You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by ls...@apache.org on 2015/01/12 18:22:05 UTC
[1/2] incubator-sentry git commit: SENTRY-595: [UnitTest] In Kerberos
mode, client should run under clientSubject (Dapeng Sun via Lenni Kuff)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 6cb65f9f3 -> 78b61c9af
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/78b61c9a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 4a6cac9..033af1c 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -50,548 +50,598 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
@Test
public void testCreateDropShowRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
-
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- }
- client.dropRole(requestorUserName, roleName);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+
+ client.createRole(requestorUserName, roleName);
+
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ for (TSentryRole role:roles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ }
+ client.dropRole(requestorUserName, roleName);
+ }});
}
-
@Test
public void testGranRevokePrivilegeOnTableForRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
-
-
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
-
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
+
+
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
+
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
+
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+ }});
}
@Test
public void testMultipleRolesSamePrivilege() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+ }});
}
-
@Test
public void testShowRoleGrant() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String groupName = "group1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantRoleToGroup(requestorUserName, groupName, roleName);
- Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName);
- assertTrue(groupRoles.size() == 1);
- for (TSentryRole role:groupRoles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (TSentryGroup group :role.getGroups()) {
- assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
- }
- }
-
- client.dropRole(requestorUserName, roleName);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_testdb";
+ String groupName = "group1";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ client.grantRoleToGroup(requestorUserName, groupName, roleName);
+ Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName);
+ assertTrue(groupRoles.size() == 1);
+ for (TSentryRole role:groupRoles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ assertTrue(role.getGroups().size() == 1);
+ for (TSentryGroup group :role.getGroups()) {
+ assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
+ }
+ }
+
+ client.dropRole(requestorUserName, roleName);
+ }});
}
@Test
public void testShowGrant() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String server = "server1";
- String db = "testDB";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 1);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
- client.dropRole(requestorUserName, roleName);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_testdb";
+ String server = "server1";
+ String db = "testDB";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
+ assertTrue(privileges.size() == 1);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
+ client.dropRole(requestorUserName, roleName);
+ }});
}
- // See SENTRY-166
+ //See SENTRY-166
@Test
public void testUriWithEquals() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String server = "server1";
- String uri = "file://u/w/h/t/partition=value/";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- // Creating associated role
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantURIPrivilege(requestorUserName, roleName, server, uri);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 1);
-
- // Revoking the same privilege
- client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
- privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 0);
-
- // Clean up
- client.dropRole(requestorUserName, roleName);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_testdb";
+ String server = "server1";
+ String uri = "file://u/w/h/t/partition=value/";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ // Creating associated role
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ client.grantURIPrivilege(requestorUserName, roleName, server, uri);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
+ assertTrue(privileges.size() == 1);
+
+ // Revoking the same privilege
+ client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
+ privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
+ assertTrue(privileges.size() == 0);
+
+ // Clean up
+ client.dropRole(requestorUserName, roleName);
+ }});
}
- // See SENTRY-181
+
+ //See SENTRY-181
@Test
public void testSameGrantTwice() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
-
- client.createRole(requestorUserName, roleName);
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+
+ client.createRole(requestorUserName, roleName);
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ }});
}
@Test
public void testGrantRevokeWithGrantOption() throws Exception {
- // Grant a privilege with Grant Option
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
- boolean grantOption = true;
- boolean withoutGrantOption = false;
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Try to revoke the privilege without grantOption and can't revoke the privilege.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Try to revoke the privilege with grantOption, the privilege will be revoked.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Grant a privilege with Grant Option
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+ boolean grantOption = true;
+ boolean withoutGrantOption = false;
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Try to revoke the privilege without grantOption and can't revoke the privilege.
+ client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Try to revoke the privilege with grantOption, the privilege will be revoked.
+ client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
+ assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ }});
}
@Test
public void testGrantTwoPrivilegeDiffInGrantOption() throws Exception {
- // Grant a privilege with 'Grant Option'.
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
- boolean grantOption = true;
- boolean withoutGrantOption = false;
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Grant a privilege without 'Grant Option'.
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
- assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Use 'grantOption = null', the two privileges will be revoked.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null);
- assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Grant a privilege with 'Grant Option'.
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+ boolean grantOption = true;
+ boolean withoutGrantOption = false;
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Grant a privilege without 'Grant Option'.
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
+ assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Use 'grantOption = null', the two privileges will be revoked.
+ client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null);
+ assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ }});
}
@Test
public void testGranRevokePrivilegeOnColumnForRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size());
-
-
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2);
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
-
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
+
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size());
+
+
+ client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6);
+
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2);
+ client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+ }});
}
public void testListByAuthDB() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2);
- String group1 = "group1";
- String group2 = "group2";
- Set<String> testGroupSet = Sets.newHashSet(group1, group2);
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- String group1user = "group1user";
- setLocalGroupMapping(group1user, Sets.newHashSet(group1));
- String group2user = "group2user";
- setLocalGroupMapping(group2user, Sets.newHashSet(group2));
- setLocalGroupMapping("random", Sets.newHashSet("foo"));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- TSentryPrivilege role1db1 = client.grantDatabasePrivilege(
- requestorUserName, roleName1, server, db, AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
- client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri");
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- TSentryPrivilege role2db1 = client.grantDatabasePrivilege(
- requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap()
- .put(roleName1, Sets.newHashSet(role1db1));
- db1RoleToPrivMap.getPrivilegeMap()
- .put(roleName2, Sets.newHashSet(role2db1));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> db1Authrizable = Lists.newArrayList(
- new Server(server), new Database(db));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db1Authrizable);
-
- // verify for null group and null roleset
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for null group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- null, new ActiveRoleSet(testRoleSet));
- assertEquals(expectedResults, authPrivMap);
-
- // verify for null group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null,
- ActiveRoleSet.ALL);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and null roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, null);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, new ActiveRoleSet(testRoleSet));
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and ALL roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, ActiveRoleSet.ALL);
- assertEquals(expectedResults, authPrivMap);
-
- // verify users not belonging to any group are not shown anything
- authPrivMap = client
- .listPrivilegsbyAuthorizable("random", authorizableSet,
- new HashSet<String>(), ActiveRoleSet.ALL);
- expectedResults.clear();
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
- new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
- assertEquals(expectedResults, authPrivMap);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2);
+ String group1 = "group1";
+ String group2 = "group2";
+ Set<String> testGroupSet = Sets.newHashSet(group1, group2);
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ String group1user = "group1user";
+ setLocalGroupMapping(group1user, Sets.newHashSet(group1));
+ String group2user = "group2user";
+ setLocalGroupMapping(group2user, Sets.newHashSet(group2));
+ setLocalGroupMapping("random", Sets.newHashSet("foo"));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ TSentryPrivilege role1db1 = client.grantDatabasePrivilege(
+ requestorUserName, roleName1, server, db, AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
+ AccessConstants.SELECT);
+ client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri");
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ TSentryPrivilege role2db1 = client.grantDatabasePrivilege(
+ requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+ // build expected output
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap()
+ .put(roleName1, Sets.newHashSet(role1db1));
+ db1RoleToPrivMap.getPrivilegeMap()
+ .put(roleName2, Sets.newHashSet(role2db1));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
+ .newTreeMap();
+ List<? extends Authorizable> db1Authrizable = Lists.newArrayList(
+ new Server(server), new Database(db));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(db1Authrizable);
+
+ // verify for null group and null roleset
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for null group and specific roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ null, new ActiveRoleSet(testRoleSet));
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for null group and specific roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null,
+ ActiveRoleSet.ALL);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for specific group and null roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ testGroupSet, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for specific group and specific roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ testGroupSet, new ActiveRoleSet(testRoleSet));
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for specific group and ALL roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ testGroupSet, ActiveRoleSet.ALL);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify users not belonging to any group are not shown anything
+ authPrivMap = client
+ .listPrivilegsbyAuthorizable("random", authorizableSet,
+ new HashSet<String>(), ActiveRoleSet.ALL);
+ expectedResults.clear();
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
+ new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
+ assertEquals(expectedResults, authPrivMap);
+ }});
}
@Test
public void testListByAuthTab() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(
- requestorUserName, roleName1, server, db, AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- TSentryPrivilege role1db2tab = client.grantTablePrivilege(
- requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
-
- client.grantDatabasePrivilege(
- requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- TSentryPrivilege role2db2tab = client.grantTablePrivilege(
- requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantURIPrivilege(requestorUserName, roleName1, server,
- "hdfs:///fooUri");
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap()
-.put(roleName1,
- Sets.newHashSet(role1db2tab));
- db1RoleToPrivMap.getPrivilegeMap()
-.put(roleName2,
- Sets.newHashSet(role2db2tab));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList(
- new Server(server), new Database(db2), new Table(tab));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db2TabAuthrizable);
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
-
- assertEquals(expectedResults, authPrivMap);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantDatabasePrivilege(
+ requestorUserName, roleName1, server, db, AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ TSentryPrivilege role1db2tab = client.grantTablePrivilege(
+ requestorUserName, roleName1, server, db2, tab,
+ AccessConstants.SELECT);
+
+ client.grantDatabasePrivilege(
+ requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ TSentryPrivilege role2db2tab = client.grantTablePrivilege(
+ requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ client.grantURIPrivilege(requestorUserName, roleName1, server,
+ "hdfs:///fooUri");
+
+ // build expected output
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap()
+ .put(roleName1,
+ Sets.newHashSet(role1db2tab));
+ db1RoleToPrivMap.getPrivilegeMap()
+ .put(roleName2,
+ Sets.newHashSet(role2db2tab));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
+ .newTreeMap();
+ List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList(
+ new Server(server), new Database(db2), new Table(tab));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(db2TabAuthrizable);
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
+
+ assertEquals(expectedResults, authPrivMap);
+ }});
}
@Test
public void testListByAuthUri() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- String uri1 = "hdfs:///fooUri";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
- TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName,
- roleName1, server, uri1);
-
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName,
- roleName2, server, uri1);
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
- Sets.newHashSet(role1uri1));
- db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
- Sets.newHashSet(role2uri2));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> uri1Authrizable = Lists.newArrayList(
- new Server(server), new AccessURI(uri1));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(uri1Authrizable);
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
-
- assertEquals(expectedResults, authPrivMap);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ String uri1 = "hdfs:///fooUri";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
+ AccessConstants.SELECT);
+ TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName,
+ roleName1, server, uri1);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName,
+ roleName2, server, uri1);
+
+ // build expected output
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
+ Sets.newHashSet(role1uri1));
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
+ Sets.newHashSet(role2uri2));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
+ .newTreeMap();
+ List<? extends Authorizable> uri1Authrizable = Lists.newArrayList(
+ new Server(server), new AccessURI(uri1));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(uri1Authrizable);
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
+
+ assertEquals(expectedResults, authPrivMap);
+ }});
}
/**
@@ -601,105 +651,109 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
*/
@Test
public void testListByAuthTabForNonAdmin() throws Exception {
- String requestorUserName = ADMIN_USER;
- String user1 = "user1";
- String group1 = "group1";
- String group2 = "group2";
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- Set<String> userGroupNames1 = Sets.newHashSet(group1);
- Set<String> userGroupNames2 = Sets.newHashSet(group2);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(user1, userGroupNames1);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- TSentryPrivilege role1db2tab = client.grantTablePrivilege(
- requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT);
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantURIPrivilege(requestorUserName, roleName1, server,
- "hdfs:///fooUri");
-
- // build expected output. user1 should see privileges on tab1 from role1
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap();
- List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList(
- new Server(server), new Database(db2), new Table(tab));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db2TabAuthorizable);
-
- // list privileges with null group and roles
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with empty group set and null roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- new HashSet<String>(), null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with null group set and ALL roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- null, new ActiveRoleSet(true));
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with user1's group set and null roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- userGroupNames1, null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with user1's group set and ALL roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- userGroupNames1, new ActiveRoleSet(true));
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with null group and user's specific roles with uppercase name
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase())));
- assertEquals(expectedResults, authPrivMap);
-
- // verify that user1 can't query group2
- try {
- client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null);
- fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2);
- } catch (SentryAccessDeniedException e) {
- // expected
- }
-
- // verify that user1 can't query role2
- ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2));
- try {
- client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
- fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2);
- } catch (SentryAccessDeniedException e) {
- // expected
- }
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ String user1 = "user1";
+ String group1 = "group1";
+ String group2 = "group2";
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ Set<String> userGroupNames1 = Sets.newHashSet(group1);
+ Set<String> userGroupNames2 = Sets.newHashSet(group2);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ setLocalGroupMapping(user1, userGroupNames1);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ TSentryPrivilege role1db2tab = client.grantTablePrivilege(
+ requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT);
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ client.grantURIPrivilege(requestorUserName, roleName1, server,
+ "hdfs:///fooUri");
+
+ // build expected output. user1 should see privileges on tab1 from role1
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap();
+ List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList(
+ new Server(server), new Database(db2), new Table(tab));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(db2TabAuthorizable);
+
+ // list privileges with null group and roles
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with empty group set and null roles
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ new HashSet<String>(), null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with null group set and ALL roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ null, new ActiveRoleSet(true));
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with user1's group set and null roles
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ userGroupNames1, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with user1's group set and ALL roles
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ userGroupNames1, new ActiveRoleSet(true));
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with null group and user's specific roles with uppercase name
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase())));
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify that user1 can't query group2
+ try {
+ client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null);
+ fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2);
+ } catch (SentryAccessDeniedException e) {
+ // expected
+ }
+
+ // verify that user1 can't query role2
+ ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2));
+ try {
+ client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
+ fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2);
+ } catch (SentryAccessDeniedException e) {
+ // expected
+ }
+ }});
}
/**
@@ -708,58 +762,66 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
* @param defaultVal A default to pass to getConfigValue
* @throws Exception
*/
- private void checkBannedConfigVal(String configVal, String defaultVal)
+ private void checkBannedConfigVal(final String configVal, final String defaultVal)
throws Exception {
- try {
- client.getConfigValue(configVal, defaultVal);
- fail("Attempt to access " + configVal + " succeeded");
- } catch (SentryAccessDeniedException e) {
- assertTrue(e.toString().contains("was denied"));
- assertTrue(e.toString().contains(configVal));
- }
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ try {
+ client.getConfigValue(configVal, defaultVal);
+ fail("Attempt to access " + configVal + " succeeded");
+ } catch (SentryAccessDeniedException e) {
+ assertTrue(e.toString().contains("was denied"));
+ assertTrue(e.toString().contains(configVal));
+ }
+ }});
}
@Test
public void testGetConfigVal() throws Exception {
- String val;
-
- // Basic success case
- val = client.getConfigValue("sentry.service.admin.group", "xxx");
- assertEquals(val, "admin_group");
-
- // Undefined value gets the default back
- val = client.getConfigValue("sentry.this.is.not.defined", "hello");
- assertEquals(val, "hello");
-
- // Undefined value and null default gets null back
- val = client.getConfigValue("sentry.this.is.not.defined", null);
- assertEquals(val, null);
-
- // Known config value with null default works as expected
- val = client.getConfigValue("sentry.service.admin.group", null);
- assertEquals(val, "admin_group");
-
- // Value that is forbidden (anything not starting with "sentry") dies
- checkBannedConfigVal("notsentry", "xxx");
-
- // Ditto with a null default
- checkBannedConfigVal("notsentry", null);
-
- // Values with .jdbc. are forbidden
- checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
-
- // Values with password are forbidden
- checkBannedConfigVal("sentry.xxx.password", null);
-
- // Attempt to get the location of the keytab also fails
- checkBannedConfigVal("sentry.service.server.keytab", null);
-
- // null parameter name fails
- try {
- val = client.getConfigValue(null, null);
- fail("null parameter succeeded");
- } catch (SentryUserException e) {
- // expected
- }
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String val;
+
+ // Basic success case
+ val = client.getConfigValue("sentry.service.admin.group", "xxx");
+ assertEquals(val, "admin_group");
+
+ // Undefined value gets the default back
+ val = client.getConfigValue("sentry.this.is.not.defined", "hello");
+ assertEquals(val, "hello");
+
+ // Undefined value and null default gets null back
+ val = client.getConfigValue("sentry.this.is.not.defined", null);
+ assertEquals(val, null);
+
+ // Known config value with null default works as expected
+ val = client.getConfigValue("sentry.service.admin.group", null);
+ assertEquals(val, "admin_group");
+
+ // Value that is forbidden (anything not starting with "sentry") dies
+ checkBannedConfigVal("notsentry", "xxx");
+
+ // Ditto with a null default
+ checkBannedConfigVal("notsentry", null);
+
+ // Values with .jdbc. are forbidden
+ checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
+
+ // Values with password are forbidden
+ checkBannedConfigVal("sentry.xxx.password", null);
+
+ // Attempt to get the location of the keytab also fails
+ checkBannedConfigVal("sentry.service.server.keytab", null);
+
+ // null parameter name fails
+ try {
+ val = client.getConfigValue(null, null);
+ fail("null parameter succeeded");
+ } catch (SentryUserException e) {
+ // expected
+ }
+ }});
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/78b61c9a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index be14afd..0bdc3a2 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -277,4 +277,21 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase
}
+ protected void runTestAsSubject(final TestOperation test) throws Exception {
+ if (this.kerberos) {
+ Subject.doAs(clientSubject, new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ test.runTestAsSubject();
+ return null;
+ }});
+ } else {
+ test.runTestAsSubject();
+ }
+ }
+
+ protected interface TestOperation {
+ public void runTestAsSubject() throws Exception;
+ }
+
}
[2/2] incubator-sentry git commit: SENTRY-595: [UnitTest] In Kerberos
mode, client should run under clientSubject (Dapeng Sun via Lenni Kuff)
Posted by ls...@apache.org.
SENTRY-595: [UnitTest] In Kerberos mode, client should run under clientSubject (Dapeng Sun via Lenni Kuff)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/78b61c9a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/78b61c9a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/78b61c9a
Branch: refs/heads/master
Commit: 78b61c9af900ee194ad733befd43e40602a5822f
Parents: 6cb65f9
Author: Lenni Kuff <ls...@cloudera.com>
Authored: Mon Jan 12 09:21:38 2015 -0800
Committer: Lenni Kuff <ls...@cloudera.com>
Committed: Mon Jan 12 09:21:38 2015 -0800
----------------------------------------------------------------------
.../TestSentryGenericServiceIntegration.java | 593 ++++----
.../thrift/TestSentryServiceIntegration.java | 1346 +++++++++---------
.../thrift/SentryServiceIntegrationBase.java | 17 +
3 files changed, 1037 insertions(+), 919 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/78b61c9a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
index 596a8c7..dfd9f10 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
@@ -79,354 +79,393 @@ public class TestSentryGenericServiceIntegration extends SentryServiceIntegratio
@Test
public void testCreateDropShowRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
- client.createRole(requestorUserName, roleName, SOLR);
+ client.createRole(requestorUserName, roleName, SOLR);
- client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames));
+ client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames));
- Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
- assertEquals("Incorrect number of roles", 1, roles.size());
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- }
- client.dropRole(requestorUserName, roleName, SOLR);
+ Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+ for (TSentryRole role:roles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ }
+ client.dropRole(requestorUserName, roleName, SOLR);
+ }});
}
@Test
public void testAddDeleteRoleToGroup() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String testGroupName = "g1";
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
-
- client.createRole(requestorUserName, roleName, SOLR);
-
- client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
-
- Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
- assertEquals("Incorrect number of roles", 1, roles.size());
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (String group :role.getGroups()) {
- assertEquals(testGroupName, group);
- }
- }
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String testGroupName = "g1";
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
+
+ Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+ for (TSentryRole role:roles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ assertTrue(role.getGroups().size() == 1);
+ for (String group :role.getGroups()) {
+ assertEquals(testGroupName, group);
+ }
+ }
- client.deleteRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
- roles = client.listUserRoles(requestorUserName,SOLR);
- assertEquals("Incorrect number of roles", 0, roles.size());
+ client.deleteRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
+ roles = client.listUserRoles(requestorUserName,SOLR);
+ assertEquals("Incorrect number of roles", 0, roles.size());
- client.dropRole(requestorUserName, roleName, SOLR);
+ client.dropRole(requestorUserName, roleName, SOLR);
+ }});
}
@Test
public void testGranRevokePrivilege() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
- client.createRole(requestorUserName, roleName1, SOLR);
-
- client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
- client.createRole(requestorUserName, roleName2, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.UPDATE);
-
- client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
- client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
-
- client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
- client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
-
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
+ client.createRole(requestorUserName, roleName1, SOLR);
+
+ client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
+ client.createRole(requestorUserName, roleName2, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.UPDATE);
+
+ client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+ client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
+
+ client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+ client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
+ }});
}
@Test
public void testMultipleRolesSamePrivilege() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
- client.createRole(requestorUserName, roleName1, SOLR);
-
- client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
- client.createRole(requestorUserName, roleName2, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1");
- assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
-
- client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege);
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1");
- assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
+ client.createRole(requestorUserName, roleName1, SOLR);
+
+ client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
+ client.createRole(requestorUserName, roleName2, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1");
+ assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
+
+ client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege);
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1");
+ assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+ }});
}
@Test
public void testShowRoleGrant() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r1";
- String groupName = "group1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
- client.createRole(requestorUserName, roleName, SOLR);
- client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName));
-
- Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR);
- assertTrue(groupRoles.size() == 1);
- for (TSentryRole role:groupRoles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (String group :role.getGroups()) {
- assertEquals(groupName, group);
- }
- }
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r1";
+ String groupName = "group1";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+ client.createRole(requestorUserName, roleName, SOLR);
+ client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName));
+
+ Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR);
+ assertTrue(groupRoles.size() == 1);
+ for (TSentryRole role:groupRoles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ assertTrue(role.getGroups().size() == 1);
+ for (String group :role.getGroups()) {
+ assertEquals(groupName, group);
+ }
+ }
- client.dropRole(requestorUserName, roleName, SOLR);
+ client.dropRole(requestorUserName, roleName, SOLR);
+ }});
}
@Test
public void testShowGrant() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
- client.createRole(requestorUserName, roleName, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.UPDATE);
-
- client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
- client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
- assertTrue(privileges.size() == 2);
-
- client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
- privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
- assertTrue(privileges.size() == 1);
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r1";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.UPDATE);
+
+ client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
+ client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+ Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
+ assertTrue(privileges.size() == 2);
+
+ client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
+ privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
+ assertTrue(privileges.size() == 1);
+ }});
}
@Test
public void testSameGrantTwice() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
-
- client.createRole(requestorUserName, roleName, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
- assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size());
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+ assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size());
+ }});
}
@Test
public void testGrantRevokeWithGrantOption() throws Exception {
- String adminUser = ADMIN_USER;
- Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
- String grantOptionUser = "user1";
- Set<String> grantOptionGroup = Sets.newHashSet("group1");
- String noGrantOptionUser = "user2";
- Set<String> noGrantOptionGroup = Sets.newHashSet("group2");
-
- setLocalGroupMapping(adminUser, adminGroup);
- setLocalGroupMapping(grantOptionUser, grantOptionGroup);
- setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup);
- writePolicyFile();
-
- String grantRole = "grant_r";
- String noGrantRole = "no_grant_r";
- String testRole = "test_role";
-
- client.createRole(adminUser, grantRole, SOLR);
- client.createRole(adminUser, noGrantRole, SOLR);
- client.createRole(adminUser, testRole, SOLR);
-
- TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"))),
- SearchConstants.QUERY);
- grantPrivilege.setGrantOption(TSentryGrantOption.TRUE);
-
- TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"))),
- SearchConstants.QUERY);
- noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE);
-
- TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
- testPrivilege.setGrantOption(TSentryGrantOption.FALSE);
-
- client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege);
- client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege);
-
- client.addRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup);
- client.addRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup);
-
- try {
- client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege);
- } catch (SentryUserException e) {
- fail("grantOptionUser failed grant privilege to user");
- }
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String adminUser = ADMIN_USER;
+ Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+ String grantOptionUser = "user1";
+ Set<String> grantOptionGroup = Sets.newHashSet("group1");
+ String noGrantOptionUser = "user2";
+ Set<String> noGrantOptionGroup = Sets.newHashSet("group2");
+
+ setLocalGroupMapping(adminUser, adminGroup);
+ setLocalGroupMapping(grantOptionUser, grantOptionGroup);
+ setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup);
+ writePolicyFile();
+
+ String grantRole = "grant_r";
+ String noGrantRole = "no_grant_r";
+ String testRole = "test_role";
+
+ client.createRole(adminUser, grantRole, SOLR);
+ client.createRole(adminUser, noGrantRole, SOLR);
+ client.createRole(adminUser, testRole, SOLR);
+
+ TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"))),
+ SearchConstants.QUERY);
+ grantPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+
+ TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"))),
+ SearchConstants.QUERY);
+ noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+ testPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+
+ client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege);
+ client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege);
+
+ client.addRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup);
+ client.addRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup);
+
+ try {
+ client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege);
+ } catch (SentryUserException e) {
+ fail("grantOptionUser failed grant privilege to user");
+ }
- try {
- client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
- fail("noGrantOptionUser can't grant privilege to user");
- } catch (SentryUserException e) {
- }
+ try {
+ client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
+ fail("noGrantOptionUser can't grant privilege to user");
+ } catch (SentryUserException e) {
+ }
- try {
- client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege);
- } catch(SentryUserException e) {
- fail("grantOptionUser failed revoke privilege to user");
- }
+ try {
+ client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege);
+ } catch(SentryUserException e) {
+ fail("grantOptionUser failed revoke privilege to user");
+ }
- try {
- client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
- fail("noGrantOptionUser can't revoke privilege to user");
- } catch (SentryUserException e) {
- }
+ try {
+ client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
+ fail("noGrantOptionUser can't revoke privilege to user");
+ } catch (SentryUserException e) {
+ }
+ }});
}
@Test
public void testGetPrivilegeByHierarchy() throws Exception {
- String adminUser = ADMIN_USER;
- Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
- String testRole = "role1";
- Set<String> testGroup = Sets.newHashSet("group1");
- String testUser = "user1";
- setLocalGroupMapping(adminUser, adminGroup);
- setLocalGroupMapping(testUser, testGroup);
- writePolicyFile();
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String adminUser = ADMIN_USER;
+ Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+ String testRole = "role1";
+ Set<String> testGroup = Sets.newHashSet("group1");
+ String testUser = "user1";
+ setLocalGroupMapping(adminUser, adminGroup);
+ setLocalGroupMapping(testUser, testGroup);
+ writePolicyFile();
- client.createRole(adminUser, testRole, SOLR);
- client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
+ client.createRole(adminUser, testRole, SOLR);
+ client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
- SearchConstants.UPDATE);
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
+ SearchConstants.UPDATE);
- client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
- client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
+ client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
+ client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
- assertEquals(2, client.listPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size());
+ assertEquals(2, client.listPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size());
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c1"))).size());
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c1"))).size());
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c2"))).size());
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c2"))).size());
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
- //test listPrivilegesForProvider by group(testGroup)
- ActiveRoleSet roleSet = ActiveRoleSet.ALL;
+ //test listPrivilegesForProvider by group(testGroup)
+ ActiveRoleSet roleSet = ActiveRoleSet.ALL;
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c1"))).size());
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c1"))).size());
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c2"))).size());
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c2"))).size());
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size());
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ }});
}
@Test
public void testDropAndRenamePrivilege() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
- client.createRole(requestorUserName, roleName, SOLR);
+ client.createRole(requestorUserName, roleName, SOLR);
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
- client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+ client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
- assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+ assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
- assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
- client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- Arrays.asList(new Collection("c2"), new Field("f2")));
+ client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+ Arrays.asList(new Collection("c2"), new Field("f2")));
- assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+ assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
- assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
- TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
- SearchConstants.QUERY);
+ TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
+ SearchConstants.QUERY);
- client.dropPrivilege(requestorUserName, SOLR, dropPrivilege);
+ client.dropPrivilege(requestorUserName, SOLR, dropPrivilege);
- assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ }});
}
private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {