frequency used by catalogd to refresh Sentry privileges.
-# The long polling is so we can check updates just for the cache.
-# The other polling is so we can get the updates without having to wait.
-SENTRY_POLLING_FREQUENCY_S = 1
-SENTRY_LONG_POLLING_FREQUENCY_S = 120
-# The timeout, in seconds, when waiting for a refresh of Sentry privileges.
-# This is also used as a delay before executing a statement. The difference between
-# the two usages is one is used to check results and once successful can return before
-# the time is up. The other is to enforce a delay with no short circuit.
-SENTRY_REFRESH_TIMEOUT_S = SENTRY_POLLING_FREQUENCY_S * 3
+# Sentry long polling frequency to make Sentry refresh not run.
+SENTRY_LONG_POLLING_FREQUENCY_S = 3600
class TestGrantRevoke(SentryCacheTestSuite):
@@ -118,155 +105,99 @@ class TestGrantRevoke(SentryCacheTestSuite):
@pytest.mark.execute_serially
@SentryCacheTestSuite.with_args(
impalad_args="--server_name=server1",
- catalogd_args="--sentry_config=" + SENTRY_CONFIG_FILE +
- " --sentry_catalog_polling_frequency_s=" + str(SENTRY_POLLING_FREQUENCY_S),
+ catalogd_args="--sentry_config={0} --sentry_catalog_polling_frequency_s={1}"
+ .format(SENTRY_CONFIG_FILE, SENTRY_LONG_POLLING_FREQUENCY_S),
sentry_config=SENTRY_CONFIG_FILE)
def test_grant_revoke_with_sentry(self, vector):
- self.__execute_with_grant_option_tests(TestObject(TestObject.SERVER), "all",
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.DATABASE,
- "grant_rev_db"), "all", sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.TABLE,
- "grant_rev_db.tbl1"), "all", sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.VIEW,
- "grant_rev_db.tbl1"), "all", sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.SERVER), "select",
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.DATABASE,
- "grant_rev_db"), "select", sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.TABLE,
- "grant_rev_db.tbl1"), "select", sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_with_grant_option_tests(TestObject(TestObject.VIEW,
- "grant_rev_db.tbl1"), "select", sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
-
- @pytest.mark.execute_serially
- @SentryCacheTestSuite.with_args(
- impalad_args="--server_name=server1",
- catalogd_args="--sentry_config=" + SENTRY_CONFIG_FILE +
- " --sentry_catalog_polling_frequency_s=" + str(SENTRY_LONG_POLLING_FREQUENCY_S),
- sentry_config=SENTRY_CONFIG_FILE)
- def test_grant_revoke_with_sentry_long_poll(self, vector):
- self.__execute_with_grant_option_tests(TestObject(TestObject.SERVER), "all")
- self.__execute_with_grant_option_tests(TestObject(TestObject.DATABASE,
- "grant_rev_db"), "all")
- self.__execute_with_grant_option_tests(TestObject(TestObject.TABLE,
- "grant_rev_db.tbl1"), "all")
- self.__execute_with_grant_option_tests(TestObject(TestObject.VIEW,
- "grant_rev_db.tbl1"), "all")
- self.__execute_with_grant_option_tests(TestObject(TestObject.SERVER), "select")
- self.__execute_with_grant_option_tests(TestObject(TestObject.DATABASE,
- "grant_rev_db"), "select")
- self.__execute_with_grant_option_tests(TestObject(TestObject.TABLE,
- "grant_rev_db.tbl1"), "select")
- self.__execute_with_grant_option_tests(TestObject(TestObject.VIEW,
- "grant_rev_db.tbl1"), "select")
-
- @pytest.mark.execute_serially
- @SentryCacheTestSuite.with_args(
- impalad_args="--server_name=server1",
- catalogd_args="--sentry_config=%s " % SENTRY_CONFIG_FILE +
- "--sentry_catalog_polling_frequency_s=%d" % SENTRY_POLLING_FREQUENCY_S,
- sentry_config=SENTRY_CONFIG_FILE)
- def test_grant_revoke_with_sentry_refresh(self):
- group_name = grp.getgrnam(getuser()).gr_name
- role_name = "grant_revoke_test_sentry_refresh"
- try:
- self.client.execute("create role %s" % role_name)
- self.client.execute("grant role %s to group `%s`" % (role_name, group_name))
- # Add select and insert into the catalog.
- self.client.execute("grant select on table functional.alltypes to %s" % role_name)
- self.client.execute("grant insert on table functional.alltypes to %s" % role_name)
- # Grant alter privilege and revoke insert privilege using Sentry CLI.
- subprocess.check_call(
- ["/bin/bash", "-c", "%s/bin/sentryShell "
- "--conf %s/sentry-site.xml -gpr "
- "-p 'server=server1->db=functional->table=alltypes->action=alter' "
- "-r %s" % (os.getenv("SENTRY_HOME"), os.getenv("SENTRY_CONF_DIR"), role_name)],
- stdout=sys.stdout, stderr=sys.stderr)
- subprocess.check_call(
- ["/bin/bash", "-c", "%s/bin/sentryShell "
- "--conf %s/sentry-site.xml -rpr "
- "-p 'server=server1->db=functional->table=alltypes->action=insert' "
- "-r %s" % (os.getenv("SENTRY_HOME"), os.getenv("SENTRY_CONF_DIR"), role_name)],
- stdout=sys.stdout, stderr=sys.stderr)
- # Wait for the catalog update with Sentry refresh.
- sleep(SENTRY_POLLING_FREQUENCY_S + 3)
- # Ensure alter privilege was granted and insert privilege was revoked.
- result = self.execute_query_expect_success(self.client, "show grant role %s" %
- role_name)
- assert len(result.data) == 2
- assert any('select' in x for x in result.data)
- assert any('alter' in x for x in result.data)
- finally:
- self.client.execute("drop role %s" % role_name)
-
- def __execute_with_grant_option_tests(self, test_obj, privilege,
- sentry_refresh_timeout_s=0):
+ """Tests grant and revoke for all objects. In these tests, we run tests twice. One
+ with just using cache, hence the long sentry poll, and another one by ensuring
+ refreshes happen from Sentry."""
+ for invalidate in [True, False]:
+ for priv in ["all", "select"]:
+ self._execute_with_grant_option_tests(TestObject(TestObject.SERVER), priv,
+ invalidate)
+ self._execute_with_grant_option_tests(TestObject(TestObject.DATABASE,
+ "grant_rev_db"), priv,
+ invalidate)
+ self._execute_with_grant_option_tests(TestObject(TestObject.TABLE,
+ "grant_rev_db.tbl1"), priv,
+ invalidate)
+ self._execute_with_grant_option_tests(TestObject(TestObject.VIEW,
+ "grant_rev_db.tbl1"), priv,
+ invalidate)
+
+ def _execute_with_grant_option_tests(self, test_obj, privilege, invalidate_metadata):
"""
- Executes grant/revoke tests with grant option
+ Executes grant/revoke tests with grant option.
"""
- # Do some initial setup only for this test.
- group_name = grp.getgrnam(getuser()).gr_name
- try:
- self.client.execute("create role grant_revoke_test_admin")
- except Exception:
- # Ignore this as it was already created on the last run.
- pass
- self.client.execute("grant all on server to grant_revoke_test_admin")
- self.client.execute("grant role grant_revoke_test_admin to group `%s`" % group_name)
- self.client.execute("create role grant_revoke_test_role")
- if test_obj.obj_type != TestObject.SERVER:
- self.user_query(self.client, "create %s if not exists %s %s %s"
- % (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
- test_obj.view_select), user="root")
-
- # Grant a basic privilege
- self.user_query(self.client, "grant %s on %s %s to role grant_revoke_test_role"
- % (privilege, test_obj.grant_name, test_obj.obj_name), user="root")
-
- # Ensure role has privilege.
- self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
- test_obj, timeout_sec=sentry_refresh_timeout_s)
-
- # Try with grant option on existing privilege.
- test_obj.grant = True
- self.user_query(self.client, "grant %s on %s %s " % (privilege, test_obj.grant_name,
- test_obj.obj_name) + " to role grant_revoke_test_role with grant option",
- user="root")
- # Ensure role has updated privilege.
- self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
- test_obj, timeout_sec=sentry_refresh_timeout_s)
-
- # Revoke the grant option
- self.user_query(self.client,
- "revoke grant option for %s on %s %s from role grant_revoke_test_role"
- % (privilege, test_obj.grant_name, test_obj.obj_name))
- # Ensure role has updated privilege.
- test_obj.grant = False
- self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
- test_obj, delay_s=sentry_refresh_timeout_s)
-
- # Add the grant option back, then add a regular privilege
- self.user_query(self.client, "grant %s on %s %s to role grant_revoke_test_role"
- % (privilege, test_obj.grant_name, test_obj.obj_name) + " with grant option",
- user="root")
- self.user_query(self.client, "grant %s on %s %s to role grant_revoke_test_role"
- % (privilege, test_obj.grant_name, test_obj.obj_name), user="root")
- test_obj.grant = True
- self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
- test_obj, timeout_sec=sentry_refresh_timeout_s)
+ def setup():
+ group_name = grp.getgrnam(getuser()).gr_name
+ try:
+ self.client.execute("create role grant_revoke_test_admin")
+ except Exception:
+ # Ignore this as it was already created on the last run.
+ pass
+ self.client.execute("grant all on server to grant_revoke_test_admin")
+ self.client.execute("grant role grant_revoke_test_admin to group `%s`" % group_name)
+ self.client.execute("create role grant_revoke_test_role")
- # Revoke the privilege
- self.user_query(self.client, "revoke %s on %s %s from role grant_revoke_test_role"
- % (privilege, test_obj.grant_name, test_obj.obj_name))
- result = self.user_query(self.client, "show grant role grant_revoke_test_role",
- delay_s=sentry_refresh_timeout_s)
- assert len(result.data) == 0
+ def cleanup():
+ # Reset the grant value
+ test_obj.grant = False
+ # Remove the role
+ self.client.execute("drop role grant_revoke_test_role")
- # Reset the grant value
- test_obj.grant = False
- # Remove the role
- self.client.execute("drop role grant_revoke_test_role")
+ try:
+ setup()
+ if test_obj.obj_type != TestObject.SERVER:
+ self.user_query(self.client, "create %s if not exists %s %s %s" %
+ (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
+ test_obj.view_select), user="root")
+
+ # Grant a basic privilege
+ self.user_query(self.client, "grant %s on %s %s to role grant_revoke_test_role" %
+ (privilege, test_obj.grant_name, test_obj.obj_name), user="root")
+
+ # Ensure role has privilege.
+ self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
+ test_obj, invalidate_metadata=invalidate_metadata)
+
+ # Try with grant option on existing privilege.
+ test_obj.grant = True
+ self.user_query(self.client,
+ "grant %s on %s %s to role grant_revoke_test_role with grant option"
+ % (privilege, test_obj.grant_name, test_obj.obj_name), user="root")
+ # Ensure role has updated privilege.
+ self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
+ test_obj, invalidate_metadata=invalidate_metadata)
+
+ # Revoke the grant option
+ self.user_query(self.client, "revoke grant option for %s on %s %s from role "
+ "grant_revoke_test_role" % (privilege,
+ test_obj.grant_name,
+ test_obj.obj_name))
+ # Ensure role has updated privilege.
+ test_obj.grant = False
+ self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
+ test_obj, invalidate_metadata=invalidate_metadata)
+
+ # Add the grant option back, then add a regular privilege
+ self.user_query(self.client,
+ "grant %s on %s %s to role grant_revoke_test_role with grant option"
+ % (privilege, test_obj.grant_name, test_obj.obj_name), user="root")
+ self.user_query(self.client, "grant %s on %s %s to role grant_revoke_test_role" %
+ (privilege, test_obj.grant_name, test_obj.obj_name), user="root")
+ test_obj.grant = True
+ self.validate_privileges(self.client, "show grant role grant_revoke_test_role",
+ test_obj, invalidate_metadata=invalidate_metadata)
+
+ # Revoke the privilege
+ self.user_query(self.client, "revoke %s on %s %s from role grant_revoke_test_role" %
+ (privilege, test_obj.grant_name, test_obj.obj_name))
+ result = self.user_query(self.client, "show grant role grant_revoke_test_role")
+ assert len(result.data) == 0
+ finally:
+ cleanup()
@pytest.mark.execute_serially
@SentryCacheTestSuite.with_args(
http://git-wip-us.apache.org/repos/asf/impala/blob/76160838/tests/authorization/test_owner_privileges.py
----------------------------------------------------------------------
diff --git a/tests/authorization/test_owner_privileges.py b/tests/authorization/test_owner_privileges.py
index 1cbce98..26e7a97 100644
--- a/tests/authorization/test_owner_privileges.py
+++ b/tests/authorization/test_owner_privileges.py
@@ -15,29 +15,18 @@
# specific language governing permissions and limitations
# under the License.
#
-# Client tests to ensure object ownership functionality
-#
-# The tests uses two clients, one for oo_user1 and one for 'oo_user2'. oo_user2 is
-# used as a user to transfer ownership to. Additionally, in these tests we run all
-# the tests twice. Once with just using cache, hence the long sentry poll, and once
-# by ensuring refreshes happen from Sentry.
+# Client tests to ensure object ownership functionality.
import grp
import pytest
from getpass import getuser
from os import getenv
-from time import sleep, time
from tests.common.sentry_cache_test_suite import SentryCacheTestSuite, TestObject
from tests.common.test_dimensions import create_uncompressed_text_dimension
-# The polling frequency used by catalogd to refresh Sentry privileges.
-# The long polling is so we can check updates just for the cache.
-# The other polling is so we can get the updates without having to wait.
-SENTRY_LONG_POLLING_FREQUENCY_S = 60
-SENTRY_POLLING_FREQUENCY_S = 1
-# The timeout, in seconds, when waiting for a refresh of Sentry privileges.
-SENTRY_REFRESH_TIMEOUT_S = SENTRY_POLLING_FREQUENCY_S * 2
+# Sentry long polling frequency to make Sentry refresh not run.
+SENTRY_LONG_POLLING_FREQUENCY_S = 3600
SENTRY_CONFIG_DIR = getenv('IMPALA_HOME') + '/fe/src/test/resources/'
SENTRY_BASE_LOG_DIR = getenv('IMPALA_CLUSTER_LOGS_DIR') + "/sentry"
@@ -58,7 +47,14 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
def setup_method(self, method):
super(TestOwnerPrivileges, self).setup_method(method)
- self._test_cleanup()
+ self._setup_admin()
+
+ def teardown_method(self, method):
+ self._cleanup_admin()
+ super(TestOwnerPrivileges, self).teardown_method(method)
+
+ def _setup_ownership_test(self):
+ self._cleanup_ownership_test()
# Base roles for enabling tests.
self.execute_query("create role owner_priv_test_oo_user1")
# Role for verifying grant.
@@ -70,10 +66,18 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
self.execute_query("grant create on server to owner_priv_test_oo_user1")
self.execute_query("grant select on database functional to owner_priv_test_oo_user1")
- def teardown_method(self, method):
- self._test_cleanup()
- self.execute_query("drop role owner_priv_admin")
- super(TestOwnerPrivileges, self).teardown_method(method)
+ def _cleanup_ownership_test(self):
+ # Clean up the test artifacts.
+ try:
+ self.cleanup_db("owner_priv_db", sync_ddl=0)
+ except Exception:
+ # Ignore this if we can't show tables.
+ pass
+
+ # Clean up any old roles created by this test
+ for role_name in self.execute_query("show roles").data:
+ if "owner_priv_test" in role_name:
+ self.execute_query("drop role %s" % role_name)
@staticmethod
def count_user_privileges(result):
@@ -90,11 +94,12 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
total += 1
return total
- def _validate_user_privilege_count(self, client, query, user, delay_s, count):
- result = self.user_query(client, query, user=user, delay_s=delay_s)
- return self.count_user_privileges(result) == count
+ def _validate_no_user_privileges(self, client, user, invalidate_metadata):
+ if invalidate_metadata: self.execute_query("invalidate metadata")
+ result = self.user_query(client, "show grant user %s" % user, user=user)
+ return TestOwnerPrivileges.count_user_privileges(result) == 0
- def _test_cleanup(self):
+ def _setup_admin(self):
# Admin for manipulation and cleaning up.
try:
self.execute_query("drop role owner_priv_admin")
@@ -105,38 +110,9 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
self.execute_query("grant all on server to owner_priv_admin with grant option")
group_name = grp.getgrnam(getuser()).gr_name
self.execute_query("grant role owner_priv_admin to group `%s`" % group_name)
- # Clean up the test artifacts.
- try:
- self.cleanup_db("owner_priv_db", sync_ddl=0)
- except Exception:
- # Ignore this if we can't show tables.
- pass
-
- # Clean up any old roles created by this test
- for role_name in self.execute_query("show roles").data:
- if "owner_priv_test" in role_name:
- self.execute_query("drop role %s" % role_name)
- @pytest.mark.execute_serially
- @SentryCacheTestSuite.with_args(
- impalad_args="--server_name=server1 --sentry_config={0} "
- "--authorization_policy_provider_class="
- "org.apache.impala.service.CustomClusterResourceAuthorizationProvider "
- .format(SENTRY_CONFIG_FILE_OO),
- catalogd_args="--sentry_config={0} --authorization_policy_provider_class="
- "org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- " --sentry_catalog_polling_frequency_s={1}"
- .format(SENTRY_CONFIG_FILE_OO, str(SENTRY_LONG_POLLING_FREQUENCY_S)),
- sentry_config=SENTRY_CONFIG_FILE_OO,
- sentry_log_dir="{0}/test_owner_privileges_with_grant_log_poll"
- .format(SENTRY_BASE_LOG_DIR))
- def test_owner_privileges_with_grant_long_poll(self, vector, unique_database):
- self.__execute_owner_privilege_tests(TestObject(TestObject.DATABASE, "owner_priv_db",
- grant=True))
- self.__execute_owner_privilege_tests(TestObject(TestObject.TABLE,
- unique_database + ".owner_priv_tbl", grant=True))
- self.__execute_owner_privilege_tests(TestObject(TestObject.VIEW,
- unique_database + ".owner_priv_view", grant=True))
+ def _cleanup_admin(self):
+ self.execute_query("drop role owner_priv_admin")
@pytest.mark.execute_serially
@SentryCacheTestSuite.with_args(
@@ -147,98 +123,118 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
catalogd_args="--sentry_config={0} --sentry_catalog_polling_frequency_s={1} "
"--authorization_policy_provider_class="
"org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- .format(SENTRY_CONFIG_FILE_OO, str(SENTRY_POLLING_FREQUENCY_S)),
+ .format(SENTRY_CONFIG_FILE_OO, SENTRY_LONG_POLLING_FREQUENCY_S),
sentry_config=SENTRY_CONFIG_FILE_OO,
- sentry_log_dir="{0}/test_owner_privileges_with_grant"
- .format(SENTRY_BASE_LOG_DIR))
+ sentry_log_dir="{0}/test_owner_privileges_with_grant".format(SENTRY_BASE_LOG_DIR))
def test_owner_privileges_with_grant(self, vector, unique_database):
- self.__execute_owner_privilege_tests(TestObject(TestObject.DATABASE, "owner_priv_db",
- grant=True), sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_owner_privilege_tests(TestObject(TestObject.TABLE,
- unique_database + ".owner_priv_tbl", grant=True),
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_owner_privilege_tests(TestObject(TestObject.VIEW,
- unique_database + ".owner_priv_view", grant=True),
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
-
- def __execute_owner_privilege_tests(self, test_obj, sentry_refresh_timeout_s=0):
+ """Tests owner privileges with grant on database, table, and view.
+ - invalidate_metadata=True: With Sentry refresh to make sure privileges are really
+ stored in Sentry.
+ - invalidate_metadata=False: No Sentry refresh to make sure user can use owner
+ privileges right away without a Sentry refresh."""
+ for invalidate in [True, False]:
+ try:
+ self._setup_ownership_test()
+ self._execute_owner_privilege_tests(TestObject(TestObject.DATABASE,
+ "owner_priv_db",
+ grant=True),
+ invalidate_metadata=invalidate)
+ self._execute_owner_privilege_tests(TestObject(TestObject.TABLE,
+ unique_database +
+ ".owner_priv_tbl",
+ grant=True),
+ invalidate_metadata=invalidate)
+ self._execute_owner_privilege_tests(TestObject(TestObject.VIEW,
+ unique_database +
+ ".owner_priv_view",
+ grant=True),
+ invalidate_metadata=invalidate)
+ finally:
+ self._cleanup_ownership_test()
+
+ def _execute_owner_privilege_tests(self, test_obj, invalidate_metadata):
"""
Executes all the statements required to validate owner privileges work correctly
for a specific database, table, or view.
"""
# Create object and ensure oo_user1 gets owner privileges.
self.oo_user1_impalad_client = self.create_impala_client()
+ # oo_user2 is only used for transferring ownership.
self.oo_user2_impalad_client = self.create_impala_client()
- self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s"
- % (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
- test_obj.view_select), user="oo_user1")
+ self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s" %
+ (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
+ test_obj.view_select), user="oo_user1")
self.validate_privileges(self.oo_user1_impalad_client, "show grant user oo_user1",
- test_obj, sentry_refresh_timeout_s, "oo_user1")
+ test_obj, user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
# Ensure grant works.
self.user_query(self.oo_user1_impalad_client,
- "grant all on %s %s to role owner_priv_test_all_role"
- % (test_obj.grant_name, test_obj.obj_name), user="oo_user1")
+ "grant all on %s %s to role owner_priv_test_all_role" %
+ (test_obj.grant_name, test_obj.obj_name), user="oo_user1")
self.user_query(self.oo_user1_impalad_client,
- "revoke all on %s %s from role owner_priv_test_all_role"
- % (test_obj.grant_name, test_obj.obj_name), user="oo_user1")
+ "revoke all on %s %s from role owner_priv_test_all_role" %
+ (test_obj.grant_name, test_obj.obj_name), user="oo_user1")
# Change the database owner and ensure oo_user1 does not have owner privileges.
- # Use a delay to avoid cache consistency issue that could occur after create.
- self.user_query(self.oo_user1_impalad_client, "alter %s %s set owner user oo_user2"
- % (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
- delay_s=sentry_refresh_timeout_s)
- assert self._validate_user_privilege_count(self.oo_user1_impalad_client,
- "show grant user oo_user1", "oo_user1", sentry_refresh_timeout_s, 0)
+ self.user_query(self.oo_user1_impalad_client, "alter %s %s set owner user oo_user2" %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1")
+ assert self._validate_no_user_privileges(self.oo_user1_impalad_client,
+ user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
# Ensure oo_user1 cannot drop database after owner change.
# Use a delay to avoid cache consistency issue that could occur after alter.
- self.user_query(self.oo_user1_impalad_client, "drop %s %s" % (test_obj.obj_type,
- test_obj.obj_name), user="oo_user1", delay_s=sentry_refresh_timeout_s,
- error_msg="does not have privileges to execute 'DROP'")
+ self.user_query(self.oo_user1_impalad_client, "drop %s %s" %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges to execute 'DROP'")
# oo_user2 should have privileges for object now.
self.validate_privileges(self.oo_user2_impalad_client, "show grant user oo_user2",
- test_obj, sentry_refresh_timeout_s, "oo_user2")
+ test_obj, user="oo_user2",
+ invalidate_metadata=invalidate_metadata)
# Change the owner to a role and ensure oo_user2 doesn't have privileges.
# Set the owner back to oo_user1 since for views, oo_user2 doesn't have select
# privileges on the underlying table.
- self.execute_query("alter %s %s set owner user oo_user1" % (test_obj.obj_type,
- test_obj.obj_name))
- assert self._validate_user_privilege_count(self.oo_user2_impalad_client,
- "show grant user oo_user2", "oo_user2", sentry_refresh_timeout_s, 0)
- # Use a delay to avoid cache consistency issue that could occur after alter.
+ self.execute_query("alter %s %s set owner user oo_user1" %
+ (test_obj.obj_type, test_obj.obj_name),
+ query_options={"sync_ddl": 1})
+ assert self._validate_no_user_privileges(self.oo_user2_impalad_client,
+ user="oo_user2",
+ invalidate_metadata=invalidate_metadata)
self.user_query(self.oo_user1_impalad_client,
- "alter %s %s set owner role owner_priv_test_owner_role"
- % (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
- delay_s=sentry_refresh_timeout_s)
+ "alter %s %s set owner role owner_priv_test_owner_role" %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1")
# Ensure oo_user1 does not have user privileges.
- assert self._validate_user_privilege_count(self.oo_user1_impalad_client,
- "show grant user oo_user1", "oo_user1", sentry_refresh_timeout_s, 0)
+ assert self._validate_no_user_privileges(self.oo_user1_impalad_client,
+ user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
# Ensure role has owner privileges.
self.validate_privileges(self.oo_user1_impalad_client,
- "show grant role owner_priv_test_owner_role", test_obj, sentry_refresh_timeout_s,
- "oo_user1")
+ "show grant role owner_priv_test_owner_role", test_obj,
+ user="oo_user1", invalidate_metadata=invalidate_metadata)
# Drop the object and ensure no role privileges.
# Use a delay to avoid cache consistency issue that could occur after alter.
- self.user_query(self.oo_user1_impalad_client, "drop %s %s " % (test_obj.obj_type,
- test_obj.obj_name), user="oo_user1", delay_s=sentry_refresh_timeout_s)
- assert self._validate_user_privilege_count(self.oo_user1_impalad_client,
- "show grant user oo_user1", "oo_user1", sentry_refresh_timeout_s, 0)
+ self.user_query(self.oo_user1_impalad_client, "drop %s %s " %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1")
+ assert self._validate_no_user_privileges(self.oo_user1_impalad_client,
+ user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
# Ensure user privileges are gone after drop.
# Use a delay to avoid cache consistency issue that could occur after drop.
- self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s"
- % (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
- test_obj.view_select), user="oo_user1", delay_s=sentry_refresh_timeout_s)
+ self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s" %
+ (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
+ test_obj.view_select), user="oo_user1")
# Use a delay to avoid cache consistency issue that could occur after create.
- self.user_query(self.oo_user1_impalad_client, "drop %s %s " % (test_obj.obj_type,
- test_obj.obj_name), user="oo_user1", delay_s=sentry_refresh_timeout_s)
- assert self._validate_user_privilege_count(self.oo_user1_impalad_client,
- "show grant user oo_user1", "oo_user1", sentry_refresh_timeout_s, 0)
+ self.user_query(self.oo_user1_impalad_client, "drop %s %s " %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1")
+ assert self._validate_no_user_privileges(self.oo_user1_impalad_client,
+ user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
@pytest.mark.execute_serially
@SentryCacheTestSuite.with_args(
@@ -248,44 +244,25 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
.format(SENTRY_CONFIG_FILE_NO_OO),
catalogd_args="--sentry_config={0} --authorization_policy_provider_class="
"org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- " --sentry_catalog_polling_frequency_s={1}"
- .format(SENTRY_CONFIG_FILE_NO_OO,
- str(SENTRY_LONG_POLLING_FREQUENCY_S)),
- sentry_config=SENTRY_CONFIG_FILE_NO_OO,
- sentry_log_dir="{0}/test_owner_privileges_disabled_log_poll"
- .format(SENTRY_BASE_LOG_DIR))
- def test_owner_privileges_disabled_long_poll(self, vector, unique_database):
- self.__execute_owner_privilege_tests_no_oo(TestObject(TestObject.DATABASE,
- "owner_priv_db"))
- self.__execute_owner_privilege_tests_no_oo(TestObject(TestObject.TABLE,
- unique_database + ".owner_priv_tbl"))
- self.__execute_owner_privilege_tests_no_oo(TestObject(TestObject.VIEW,
- unique_database + ".owner_priv_view"))
-
- @pytest.mark.execute_serially
- @SentryCacheTestSuite.with_args(
- impalad_args="--server_name=server1 --sentry_config={0} "
- "--authorization_policy_provider_class="
- "org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- .format(SENTRY_CONFIG_FILE_NO_OO),
- catalogd_args="--sentry_config={0} --sentry_catalog_polling_frequency_s={1} "
- "--authorization_policy_provider_class="
- "org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- .format(SENTRY_CONFIG_FILE_NO_OO, str(SENTRY_POLLING_FREQUENCY_S)),
+ .format(SENTRY_CONFIG_FILE_NO_OO),
sentry_config=SENTRY_CONFIG_FILE_NO_OO,
- sentry_log_dir="{0}/test_owner_privileges_disabled"
- .format(SENTRY_BASE_LOG_DIR))
+ sentry_log_dir="{0}/test_owner_privileges_disabled".format(SENTRY_BASE_LOG_DIR))
def test_owner_privileges_disabled(self, vector, unique_database):
- self.__execute_owner_privilege_tests_no_oo(TestObject(TestObject.DATABASE,
- "owner_priv_db"), sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_owner_privilege_tests_no_oo(TestObject(TestObject.TABLE,
- unique_database + ".owner_priv_tbl"),
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_owner_privilege_tests_no_oo(TestObject(TestObject.VIEW,
- unique_database + ".owner_priv_view"),
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
-
- def __execute_owner_privilege_tests_no_oo(self, test_obj, sentry_refresh_timeout_s=0):
+ """Tests that there should not be owner privileges."""
+ try:
+ self._setup_ownership_test()
+ self._execute_owner_privilege_tests_no_oo(TestObject(TestObject.DATABASE,
+ "owner_priv_db"))
+ self._execute_owner_privilege_tests_no_oo(TestObject(TestObject.TABLE,
+ unique_database +
+ ".owner_priv_tbl"))
+ self._execute_owner_privilege_tests_no_oo(TestObject(TestObject.VIEW,
+ unique_database +
+ ".owner_priv_view"))
+ finally:
+ self._cleanup_ownership_test()
+
+ def _execute_owner_privilege_tests_no_oo(self, test_obj):
"""
Executes all the statements required to validate owner privileges work correctly
for a specific database, table, or view.
@@ -293,53 +270,30 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
# Create object and ensure oo_user1 gets owner privileges.
self.oo_user1_impalad_client = self.create_impala_client()
self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s"
- % (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
- test_obj.view_select), user="oo_user1")
+ % (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
+ test_obj.view_select), user="oo_user1")
# Ensure grant doesn't work.
self.user_query(self.oo_user1_impalad_client,
- "grant all on %s %s to role owner_priv_test_all_role"
- % (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
- error_msg="does not have privileges to execute: GRANT_PRIVILEGE")
+ "grant all on %s %s to role owner_priv_test_all_role" %
+ (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges to execute: GRANT_PRIVILEGE")
self.user_query(self.oo_user1_impalad_client,
- "revoke all on %s %s from role owner_priv_test_all_role"
- % (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
- error_msg="does not have privileges to execute: REVOKE_PRIVILEGE")
+ "revoke all on %s %s from role owner_priv_test_all_role" %
+ (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges to execute: REVOKE_PRIVILEGE")
# Ensure changing the database owner doesn't work.
- self.user_query(self.oo_user1_impalad_client, "alter %s %s set owner user oo_user2"
- % (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
- error_msg="does not have privileges with 'GRANT OPTION'")
+ self.user_query(self.oo_user1_impalad_client,
+ "alter %s %s set owner user oo_user2" %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges with 'GRANT OPTION'")
# Ensure oo_user1 cannot drop database.
- # Use a delay to avoid cache consistency issue that could occur after alter.
- self.user_query(self.oo_user1_impalad_client, "drop %s %s" % (test_obj.obj_type,
- test_obj.obj_name), user="oo_user1",
- error_msg="does not have privileges to execute 'DROP'",
- delay_s=sentry_refresh_timeout_s)
-
- @pytest.mark.execute_serially
- @SentryCacheTestSuite.with_args(
- impalad_args="--server_name=server1 --sentry_config={0} "
- "--authorization_policy_provider_class="
- "org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- .format(SENTRY_CONFIG_FILE_OO_NOGRANT),
- catalogd_args="--sentry_config={0} --authorization_policy_provider_class="
- "org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- " --sentry_catalog_polling_frequency_s={1}"
- .format(SENTRY_CONFIG_FILE_OO_NOGRANT,
- str(SENTRY_LONG_POLLING_FREQUENCY_S)),
- sentry_config=SENTRY_CONFIG_FILE_OO_NOGRANT,
- sentry_log_dir="{0}/test_owner_privileges_without_grant_log_poll"
- .format(SENTRY_BASE_LOG_DIR))
- def test_owner_privileges_without_grant_long_poll(self, vector, unique_database):
- self.__execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.DATABASE,
- "owner_priv_db"))
- self.__execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.TABLE,
- unique_database + ".owner_priv_tbl"))
- self.__execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.VIEW,
- unique_database + ".owner_priv_view"))
+ self.user_query(self.oo_user1_impalad_client, "drop %s %s" %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges to execute 'DROP'")
@pytest.mark.execute_serially
@SentryCacheTestSuite.with_args(
@@ -351,56 +305,68 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
"--authorization_policy_provider_class="
"org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
.format(SENTRY_CONFIG_FILE_OO_NOGRANT,
- str(SENTRY_POLLING_FREQUENCY_S)),
+ SENTRY_LONG_POLLING_FREQUENCY_S),
sentry_config=SENTRY_CONFIG_FILE_OO_NOGRANT,
sentry_log_dir="{0}/test_owner_privileges_without_grant"
.format(SENTRY_BASE_LOG_DIR))
def test_owner_privileges_without_grant(self, vector, unique_database):
- self.__execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.DATABASE,
- "owner_priv_db"), sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.TABLE,
- unique_database + ".owner_priv_tbl"),
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
- self.__execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.VIEW,
- unique_database + ".owner_priv_view"),
- sentry_refresh_timeout_s=SENTRY_REFRESH_TIMEOUT_S)
-
- def __execute_owner_privilege_tests_oo_nogrant(self, test_obj,
- sentry_refresh_timeout_s=0):
+ """Tests owner privileges without grant on database, table, and view.
+ - invalidate_metadata=True: With Sentry refresh to make sure privileges are really
+ stored in Sentry.
+ - invalidate_metadata=False: No Sentry refresh to make sure user can use owner
+ privileges right away without a Sentry refresh."""
+ for invalidate in [True, False]:
+ try:
+ self._setup_ownership_test()
+ self._execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.DATABASE,
+ "owner_priv_db"),
+ invalidate_metadata=invalidate)
+ self._execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.TABLE,
+ unique_database +
+ ".owner_priv_tbl"),
+ invalidate_metadata=invalidate)
+ self._execute_owner_privilege_tests_oo_nogrant(TestObject(TestObject.VIEW,
+ unique_database +
+ ".owner_priv_view"),
+ invalidate_metadata=invalidate)
+ finally:
+ self._cleanup_ownership_test()
+
+ def _execute_owner_privilege_tests_oo_nogrant(self, test_obj, invalidate_metadata):
"""
Executes all the statements required to validate owner privileges work correctly
for a specific database, table, or view.
"""
# Create object and ensure oo_user1 gets owner privileges.
self.oo_user1_impalad_client = self.create_impala_client()
- self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s"
- % (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
- test_obj.view_select), user="oo_user1")
+ self.user_query(self.oo_user1_impalad_client, "create %s if not exists %s %s %s" %
+ (test_obj.obj_type, test_obj.obj_name, test_obj.table_def,
+ test_obj.view_select), user="oo_user1")
self.validate_privileges(self.oo_user1_impalad_client, "show grant user oo_user1",
- test_obj, sentry_refresh_timeout_s, "oo_user1")
+ test_obj, user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
# Ensure grant doesn't work.
self.user_query(self.oo_user1_impalad_client,
- "grant all on %s %s to role owner_priv_test_all_role"
- % (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
- error_msg="does not have privileges to execute: GRANT_PRIVILEGE")
+ "grant all on %s %s to role owner_priv_test_all_role" %
+ (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges to execute: GRANT_PRIVILEGE")
self.user_query(self.oo_user1_impalad_client,
- "revoke all on %s %s from role owner_priv_test_all_role"
- % (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
- error_msg="does not have privileges to execute: REVOKE_PRIVILEGE")
+ "revoke all on %s %s from role owner_priv_test_all_role" %
+ (test_obj.grant_name, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges to execute: REVOKE_PRIVILEGE")
- # Use a delay to avoid cache consistency issue that could occur after create.
- self.user_query(self.oo_user1_impalad_client, "alter %s %s set owner user oo_user2"
- % (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
- delay_s=sentry_refresh_timeout_s,
- error_msg="does not have privileges with 'GRANT OPTION'")
+ self.user_query(self.oo_user1_impalad_client, "alter %s %s set owner user oo_user2" %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1",
+ error_msg="does not have privileges with 'GRANT OPTION'")
# Use a delay to avoid cache consistency issue that could occur after alter.
- self.user_query(self.oo_user1_impalad_client, "drop %s %s " % (test_obj.obj_type,
- test_obj.obj_name), user="oo_user1", delay_s=sentry_refresh_timeout_s)
- assert self._validate_user_privilege_count(self.oo_user1_impalad_client,
- "show grant user oo_user1", "oo_user1", sentry_refresh_timeout_s, 0)
+ self.user_query(self.oo_user1_impalad_client, "drop %s %s " %
+ (test_obj.obj_type, test_obj.obj_name), user="oo_user1")
+ assert self._validate_no_user_privileges(self.oo_user1_impalad_client,
+ user="oo_user1",
+ invalidate_metadata=invalidate_metadata)
@pytest.mark.execute_serially
@SentryCacheTestSuite.with_args(
@@ -408,10 +374,10 @@ class TestOwnerPrivileges(SentryCacheTestSuite):
"--authorization_policy_provider_class="
"org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
.format(SENTRY_CONFIG_FILE_OO),
- catalogd_args="--sentry_config={0} --sentry_catalog_polling_frequency_s={1} "
+ catalogd_args="--sentry_config={0} "
"--authorization_policy_provider_class="
"org.apache.impala.service.CustomClusterResourceAuthorizationProvider"
- .format(SENTRY_CONFIG_FILE_OO, str(SENTRY_POLLING_FREQUENCY_S)),
+ .format(SENTRY_CONFIG_FILE_OO),
sentry_config=SENTRY_CONFIG_FILE_OO,
sentry_log_dir="{0}/test_owner_privileges_different_cases"
.format(SENTRY_BASE_LOG_DIR))
http://git-wip-us.apache.org/repos/asf/impala/blob/76160838/tests/common/sentry_cache_test_suite.py
----------------------------------------------------------------------
diff --git a/tests/common/sentry_cache_test_suite.py b/tests/common/sentry_cache_test_suite.py
index 1a8aa24..4aca3be 100644
--- a/tests/common/sentry_cache_test_suite.py
+++ b/tests/common/sentry_cache_test_suite.py
@@ -17,20 +17,7 @@
#
# Base class for test that need to run with both just privilege
# cache as well as Sentry privilege refresh.
-# There are two variables (delay_s timeout) used in these methods.
-# The first is the timeout when validating privileges. This is
-# needed to ensure that the privileges returned have been updated
-# from Sentry. The second is the delay_s before executing a query.
-# This is needed to ensure Sentry has been updated before running
-# the query. The reason for both is because the timeout can
-# be short circuited upon successful results. Using the delay_s
-# for every query and test would add significant time. As an
-# example, if a revoke is called, the expectation is the privilege
-# would not be in the result. If the cache is updated correctly,
-# but Sentry was not, using the timeout check, we would miss that
-# Sentry was not updated correctly.
-from time import sleep, time
from tests.common.custom_cluster_test_suite import CustomClusterTestSuite
@@ -40,12 +27,10 @@ class SentryCacheTestSuite(CustomClusterTestSuite):
return val.lower() == 'true'
@staticmethod
- def __check_privileges(result, test_obj, null_create_date=True, show_user=False):
+ def check_privileges(result, test_obj, null_create_date, show_user):
"""
- This method validates privileges. Most validations are assertions, but for
- null_create_date, we just return False to indicate the privilege cannot
- be validated because it has not been refreshed from Sentry yet. If the query is
- for "show grant user" then we need to account for the two extra columns.
+ This method validates privileges. If the query is for "show grant user" then we need
+ to account for the two extra columns.
"""
# results should have the following columns for offset 0
# scope, database, table, column, uri, privilege, grant_option, create_time
@@ -69,41 +54,30 @@ class SentryCacheTestSuite(CustomClusterTestSuite):
return False
return True
- def validate_privileges(self, client, query, test_obj, timeout_sec=None, user=None,
- delay_s=0):
- """Validate privileges. If timeout_sec is > 0 then retry until create_date is not null
- or the timeout_sec is reached. If delay_s is > 0 then wait that long before running.
+ def validate_privileges(self, client, query, test_obj, user=None,
+ invalidate_metadata=False):
+ """Validate privileges. When invalidate_metadata is set to True, this function
+ will call "invalidate metadata" to ensure the privileges get refreshed from Sentry.
"""
show_user = True if 'show grant user' in query else False
- if delay_s > 0:
- sleep(delay_s)
- if timeout_sec is None or timeout_sec <= 0:
- self.__check_privileges(self.execute_query_expect_success(client, query,
- user=user), test_obj, show_user=show_user)
- else:
- start_time = time()
- while time() - start_time < timeout_sec:
- result = self.execute_query_expect_success(client, query, user=user)
- success = self.__check_privileges(result, test_obj, null_create_date=False,
- show_user=show_user)
- if success:
- return True
- sleep(1)
- return False
+ if invalidate_metadata: self.execute_query('invalidate metadata')
+ result = self.execute_query_expect_success(client, query, user=user)
+ return SentryCacheTestSuite.check_privileges(result, test_obj,
+ null_create_date=not invalidate_metadata,
+ show_user=show_user)
- def user_query(self, client, query, user=None, delay_s=0, error_msg=None):
+ def user_query(self, client, query, user=None, error_msg=None):
"""
- Executes a query with the root user client. If delay_s is > 0 then wait before
- running the query. This is used to wait for Sentry refresh. If error_msg is
- set, then expect a failure. Returns None when there is no error_msg.
+ Executes a query with the specified user client. If error_msg is set, then expect a
+ failure. Returns None when there is no error_msg.
"""
- if delay_s > 0:
- sleep(delay_s)
if error_msg is not None:
- e = self.execute_query_expect_failure(client, query, user=user)
- self.verify_exceptions(error_msg, str(e))
+ e = self.execute_query_expect_failure(client, query, query_options={"sync_ddl": 1},
+ user=user)
+ SentryCacheTestSuite.verify_exceptions(error_msg, str(e))
return None
- return self.execute_query_expect_success(client, query, user=user)
+ return self.execute_query_expect_success(client, query, query_options={"sync_ddl": 1},
+ user=user)
@staticmethod
def verify_exceptions(expected_str, actual_str):