http://git-wip-us.apache.org/repos/asf/sentry/blob/bfb354f2/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java new file mode 100644 index 0000000..f1e6d75 --- /dev/null +++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java @@ -0,0 +1,218 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.metastore; + +import java.io.IOException; +import java.security.PrivilegedExceptionAction; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.apache.hadoop.hive.cli.CliSessionState; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.metastore.api.FieldSchema; +import org.apache.hadoop.hive.metastore.api.Order; +import org.apache.hadoop.hive.metastore.api.Partition; +import org.apache.hadoop.hive.metastore.api.SerDeInfo; +import org.apache.hadoop.hive.metastore.api.StorageDescriptor; +import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.hadoop.hive.ql.Driver; +import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.serde.serdeConstants; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.pig.PigServer; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration; +import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory.HiveServer2Type; +import org.junit.BeforeClass; + +public abstract class AbstractMetastoreTestWithStaticConfiguration extends + AbstractTestWithStaticConfiguration { + + @BeforeClass + public static void setupTestStaticConfiguration() throws Exception { + useSentryService = true; + clearDbPerTest = false; + testServerType = HiveServer2Type.InternalMetastore.name(); + AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); + } + + protected static void writePolicyFile(PolicyFile policyFile) throws Exception { + policyFile.write(context.getPolicyFile()); + } + + public static PolicyFile setAdminOnServer1(String adminGroup) + throws Exception { + return SentryPolicyProviderForDb.setAdminOnServer1(adminGroup, + getSentryClient()); + } + /** + * create a metastore table using the given attributes + * @param client + * @param dbName + * @param tabName + * @param cols + * @return + * @throws Exception + */ + public Table createMetastoreTable(HiveMetaStoreClient client, String dbName, + String tabName, List<FieldSchema> cols) throws Exception { + + Table tbl = makeMetastoreTableObject(client, dbName, tabName, cols); + client.createTable(tbl); + return tbl; + } + + public Table createMetastoreTableWithLocation(HiveMetaStoreClient client, + String dbName, String tabName, List<FieldSchema> cols, String location) + throws Exception { + Table tbl = makeMetastoreTableObject(client, dbName, tabName, cols); + tbl.getSd().setLocation(location); + client.createTable(tbl); + return tbl; + + } + + public Table createMetastoreTableWithPartition(HiveMetaStoreClient client, + String dbName, String tabName, List<FieldSchema> cols, + List<FieldSchema> partionVals) throws Exception { + Table tbl = makeMetastoreTableObject(client, dbName, tabName, cols); + tbl.setPartitionKeys(partionVals); + client.createTable(tbl); + return client.getTable(dbName, tabName); + } + + public void addPartition(HiveMetaStoreClient client, String dbName, + String tblName, List<String> ptnVals, Table tbl) throws Exception { + Partition part = makeMetastorePartitionObject(dbName, tblName, ptnVals, tbl); + client.add_partition(part); + } + + public void addPartitionWithLocation(HiveMetaStoreClient client, + String dbName, String tblName, List<String> ptnVals, Table tbl, + String location) throws Exception { + Partition part = makeMetastorePartitionObject(dbName, tblName, ptnVals, + tbl, location); + client.add_partition(part); + } + + public Table makeMetastoreTableObject(HiveMetaStoreClient client, + String dbName, String tabName, List<FieldSchema> cols) throws Exception { + Table tbl = new Table(); + tbl.setDbName(dbName); + tbl.setTableName(tabName); + StorageDescriptor sd = new StorageDescriptor(); + tbl.setSd(sd); + tbl.setParameters(new HashMap<String, String>()); + sd.setCols(cols); + sd.setCompressed(false); + sd.setParameters(new HashMap<String, String>()); + sd.setSerdeInfo(new SerDeInfo()); + sd.getSerdeInfo().setName(tbl.getTableName()); + sd.getSerdeInfo().setParameters(new HashMap<String, String>()); + sd.getSerdeInfo().getParameters() + .put(serdeConstants.SERIALIZATION_FORMAT, "1"); + sd.setSortCols(new ArrayList<Order>()); + return tbl; + } + + public Partition makeMetastorePartitionObject(String dbName, String tblName, + List<String> ptnVals, Table tbl, String partitionLocation) { + Partition part = makeMetastoreBasePartitionObject(dbName, tblName, ptnVals, + tbl); + part.getSd().setLocation(partitionLocation); + return part; + } + + public Partition makeMetastorePartitionObject(String dbName, String tblName, + List<String> ptnVals, Table tbl) { + Partition part = makeMetastoreBasePartitionObject(dbName, tblName, ptnVals, + tbl); + return part; + } + + private Partition makeMetastoreBasePartitionObject(String dbName, + String tblName, List<String> ptnVals, Table tbl) { + Partition part4 = new Partition(); + part4.setDbName(dbName); + part4.setTableName(tblName); + part4.setValues(ptnVals); + part4.setParameters(new HashMap<String, String>()); + part4.setSd(tbl.getSd().deepCopy()); + part4.getSd().setSerdeInfo(tbl.getSd().getSerdeInfo().deepCopy()); + part4.setParameters(new HashMap<String, String>()); + return part4; + } + + public void createMetastoreDB(HiveMetaStoreClient client, String dbName) + throws Exception { + Database db = new Database(); + db.setName(dbName); + client.createDatabase(db); + } + + public void execHiveSQLwithOverlay(final String sqlStmt, + final String userName, Map<String, String> overLay) throws Exception { + final HiveConf hiveConf = new HiveConf(); + for (Map.Entry<String, String> entry : overLay.entrySet()) { + hiveConf.set(entry.getKey(), entry.getValue()); + } + UserGroupInformation clientUgi = UserGroupInformation + .createRemoteUser(userName); + clientUgi.doAs(new PrivilegedExceptionAction<Object>() { + @Override + public Void run() throws Exception { + Driver driver = new Driver(hiveConf, userName); + SessionState.start(new CliSessionState(hiveConf)); + CommandProcessorResponse cpr = driver.run(sqlStmt); + if (cpr.getResponseCode() != 0) { + throw new IOException("Failed to execute \"" + sqlStmt + + "\". Driver returned " + cpr.getResponseCode() + " Error: " + + cpr.getErrorMessage()); + } + driver.close(); + SessionState.get().close(); + return null; + } + }); + } + + + public void execHiveSQL(String sqlStmt, String userName) throws Exception { + execHiveSQLwithOverlay(sqlStmt, userName, new HashMap<String, String>()); + } + + public void execPigLatin(String userName, final PigServer pigServer, + final String pigLatin) throws Exception { + UserGroupInformation clientUgi = UserGroupInformation + .createRemoteUser(userName); + clientUgi.doAs( + new PrivilegedExceptionAction<Object>() { + @Override + public Void run() throws Exception { + pigServer.registerQuery(pigLatin); + return null; + } + }); + } + +}
http://git-wip-us.apache.org/repos/asf/sentry/blob/bfb354f2/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java new file mode 100644 index 0000000..2507f83 --- /dev/null +++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java @@ -0,0 +1,163 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.metastore; + +import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER; +import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_PREFIX; +import static org.apache.sentry.policy.common.PolicyConstants.ROLE_SPLITTER; + +import java.io.File; +import java.io.IOException; +import java.util.Collection; +import java.util.Map.Entry; +import java.util.Set; + +import org.apache.sentry.SentryUserException; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.DBModelAction; +import org.apache.sentry.core.model.db.DBModelAuthorizable; +import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; +import org.apache.sentry.policy.db.DBModelAuthorizables; +import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; +import org.apache.sentry.provider.db.service.thrift.TSentryRole; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.tests.e2e.hive.StaticUserGroup; +import org.apache.tools.ant.util.StringUtils; +import org.mortbay.log.Log; + +import com.google.common.collect.Sets; + +public class SentryPolicyProviderForDb extends PolicyFile { + protected static final Set<String> ADMIN_GROUP_SET = Sets + .newHashSet(StaticUserGroup.ADMINGROUP); + private SentryPolicyServiceClient sentryClient; + + protected SentryPolicyServiceClient getSentryClient() { + return sentryClient; + } + + public SentryPolicyProviderForDb(SentryPolicyServiceClient sentryClient) { + this.sentryClient = sentryClient; + } + + public static SentryPolicyProviderForDb setAdminOnServer1(String admin, + SentryPolicyServiceClient sentryClient) + throws Exception { + SentryPolicyProviderForDb policyFile = new SentryPolicyProviderForDb( + sentryClient); + policyFile.addRolesToGroup(admin, "admin_role").addPermissionsToRole( + "admin_role", "server=server1"); + return policyFile; + } + + public void write(File file) throws Exception { + super.write(file); + if (!usingSentryService()) { + return; + } + + // remove existing metadata + for (TSentryRole tRole : sentryClient.listRoles(StaticUserGroup.ADMIN1)) { + sentryClient.dropRole(StaticUserGroup.ADMIN1, tRole.getRoleName()); + } + + // create roles and add privileges + for (Entry<String, Collection<String>> roleEntry : rolesToPermissions + .asMap().entrySet()) { + sentryClient.createRole(StaticUserGroup.ADMIN1, roleEntry.getKey()); + for (String privilege : roleEntry.getValue()) { + addPrivilege(roleEntry.getKey(), privilege); + } + } + + // grant roles to groups + for (Entry<String, Collection<String>> groupEntry : groupsToRoles.asMap() + .entrySet()) { + for (String roleNames : groupEntry.getValue()) { + for (String roleName : roleNames.split(",")) { + try { + sentryClient + .grantRoleToGroup(StaticUserGroup.ADMIN1, groupEntry.getKey(), roleName); + } catch (SentryUserException e) { + Log.warn("Error granting role " + roleName + " to group " + + groupEntry.getKey()); + } + } + } + } + } + + private void addPrivilege(String roleName, String privileges) + throws Exception { + String serverName = null, dbName = null, tableName = null, columnName = null, uriPath = null; + String action = AccessConstants.ALL; + for (String privilege : ROLE_SPLITTER.split(privileges)) { + for (String section : AUTHORIZABLE_SPLITTER.split(privilege)) { + // action is not an authorizeable + if (!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) { + DBModelAuthorizable dbAuthorizable = DBModelAuthorizables + .from(section); + if (dbAuthorizable == null) { + throw new IOException("Unknow Auth type " + section); + } + + if (AuthorizableType.Server.equals(dbAuthorizable.getAuthzType())) { + serverName = dbAuthorizable.getName(); + } else if (AuthorizableType.Db.equals(dbAuthorizable.getAuthzType())) { + dbName = dbAuthorizable.getName(); + } else if (AuthorizableType.Table.equals(dbAuthorizable + .getAuthzType())) { + tableName = dbAuthorizable.getName(); + } else if (AuthorizableType.URI.equals(dbAuthorizable.getAuthzType())) { + uriPath = dbAuthorizable.getName(); + } else if (AuthorizableType.Column.equals(dbAuthorizable.getAuthzType())) { + columnName = dbAuthorizable.getName(); + } else { + throw new IOException("Unsupported auth type " + + dbAuthorizable.getName() + " : " + + dbAuthorizable.getTypeName()); + } + } else { + action = DBModelAction + .valueOf( + StringUtils.removePrefix(section, PRIVILEGE_PREFIX) + .toUpperCase()).toString(); + } + } + + if (columnName != null) { + sentryClient.grantColumnPrivilege(StaticUserGroup.ADMIN1, roleName, serverName, dbName, + tableName, columnName, action); + } else if (tableName != null) { + sentryClient.grantTablePrivilege(StaticUserGroup.ADMIN1, roleName, serverName, dbName, + tableName, action); + } else if (dbName != null) { + sentryClient.grantDatabasePrivilege(StaticUserGroup.ADMIN1, roleName, serverName, + dbName, action); + } else if (uriPath != null) { + sentryClient.grantURIPrivilege(StaticUserGroup.ADMIN1, roleName, serverName, uriPath); + } else if (serverName != null) { + sentryClient.grantServerPrivilege(StaticUserGroup.ADMIN1, roleName, serverName, action); + } + } + + } + + private boolean usingSentryService() { + return sentryClient != null; + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/bfb354f2/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java new file mode 100644 index 0000000..815c38e --- /dev/null +++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java @@ -0,0 +1,1106 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.metastore; + +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.core.IsNull.notNullValue; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; + +import java.util.ArrayList; +import java.util.Arrays; + +import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; +import org.apache.hadoop.hive.metastore.api.FieldSchema; +import org.apache.hadoop.hive.metastore.api.MetaException; +import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; +import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.tests.e2e.hive.StaticUserGroup; +import org.apache.thrift.TException; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestAuthorizingObjectStore extends + AbstractMetastoreTestWithStaticConfiguration { + private PolicyFile policyFile; + private static final String dbName1 = "db_1"; + private static final String dbName2 = "db_2"; + private static final String tabName1 = "tab1"; + private static final String tabName2 = "tab2"; + private static final String tabName3 = "tab3"; + private static final String tabName4 = "tab4"; + private static final String all_role = "all_role"; + private static final String db1_t1_role = "db1_t1_role"; + private static final String partitionVal = "part1"; + private static final String colName1 = "col1"; + // this user is configured for sentry.metastore.service.users, + // for this test, the value is set when creating the HiveServer. + private static final String userWithoutAccess = "accessAllMetaUser"; + + @BeforeClass + public static void setupTestStaticConfiguration () throws Exception { + AbstractMetastoreTestWithStaticConfiguration.setupTestStaticConfiguration(); + } + + @Override + @Before + public void setup() throws Exception { + policyFile = setAdminOnServer1(ADMINGROUP); + // add user ACCESSAllMETAUSER for the test case testPrivilegesForUserNameCaseSensitive + policyFile.addGroupsToUser(userWithoutAccess.toUpperCase(), "tempGroup").setUserGroupMapping( + StaticUserGroup.getStaticMapping()); + writePolicyFile(policyFile); + super.setup(); + + HiveMetaStoreClient client = null; + for (int i=0; i < 10; i++) { + try { + client = context.getMetaStoreClient(ADMIN1); + break; + } catch (Throwable e) { + // ignore + } + Thread.sleep(6000); + } + client.dropDatabase(dbName1, true, true, true); + client.dropDatabase(dbName2, true, true, true); + createMetastoreDB(client, dbName1); + createMetastoreDB(client, dbName2); + + Table tbl1 = createMetastoreTableWithPartition(client, dbName1, tabName1, + Lists.newArrayList(new FieldSchema("col1", "int", "")), + Lists.newArrayList(new FieldSchema("part_col1", "string", ""))); + addPartition(client, dbName1, tabName1, Lists.newArrayList(partitionVal), tbl1); + + Table tbl2 = createMetastoreTableWithPartition(client, dbName1, tabName2, + Lists.newArrayList(new FieldSchema("col1", "int", "")), + Lists.newArrayList(new FieldSchema("part_col1", "string", ""))); + addPartition(client, dbName1, tabName2, Lists.newArrayList(partitionVal), tbl2); + + Table tbl3 = createMetastoreTableWithPartition(client, dbName2, tabName3, + Lists.newArrayList(new FieldSchema("col1", "int", "")), + Lists.newArrayList(new FieldSchema("part_col1", "string", ""))); + addPartition(client, dbName2, tabName3, Lists.newArrayList(partitionVal), tbl3); + + Table tbl4 = createMetastoreTableWithPartition(client, dbName2, tabName4, + Lists.newArrayList(new FieldSchema("col1", "int", "")), + Lists.newArrayList(new FieldSchema("part_col1", "string", ""))); + addPartition(client, dbName2, tabName4, Lists.newArrayList(partitionVal), tbl4); + + client.close(); + + policyFile + .addRolesToGroup(USERGROUP1, all_role) + .addRolesToGroup(USERGROUP2, db1_t1_role) + .addPermissionsToRole(all_role, "server=server1->db=" + dbName1) + .addPermissionsToRole(all_role, "server=server1->db=" + dbName2) + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT") + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName1 + "->table=" + tabName2 + "->action=SELECT") + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName2 + "->table=" + tabName3 + "->action=SELECT") + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName2 + "->table=" + tabName4 + "->action=SELECT") + .addPermissionsToRole(db1_t1_role, + "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT") + .setUserGroupMapping(StaticUserGroup.getStaticMapping()); + writePolicyFile(policyFile); + } + + /** + * The configuration "sentry.metastore.service.users" is for user who has all + * access to metadata, and the value should be case-sensitive. + * + * @throws Exception + */ + @Test + public void testPrivilegesForUserNameCaseSensitive() throws Exception { + // The value of "sentry.metastore.service.users" is "accessAllMetaUser", and + // the value is case-sensitive. + // The input name is "ACCESSALLMEATAUSER", and the client should has no + // access to metadata. + HiveMetaStoreClient client = context.getMetaStoreClient(userWithoutAccess.toUpperCase()); + try { + client.getDatabase(dbName1); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + } + + /** + * User accessAllMetaUser is configured as the value of + * "sentry.metastore.service.users" and has all access to databases and + * tables. + * + * @throws Exception + */ + @Test + public void testPrivilegesForUserWithoutAccess() throws Exception { + HiveMetaStoreClient client = context.getMetaStoreClient(userWithoutAccess); + assertThat(client.getDatabase(dbName1), notNullValue()); + assertThat(client.getDatabase(dbName2), notNullValue()); + // including the "default" db + assertThat(client.getAllDatabases().size(), equalTo(3)); + // including the "default" db + assertThat(client.getDatabases("*").size(), equalTo(3)); + assertThat(client.getTable(dbName1, tabName1), notNullValue()); + assertThat(client.getTable(dbName1, tabName2), notNullValue()); + assertThat(client.getTable(dbName2, tabName3), notNullValue()); + assertThat(client.getTable(dbName2, tabName4), notNullValue()); + assertThat(client.listPartitions(dbName1, tabName1, (short) 1).size(), equalTo(1)); + assertThat(client.listPartitions(dbName1, tabName2, (short) 1).size(), equalTo(1)); + assertThat(client.listPartitions(dbName2, tabName3, (short) 1).size(), equalTo(1)); + assertThat(client.listPartitions(dbName2, tabName4, (short) 1).size(), equalTo(1)); + + assertThat( + client.listPartitions(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + assertThat( + client.listPartitions(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + assertThat( + client.listPartitions(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + assertThat( + client.listPartitions(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + + assertThat( + client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat( + client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat( + client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat( + client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat(client.getTables(dbName1, "tab*").size(), equalTo(2)); + assertThat(client.getTables(dbName2, "tab*").size(), equalTo(2)); + assertThat( + client.getTableObjectsByName(dbName1, + new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(2)); + assertThat( + client.getTableObjectsByName(dbName2, + new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(2)); + assertThat(client.getAllTables(dbName1).size(), equalTo(2)); + assertThat(client.getAllTables(dbName2).size(), equalTo(2)); + assertThat(client.listPartitionNames(dbName1, tabName1, (short) 2).size(), equalTo(1)); + assertThat(client.listPartitionNames(dbName1, tabName2, (short) 2).size(), equalTo(1)); + assertThat(client.listPartitionNames(dbName2, tabName3, (short) 2).size(), equalTo(1)); + assertThat(client.listPartitionNames(dbName2, tabName4, (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + assertThat( + client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + assertThat( + client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + assertThat( + client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + try { + client.getIndex(dbName1, tabName1, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName1, tabName2, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + + assertThat(client.listIndexes(dbName1, tabName1, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexes(dbName1, tabName2, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexes(dbName2, tabName3, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexes(dbName2, tabName4, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName1, tabName1, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName1, tabName2, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName2, tabName3, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName2, tabName4, (short) 1).size(), equalTo(0)); + assertThat(client.getPartitionWithAuthInfo(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat(client.getPartitionWithAuthInfo(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat(client.getPartitionWithAuthInfo(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat(client.getPartitionWithAuthInfo(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat( + client.getTableColumnStatistics(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + assertThat( + client.getTableColumnStatistics(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + assertThat( + client.getTableColumnStatistics(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + assertThat( + client.getTableColumnStatistics(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + client.close(); + } + + /** + * The group of USER1_1 is USERGROUP1, and has all access to databases and + * tables. + * + * @throws Exception + */ + @Test + public void testPrivilegesForFullAccess() throws Exception { + HiveMetaStoreClient client = context.getMetaStoreClient(USER1_1); + assertThat(client.getDatabase(dbName1), notNullValue()); + assertThat(client.getDatabase(dbName2), notNullValue()); + // including the "default" db + assertThat(client.getAllDatabases().size(), equalTo(3)); + // including the "default" db + assertThat(client.getDatabases("*").size(), equalTo(3)); + assertThat(client.getTable(dbName1, tabName1), notNullValue()); + assertThat(client.getTable(dbName1, tabName2), notNullValue()); + assertThat(client.getTable(dbName2, tabName3), notNullValue()); + assertThat(client.getTable(dbName2, tabName4), notNullValue()); + assertThat(client.listPartitions(dbName1, tabName1, (short) 1).size(), equalTo(1)); + assertThat(client.listPartitions(dbName1, tabName2, (short) 1).size(), equalTo(1)); + assertThat(client.listPartitions(dbName2, tabName3, (short) 1).size(), equalTo(1)); + assertThat(client.listPartitions(dbName2, tabName4, (short) 1).size(), equalTo(1)); + + assertThat( + client.listPartitions(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + assertThat( + client.listPartitions(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + assertThat( + client.listPartitions(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + assertThat( + client.listPartitions(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + + assertThat( + client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat( + client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat( + client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat( + client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + assertThat(client.getTables(dbName1, "tab*").size(), equalTo(2)); + assertThat(client.getTables(dbName2, "tab*").size(), equalTo(2)); + assertThat( + client.getTableObjectsByName(dbName1, + new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(2)); + assertThat( + client.getTableObjectsByName(dbName2, + new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(2)); + assertThat(client.getAllTables(dbName1).size(), equalTo(2)); + assertThat(client.getAllTables(dbName2).size(), equalTo(2)); + assertThat(client.listPartitionNames(dbName1, tabName1, (short) 2).size(), equalTo(1)); + assertThat(client.listPartitionNames(dbName1, tabName2, (short) 2).size(), equalTo(1)); + assertThat(client.listPartitionNames(dbName2, tabName3, (short) 2).size(), equalTo(1)); + assertThat(client.listPartitionNames(dbName2, tabName4, (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.listPartitionNames(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + assertThat( + client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + assertThat( + client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + assertThat( + client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + assertThat( + client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + try { + client.getIndex(dbName1, tabName1, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName1, tabName2, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + + assertThat(client.listIndexes(dbName1, tabName1, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexes(dbName1, tabName2, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexes(dbName2, tabName3, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexes(dbName2, tabName4, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName1, tabName1, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName1, tabName2, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName2, tabName3, (short) 1).size(), equalTo(0)); + assertThat(client.listIndexNames(dbName2, tabName4, (short) 1).size(), equalTo(0)); + assertThat(client.getPartitionWithAuthInfo(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat(client.getPartitionWithAuthInfo(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat(client.getPartitionWithAuthInfo(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat(client.getPartitionWithAuthInfo(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + assertThat( + client.getTableColumnStatistics(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + assertThat( + client.getTableColumnStatistics(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + assertThat( + client.getTableColumnStatistics(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + assertThat( + client.getTableColumnStatistics(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + client.close(); + } + + /** + * The group of USER2_1 is USERGROUP2, and has the access to db1 and t1. + * + * @throws Exception + */ + @Test + public void testPrivilegesForPartialAccess() throws Exception { + HiveMetaStoreClient client = context.getMetaStoreClient(USER2_1); + assertThat(client.getDatabase(dbName1), notNullValue()); + try { + client.getDatabase(dbName2); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + // including the "default" db + assertThat(client.getAllDatabases().size(), equalTo(2)); + // including the "default" db + assertThat(client.getDatabases("*").size(), equalTo(2)); + assertThat(client.getTable(dbName1, tabName1), notNullValue()); + try { + client.getTable(dbName1, tabName2); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTable(dbName2, tabName3); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTable(dbName2, tabName4); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat(client.listPartitions(dbName1, tabName1, (short) 1).size(), equalTo(1)); + try { + client.listPartitions(dbName1, tabName2, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName3, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName4, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat( + client.listPartitions(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1)); + try { + client.listPartitions(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat( + client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))), + notNullValue()); + try { + client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat(client.getTables(dbName1, "tab*").size(), equalTo(1)); + assertThat(client.getTables(dbName2, "tab*").size(), equalTo(0)); + assertThat( + client.getTableObjectsByName(dbName1, + new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(1)); + assertThat( + client.getTableObjectsByName(dbName2, + new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(0)); + assertThat(client.getAllTables(dbName1).size(), equalTo(1)); + assertThat(client.getAllTables(dbName2).size(), equalTo(0)); + + assertThat(client.listPartitionNames(dbName1, tabName1, (short) 2).size(), equalTo(1)); + try { + client.listPartitionNames(dbName1, tabName2, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException te) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName3, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException te) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName4, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException te) { + // ignore, just make sure the authorization is failed. + } + + assertThat( + client.listPartitionNames(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1)); + try { + client.listPartitionNames(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat( + client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList(""))) + .size(), equalTo(0)); + try { + client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.getIndex(dbName1, tabName1, "empty"); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is successful. + } + try { + client.getIndex(dbName1, tabName2, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat(client.listIndexes(dbName1, tabName1, (short) 1).size(), equalTo(0)); + try { + client.listIndexes(dbName1, tabName2, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexes(dbName2, tabName3, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexes(dbName2, tabName4, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat(client.listIndexNames(dbName1, tabName1, (short) 1).size(), equalTo(0)); + try { + client.listIndexNames(dbName1, tabName2, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexNames(dbName2, tabName3, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexNames(dbName2, tabName4, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat(client.getPartitionWithAuthInfo(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))), notNullValue()); + try { + client.getPartitionWithAuthInfo(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionWithAuthInfo(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionWithAuthInfo(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat( + client.getTableColumnStatistics(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0)); + try { + client.getTableColumnStatistics(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTableColumnStatistics(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTableColumnStatistics(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + client.close(); + } + + /** + * The group of USER3_1 is USERGROUP3, and has no access to database and + * table. + * + * @throws Exception + */ + @Test + public void testPrivilegesForNoAccess() throws Exception { + HiveMetaStoreClient client = context.getMetaStoreClient(USER3_1); + try { + client.getDatabase(dbName1); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getDatabase(dbName2); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + // including the "default" db + assertThat(client.getAllDatabases().size(), equalTo(1)); + // including the "default" db + assertThat(client.getDatabases("*").size(), equalTo(1)); + try { + client.getTable(dbName1, tabName1); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTable(dbName1, tabName2); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTable(dbName2, tabName3); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTable(dbName2, tabName4); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.listPartitions(dbName1, tabName1, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName1, tabName2, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName3, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName4, (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.listPartitions(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitions(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal)), + (short) 1); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal))); + fail("NoSuchObjectException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + assertThat(client.getTables(dbName1, "tab*").size(), equalTo(0)); + assertThat(client.getTables(dbName2, "tab*").size(), equalTo(0)); + assertThat( + client.getTableObjectsByName(dbName1, + new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(0)); + assertThat( + client.getTableObjectsByName(dbName2, + new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(0)); + assertThat(client.getAllTables(dbName1).size(), equalTo(0)); + assertThat(client.getAllTables(dbName2).size(), equalTo(0)); + + try { + client.listPartitionNames(dbName1, tabName1, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName1, tabName2, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName3, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName4, (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.listPartitionNames(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listPartitionNames(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList(""))); + fail("MetaException should have been thrown"); + } catch (TException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.getIndex(dbName1, tabName1, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getIndex(dbName1, tabName2, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getIndex(dbName2, tabName3, "empty"); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.listIndexes(dbName1, tabName1, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexes(dbName1, tabName2, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexes(dbName2, tabName3, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexes(dbName2, tabName4, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.listIndexNames(dbName1, tabName1, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexNames(dbName1, tabName2, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexNames(dbName2, tabName3, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.listIndexNames(dbName2, tabName4, (short) 1); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.getPartitionWithAuthInfo(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionWithAuthInfo(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionWithAuthInfo(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getPartitionWithAuthInfo(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>( + Arrays.asList("tempgroup"))); + fail("MetaException should have been thrown"); + } catch (NoSuchObjectException noe) { + // ignore, just make sure the authorization is failed. + } + + try { + client.getTableColumnStatistics(dbName1, tabName1, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTableColumnStatistics(dbName1, tabName2, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTableColumnStatistics(dbName2, tabName3, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + try { + client.getTableColumnStatistics(dbName2, tabName4, + new ArrayList<String>(Arrays.asList(colName1))); + fail("MetaException should have been thrown"); + } catch (MetaException noe) { + // ignore, just make sure the authorization is failed. + } + client.close(); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/bfb354f2/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java new file mode 100644 index 0000000..f406fd7 --- /dev/null +++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java @@ -0,0 +1,113 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.tests.e2e.metastore; + +import static org.junit.Assert.assertEquals; + +import java.io.File; +import java.io.FileOutputStream; + +import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; +import org.apache.hive.hcatalog.pig.HCatStorer; +import org.apache.pig.ExecType; +import org.apache.pig.PigServer; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.tests.e2e.hive.StaticUserGroup; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Ignore; +import org.junit.Test; + +import com.google.common.io.Resources; + +public class TestMetaStoreWithPigHCat extends + AbstractMetastoreTestWithStaticConfiguration { + private PolicyFile policyFile; + private File dataFile; + private static final String dbName = "db_1"; + private static final String tabName1 = "tab1"; + private static final String tabName2 = "tab2"; + private static final String db_all_role = "all_db1"; + + @BeforeClass + public static void beforeClass() { + System.setProperty("hadoopversion", "23"); + } + + @Before + public void setup() throws Exception { + dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); + FileOutputStream to = new FileOutputStream(dataFile); + Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); + to.close(); + + policyFile = setAdminOnServer1(ADMINGROUP); + policyFile + .addRolesToGroup(USERGROUP1, db_all_role) + .addRolesToGroup(USERGROUP2, "read_db_role") + .addPermissionsToRole(db_all_role, "server=server1->db=" + dbName) + .addPermissionsToRole("read_db_role", + "server=server1->db=" + dbName + "->table=" + tabName2 + "->action=SELECT") + .setUserGroupMapping(StaticUserGroup.getStaticMapping()); + writePolicyFile(policyFile); + + HiveMetaStoreClient client = context.getMetaStoreClient(ADMIN1); + client.dropDatabase(dbName, true, true, true); + createMetastoreDB(client, dbName); + client.close(); + } + + /** + * Verify add partition via Pig+HCatStore + * + * *** Disabled due to HCat inputformat compatibility issue in Hive 1.1.0 + */ + @Ignore + @Test + public void testPartionLoad() throws Exception { + execHiveSQL("CREATE TABLE " + dbName + "." + tabName1 + + " (id int) PARTITIONED BY (part_col STRING)", ADMIN1); + execHiveSQL("CREATE TABLE " + dbName + "." + tabName2 + + " (id int) PARTITIONED BY (part_col STRING)", ADMIN1); + + // user with ALL on DB should be able to add partion using Pig/HCatStore + PigServer pigServer = context.getPigServer(USER1_1, ExecType.LOCAL); + execPigLatin(USER1_1, pigServer, "A = load '" + dataFile.getPath() + + "' as (id:int);"); + execPigLatin(USER1_1, pigServer, "store A into '" + dbName + "." + tabName1 + + "' using " + HCatStorer.class.getName() + " ('part_col=part1');"); + HiveMetaStoreClient client = context.getMetaStoreClient(ADMIN1); + assertEquals(1, client.listPartitionNames(dbName, tabName1, (short) 10) + .size()); + + // user without select on DB should NOT be able to add partition with Pig/HCatStore + pigServer = context.getPigServer(USER2_1, ExecType.LOCAL); + execPigLatin(USER2_1, pigServer, "A = load '" + dataFile.getPath() + + "' as (id:int);"); + // This action won't be successful because of no permission, but there is no exception will + // be thrown in this thread. The detail exception can be found in + // sentry-tests/sentry-tests-hive/target/surefire-reports/org.apache.sentry.tests.e2e.metastore.TestMetaStoreWithPigHCat-output.txt. + execPigLatin(USER2_1, pigServer, "store A into '" + dbName + "." + tabName2 + "' using " + + HCatStorer.class.getName() + " ('part_col=part2');"); + // The previous action is failed, and there will be no data. + assertEquals(0, client.listPartitionNames(dbName, tabName2, (short) 10).size()); + client.close(); + } + +}
