http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
deleted file mode 100644
index 89559a6..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,180 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import java.io.File; -import java.io.IOException; -import java.util.Arrays; -import java.util.EnumSet; -import java.util.List; -import java.util.Set; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.core.model.db.DBModelAction; -import org.apache.sentry.core.model.db.Database; -import org.apache.sentry.core.model.db.Server; -import org.apache.sentry.core.model.db.Table; -import org.apache.sentry.provider.common.MockGroupMappingServiceProvider; -import org.apache.sentry.provider.common.ResourceAuthorizationProvider; -import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; -import org.apache.sentry.provider.file.PolicyFiles; -import org.junit.After; -import org.junit.Test; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.base.Objects; -import 
com.google.common.collect.HashMultimap; -import com.google.common.collect.Multimap; -import com.google.common.io.Files; - - -public class TestResourceAuthorizationProviderGeneralCases { - - private static final Logger LOGGER = LoggerFactory - .getLogger(TestResourceAuthorizationProviderGeneralCases.class); - - private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap - .create(); - - private static final Subject SUB_ADMIN = new Subject("admin1"); - private static final Subject SUB_MANAGER = new Subject("manager1"); - private static final Subject SUB_ANALYST = new Subject("analyst1"); - private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1"); - - private static final Server SVR_SERVER1 = new Server("server1"); - private static final Server SVR_ALL = new Server(AccessConstants.ALL); - - private static final Database DB_CUSTOMERS = new Database("customers"); - private static final Database DB_ANALYST = new Database("analyst1"); - private static final Database DB_JR_ANALYST = new Database("jranalyst1"); - - private static final Table TBL_PURCHASES = new Table("purchases"); - - private static final Set<? extends Action> ALL = EnumSet.of(DBModelAction.ALL); - private static final Set<? extends Action> SELECT = EnumSet.of(DBModelAction.SELECT); - private static final Set<? 
extends Action> INSERT = EnumSet.of(DBModelAction.INSERT); - - static { - USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin")); - USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager")); - USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst")); - USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(), - Arrays.asList("jranalyst")); - } - - private final ResourceAuthorizationProvider authzProvider; - private File baseDir; - - public TestResourceAuthorizationProviderGeneralCases() throws IOException { - baseDir = Files.createTempDir(); - PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini"); - authzProvider = new HadoopGroupResourceAuthorizationProvider( - new DBPolicyFileBackend("server1", - new File(baseDir, "test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); - - } - - @After - public void teardown() { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - private void doTestAuthorizables( - Subject subject, Set<? extends Action> privileges, boolean expected, - Authorizable... authorizables) throws Exception { - List<Authorizable> authzHierarchy = Arrays.asList(authorizables); - Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); - helper.add("authorizables", authzHierarchy).add("Privileges", privileges); - LOGGER.info("Running with " + helper.toString()); - Assert.assertEquals(helper.toString(), expected, - authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); - LOGGER.info("Passed " + helper.toString()); - } - - private void doTestResourceAuthorizationProvider(Subject subject, - Server server, Database database, Table table, - Set<? 
extends Action> privileges, boolean expected) throws Exception { - List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] { - server, database, table - }); - Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); - helper.add("Subject", subject).add("Server", server).add("DB", database) - .add("Table", table).add("Privileges", privileges).add("authzHierarchy", authzHierarchy); - LOGGER.info("Running with " + helper.toString()); - Assert.assertEquals(helper.toString(), expected, - authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); - LOGGER.info("Passed " + helper.toString()); - } - - @Test - public void testAdmin() throws Exception { - doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, true); - doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); - doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, true); - doTestAuthorizables(SUB_ADMIN, SELECT, true, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES); - - } - @Test - public void testManager() throws Exception { - doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false); - doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); - doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false); - doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); - } - @Test - public void testAnalyst() throws Exception { - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false); - 
doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); - - // analyst sandbox - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, ALL, true); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, SELECT, true); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, INSERT, true); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_ANALYST, TBL_PURCHASES, SELECT, true); - - // jr analyst sandbox - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, false); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, false); - doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); - } - @Test - public void testJuniorAnalyst() throws Exception { - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false); - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false); - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false); - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false); - // jr analyst sandbox - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, true); - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, true); - doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, 
true); - } -}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
deleted file mode 100644
index 3d3e45a..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,122 +0,0 @@ - /* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import java.io.File; -import java.io.IOException; -import java.util.EnumSet; -import java.util.List; -import java.util.Set; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.db.AccessURI; -import org.apache.sentry.core.model.db.DBModelAction; -import org.apache.sentry.core.model.db.Server; -import org.apache.sentry.provider.common.AuthorizationProvider; -import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.collect.ImmutableList; -import com.google.common.io.Files; - -public class TestResourceAuthorizationProviderSpecialCases { - private AuthorizationProvider authzProvider; - private PolicyFile policyFile; - private File baseDir; - private File iniFile; - private String 
initResource; - @Before - public void setup() throws IOException { - baseDir = Files.createTempDir(); - iniFile = new File(baseDir, "policy.ini"); - initResource = "file://" + iniFile.getPath(); - policyFile = new PolicyFile(); - } - - @After - public void teardown() throws IOException { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - @Test - public void testDuplicateEntries() throws Exception { - Subject user1 = new Subject("user1"); - Server server1 = new Server("server1"); - AccessURI uri = new AccessURI("file:///path/to/"); - Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT); - policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1") - .addRolesToGroup("group1", true, "role1", "role1") - .addPermissionsToRole("role1", true, "server=" + server1.getName() + "->uri=" + uri.getName(), - "server=" + server1.getName() + "->uri=" + uri.getName()); - policyFile.write(iniFile); - DBPolicyFileBackend policy = new DBPolicyFileBackend(server1.getName(), initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); - List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri); - Assert.assertTrue(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - } - @Test - public void testNonAbolutePath() throws Exception { - Subject user1 = new Subject("user1"); - Server server1 = new Server("server1"); - AccessURI uri = new AccessURI("file:///path/to/"); - Set<? 
extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT); - policyFile.addGroupsToUser(user1.getName(), "group1") - .addRolesToGroup("group1", "role1") - .addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName()); - policyFile.write(iniFile); - DBPolicyFileBackend policy = new DBPolicyFileBackend(server1.getName(), initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); - // positive test - List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri); - Assert.assertTrue(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - // negative tests - // TODO we should support the case of /path/to/./ but let's to that later - uri = new AccessURI("file:///path/to/./"); - authorizableHierarchy = ImmutableList.of(server1, uri); - Assert.assertFalse(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - uri = new AccessURI("file:///path/to/../"); - authorizableHierarchy = ImmutableList.of(server1, uri); - Assert.assertFalse(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - uri = new AccessURI("file:///path/to/../../"); - authorizableHierarchy = ImmutableList.of(server1, uri); - Assert.assertFalse(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - uri = new AccessURI("file:///path/to/dir/../../"); - authorizableHierarchy = ImmutableList.of(server1, uri); - Assert.assertFalse(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - } - @Test(expected=IllegalArgumentException.class) - public void testInvalidPath() throws Exception { - new AccessURI(":invaliduri"); - } -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
deleted file mode 100644
index 77232a6..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
+++ /dev/null
@@ -1,114 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import java.io.File; -import java.io.IOException; -import java.util.Set; - -import org.junit.Assert; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.hdfs.MiniDFSCluster; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.provider.file.PolicyFile; -import org.apache.sentry.provider.file.PolicyFiles; -import org.junit.AfterClass; -import org.junit.BeforeClass; -import org.junit.Test; - -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Sets; -import com.google.common.io.Files; - -public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine { - - private static MiniDFSCluster dfsCluster; - private static FileSystem fileSystem; - private static Path root; - private static Path etc; - - @BeforeClass - public static void setupLocalClazz() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - File dfsDir = new File(baseDir, "dfs"); - Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs()); - Configuration 
conf = new Configuration(); - conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath()); - dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build(); - fileSystem = dfsCluster.getFileSystem(); - root = new Path(fileSystem.getUri().toString()); - etc = new Path(root, "/etc"); - fileSystem.mkdirs(etc); - } - @AfterClass - public static void teardownLocalClazz() { - if(dfsCluster != null) { - dfsCluster.shutdown(); - } - } - - @Override - protected void afterSetup() throws IOException { - fileSystem.delete(etc, true); - fileSystem.mkdirs(etc); - PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini", "test-authz-provider-other-group.ini"); - setPolicy(new DBPolicyFileBackend("server1", - new Path(etc, "test-authz-provider.ini").toString())); - } - @Override - protected void beforeTeardown() throws IOException { - fileSystem.delete(etc, true); - } - - @Test - public void testMultiFSPolicy() throws Exception { - File globalPolicyFile = new File(Files.createTempDir(), "global-policy.ini"); - File dbPolicyFile = new File(Files.createTempDir(), "db11-policy.ini"); - - // Create global policy file - PolicyFile dbPolicy = new PolicyFile() - .addPermissionsToRole("db11_role", "server=server1->db=db11") - .addRolesToGroup("group1", "db11_role"); - - dbPolicy.write(dbPolicyFile); - Path dbPolicyPath = new Path(etc, "db11-policy.ini"); - - // create per-db policy file - PolicyFile globalPolicy = new PolicyFile() - .addPermissionsToRole("admin_role", "server=server1") - .addRolesToGroup("admin_group", "admin_role") - .addGroupsToUser("db", "admin_group"); - globalPolicy.addDatabase("db11", dbPolicyPath.toUri().toString()); - globalPolicy.write(globalPolicyFile); - - - PolicyFiles.copyFilesToDir(fileSystem, etc, globalPolicyFile); - PolicyFiles.copyFilesToDir(fileSystem, etc, dbPolicyFile); - DBPolicyFileBackend multiFSEngine = - new DBPolicyFileBackend("server1", globalPolicyFile.getPath()); - - Set<String> dbGroups = Sets.newHashSet(); - 
dbGroups.add("group1"); - ImmutableSet<String> dbPerms = - multiFSEngine.getAllPrivileges(dbGroups, ActiveRoleSet.ALL); - Assert.assertEquals("No DB permissions found", 1, dbPerms.size()); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java deleted file mode 100644 index f779949..0000000 --- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java +++ /dev/null 
@@ -1,44 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import java.io.File; -import java.io.IOException; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.provider.file.PolicyFiles; - -public class TestSimpleDBPolicyEngineLocalFS extends AbstractTestSimplePolicyEngine { - - @Override - protected void afterSetup() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs()); - PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini"); - setPolicy(new DBPolicyFileBackend("server1", - new File(baseDir, "test-authz-provider.ini").getPath())); - } - @Override - protected void beforeTeardown() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - FileUtils.deleteQuietly(baseDir); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/resources/log4j.properties ---------------------------------------------------------------------- 
diff --git a/sentry-policy/sentry-policy-db/src/test/resources/log4j.properties b/sentry-policy/sentry-policy-db/src/test/resources/log4j.properties deleted file mode 100644 index c41373c..0000000 --- a/sentry-policy/sentry-policy-db/src/test/resources/log4j.properties +++ /dev/null @@ -1,31 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -# Define some default values that can be overridden by system properties. -# -# For testing, it may also be convenient to specify - -log4j.rootLogger=DEBUG,console - -log4j.appender.console=org.apache.log4j.ConsoleAppender -log4j.appender.console.target=System.err -log4j.appender.console.layout=org.apache.log4j.PatternLayout -log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n - -log4j.logger.org.apache.hadoop.conf.Configuration=INFO http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini ---------------------------------------------------------------------- 
diff --git a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini b/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini deleted file mode 100644 index cd3695c..0000000 --- a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider-other-group.ini +++ /dev/null @@ -1,22 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -[groups] -other_group = analyst_role - -[roles] -analyst_role = server=server1->db=other_group_db->table=purchases->action=select \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini b/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini deleted file mode 100644 index 2d00699..0000000 --- a/sentry-policy/sentry-policy-db/src/test/resources/test-authz-provider.ini +++ /dev/null 
@@ -1,32 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -[databases] -other_group_db = test-authz-provider-other-group.ini - -[groups] -manager = analyst_role, junior_analyst_role -analyst = analyst_role -jranalyst = junior_analyst_role -admin = admin - -[roles] -analyst_role = server=server1->db=customers->table=purchases->action=select, \ - server=server1->db=analyst1, \ - server=server1->db=jranalyst1->table=*->action=select -junior_analyst_role = server=server1->db=jranalyst1, server=server1->db=customers->table=purchases_partial->action=select -admin = server=server1 http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-engine/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-engine/pom.xml b/sentry-policy/sentry-policy-engine/pom.xml new file mode 100644 index 0000000..e9c44d7 --- /dev/null +++ b/sentry-policy/sentry-policy-engine/pom.xml 
@@ -0,0 +1,53 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-policy</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-policy-engine</artifactId>
+ <name>Sentry Policy Engine</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-common</artifactId>
+ </dependency>
+ </dependencies>
+
+</project>
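Review bot: The `log4j` and `slf4j-log4j12` entries in `<dependencies>` carry no `<scope>`, so unless the `sentry-policy` parent's dependencyManagement narrows them, this library module hands a concrete logging binding and log4j 1.x to every consumer at compile scope. `CommonPolicyEngine` in this commit only uses the SLF4J API, so `slf4j-api` can stay as it is while the binding is better declared with `<scope>test</scope>` (or left to the deployable that picks a backend). log4j 1.x is end-of-life, which is one more reason not to pin downstream users of a policy-engine artifact to it. Versions are not visible in this file and are presumably managed by the parent.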
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java b/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java
new file mode 100644
index 0000000..16e1ba2
--- /dev/null
+++ b/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java
@@ -0,0 +1,106 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.engine.common; + +import com.google.common.collect.ImmutableSet; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.SentryConfigurationException; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.common.PrivilegeFactory; +import org.apache.sentry.provider.common.ProviderBackend; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.Set; + +public class CommonPolicyEngine implements PolicyEngine { + + private static final Logger LOGGER = LoggerFactory + .getLogger(CommonPolicyEngine.class); + + private final ProviderBackend providerBackend; + + public CommonPolicyEngine(ProviderBackend providerBackend) { + this.providerBackend = providerBackend; + } + + /** + * {@inheritDoc} + */ + @Override + public PrivilegeFactory getPrivilegeFactory() { + return new CommonPrivilegeFactory(); + } + + /** + * {@inheritDoc} + */ + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return 
getPrivileges(groups, roleSet); + } + + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + + /** + * {@inheritDoc} + */ + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) + throws SentryConfigurationException { + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for {}", groups); + } + + ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet); + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, ActiveRoleSet roleSet, + Authorizable... authorizableHierarchy) throws SentryConfigurationException { + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users); + } + ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet); + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + + @Override + public void validatePolicy(boolean strictValidation) throws SentryConfigurationException { + this.providerBackend.validatePolicy(strictValidation); + } + + @Override + public void close() { + if (providerBackend != null) { + providerBackend.close(); + } + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPrivilegeFactory.java ---------------------------------------------------------------------- 
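Review bot: The CommonPolicyEngine constructor only stores `providerBackend` and never calls `providerBackend.initialize(...)`, so privilege validators run only if every caller has already initialized the backend with a suitable `ProviderBackendContext`. The same shift of responsibility shows in SimpleIndexerPolicyEngine, whose constructor loses its `initialize(context)` call in hunk `@@ -44,10 +41,6 @@`. State the precondition in the constructor's Javadoc, for example `/** @param providerBackend backend already initialized with the model's privilege validators; this engine does not initialize it */`. Also fail fast on null with `this.providerBackend = Preconditions.checkNotNull(providerBackend);`, since `close()` guards against null but `getPrivileges` and `validatePolicy` dereference the field unconditionally.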
diff --git a/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPrivilegeFactory.java b/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPrivilegeFactory.java
new file mode 100644
index 0000000..d338f0e
--- /dev/null
+++ b/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPrivilegeFactory.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.engine.common;
+
+import org.apache.sentry.policy.common.CommonPrivilege;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.policy.common.PrivilegeFactory;
+
+public class CommonPrivilegeFactory implements PrivilegeFactory {
+
+ @Override
+ public Privilege createPrivilege(String privilege) {
+ return new CommonPrivilege(privilege);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/pom.xml b/sentry-policy/sentry-policy-indexer/pom.xml
index 9b307c5..e6ef72f 100644
--- a/sentry-policy/sentry-policy-indexer/pom.xml +++ b/sentry-policy/sentry-policy-indexer/pom.xml @@ -73,6 +73,10 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> + <artifactId>sentry-policy-engine</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> <artifactId>sentry-provider-file</artifactId> </dependency> <dependency> http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java deleted file mode 100644 index a01824c..0000000 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.indexer; - -import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER; -import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_PREFIX; - -import java.util.List; - -import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable; -import org.apache.sentry.policy.common.PrivilegeValidator; -import org.apache.shiro.config.ConfigurationException; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.collect.Lists; - -public abstract class AbstractIndexerPrivilegeValidator implements PrivilegeValidator { - - @VisibleForTesting - public static Iterable<IndexerModelAuthorizable> parsePrivilege(String string) { - List<IndexerModelAuthorizable> result = Lists.newArrayList(); - for(String section : AUTHORIZABLE_SPLITTER.split(string)) { - // XXX this ugly hack is because action is not an authorizable - if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) { - IndexerModelAuthorizable authorizable = IndexerModelAuthorizables.from(section); - if(authorizable == null) { - String msg = "No authorizable found for " + section; - throw new 
ConfigurationException(msg); - } - result.add(authorizable); - } - } - return result; - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java deleted file mode 100644 index 13893b3..0000000 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java +++ /dev/null 
@@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.indexer; - -import org.apache.sentry.core.model.indexer.Indexer; -import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable; -import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable.AuthorizableType; -import org.apache.sentry.policy.common.KeyValue; - -public class IndexerModelAuthorizables { - - public static IndexerModelAuthorizable from(KeyValue keyValue) { - String prefix = keyValue.getKey().toLowerCase(); - String name = keyValue.getValue().toLowerCase(); - for(AuthorizableType type : AuthorizableType.values()) { - if(prefix.equalsIgnoreCase(type.name())) { - return from(type, name); - } - } - return null; - } - public static IndexerModelAuthorizable from(String s) { - return from(new KeyValue(s)); - } - - private static IndexerModelAuthorizable from(AuthorizableType type, String name) { - switch (type) { - case Indexer: - return new Indexer(name); - default: - return null; - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java 
---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java deleted file mode 100644 index 06b815f..0000000 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.indexer; - -import org.apache.sentry.core.common.SentryConfigurationException; -import org.apache.sentry.core.model.indexer.Indexer; -import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable; -import org.apache.sentry.policy.common.PrivilegeValidatorContext; - -public class IndexerRequiredInPrivilege extends AbstractIndexerPrivilegeValidator { - - @Override - public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException { - String privilege = context.getPrivilege(); - Iterable<IndexerModelAuthorizable> authorizables = parsePrivilege(privilege); - boolean foundIndexerInAuthorizables = false; - - for(IndexerModelAuthorizable authorizable : authorizables) { - if(authorizable instanceof Indexer) { - foundIndexerInAuthorizables = true; - break; - } - } - if(!foundIndexerInAuthorizables) { - String msg = "Missing indexer object in " + privilege; - throw new SentryConfigurationException(msg); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java 
---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java index 0ec0ce1..71d2a66 100644 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java +++ b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java @@ -23,11 +23,12 @@ package org.apache.sentry.policy.indexer; import java.util.List; +import org.apache.sentry.core.common.Model; +import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.core.model.indexer.IndexerConstants; -import org.apache.sentry.policy.common.PolicyConstants; import org.apache.sentry.policy.common.Privilege; import org.apache.sentry.policy.common.PrivilegeFactory; -import org.apache.sentry.policy.common.KeyValue; +import org.apache.sentry.core.common.utils.KeyValue; import com.google.common.base.Preconditions; import com.google.common.base.Strings; @@ -44,7 +45,7 @@ public class IndexerWildcardPrivilege implements Privilege { throw new IllegalArgumentException("Wildcard string cannot be null or empty."); } List<KeyValue>parts = Lists.newArrayList(); - for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.trimResults().split( + for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.trimResults().split( wildcardString)) { if (authorizable.isEmpty()) { throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section"); 
@@ -59,7 +60,7 @@ public class IndexerWildcardPrivilege implements Privilege { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model model) { // By default only supports comparisons with other IndexerWildcardPermissions if (!(p instanceof IndexerWildcardPrivilege)) { return false; @@ -108,7 +109,7 @@ public class IndexerWildcardPrivilege implements Privilege { "Please report, this method should not be called with two different keys"); if(policyPart.getValue().equals(IndexerConstants.ALL) || policyPart.equals(requestPart)) { return true; - } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey()) + } else if (!SentryConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey()) && IndexerConstants.ALL.equalsIgnoreCase(requestPart.getValue())) { /* privilege request is to match with any object of given type */ return true; @@ -118,7 +119,7 @@ public class IndexerWildcardPrivilege implements Privilege { @Override public String toString() { - return PolicyConstants.AUTHORIZABLE_JOINER.join(parts); + return SentryConstants.AUTHORIZABLE_JOINER.join(parts); } @Override http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java index 8914319..7b1536a 100644 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java +++ b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java 
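Review bot: In hunk `@@ -59,7 +60,7 @@`, `implies` gains a `Model model` parameter, but the lines shown do not read it and still return false for anything that is not an `IndexerWildcardPrivilege`. The method body continues outside the hunk; if the rest of it ignores the parameter too, say so at the signature, for example `// model is not consulted; matching uses the parsed key/value parts only`. Presumably this also means a `CommonPrivilege` created by the new `CommonPrivilegeFactory` is never implied by an `IndexerWildcardPrivilege`. That fails closed, but it deserves a comment so a mixed policy does not silently deny.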
@@ -21,15 +21,12 @@ import java.util.Set; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.SentryConfigurationException; -import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.policy.common.PrivilegeFactory; -import org.apache.sentry.policy.common.PrivilegeValidator; +import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.ProviderBackend; -import org.apache.sentry.provider.common.ProviderBackendContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; /** @@ -44,10 +41,6 @@ public class SimpleIndexerPolicyEngine implements PolicyEngine { public SimpleIndexerPolicyEngine(ProviderBackend providerBackend) { this.providerBackend = providerBackend; - ProviderBackendContext context = new ProviderBackendContext(); - context.setAllowPerDatabase(false); - context.setValidators(createPrivilegeValidators()); - this.providerBackend.initialize(context); } /** @@ -107,10 +100,6 @@ public class SimpleIndexerPolicyEngine implements PolicyEngine { throw new SentryConfigurationException("Not implemented yet"); } - public static ImmutableList<PrivilegeValidator> createPrivilegeValidators() { - return ImmutableList.<PrivilegeValidator>of(new IndexerRequiredInPrivilege()); - } - @Override public void close() { if (providerBackend != null) { http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexPolicyTestUtil.java ---------------------------------------------------------------------- 
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexPolicyTestUtil.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexPolicyTestUtil.java
new file mode 100644
index 0000000..45f100e
--- /dev/null
+++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexPolicyTestUtil.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.indexer;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.engine.common.CommonPolicyEngine;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+
+import java.io.IOException;
+
+public class IndexPolicyTestUtil {
+
+ public static PolicyEngine createPolicyEngineForTest(String resource) throws IOException {
+
+ ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
+
+ // create backendContext
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(false);
+ context.setValidators(IndexerPrivilegeModel.getInstance().getPrivilegeValidators());
+ // initialize the backend with the context
+ providerBackend.initialize(context);
+
+ return new CommonPolicyEngine(providerBackend);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexerPolicyFileBackend.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexerPolicyFileBackend.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexerPolicyFileBackend.java deleted file mode 100644 index ba1b3ed..0000000 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/IndexerPolicyFileBackend.java +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.indexer; - -import java.io.IOException; - -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.provider.file.SimpleFileProviderBackend; - -public class IndexerPolicyFileBackend extends SimpleIndexerPolicyEngine { - public IndexerPolicyFileBackend(String resource) throws IOException{ - super(new SimpleFileProviderBackend(new Configuration(), resource)); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java new file mode 100644 index 0000000..2a3bde7 --- /dev/null +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java 
@@ -0,0 +1,214 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.indexer; + +import org.apache.sentry.core.common.Model; +import org.apache.sentry.core.common.utils.KeyValue; +import org.apache.sentry.core.common.utils.SentryConstants; +import org.apache.sentry.core.model.indexer.IndexerConstants; +import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel; +import org.apache.sentry.policy.common.CommonPrivilege; +import org.apache.sentry.policy.common.Privilege; +import org.junit.Before; +import org.junit.Test; + +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; + +public class TestCommonPrivilegeForIndexer { + + private Model indexerPrivilegeModel; + + private static final String ALL = IndexerConstants.ALL; + + @Before + public void prepareData() { + indexerPrivilegeModel = IndexerPrivilegeModel.getInstance(); + } + + @Test + public void testSimpleNoAction() throws Exception { + CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1")); + CommonPrivilege indexer2 = create(new KeyValue("indexer", "ind2")); + CommonPrivilege indexer1Case = create(new KeyValue("indeXeR", "inD1")); + + 
assertTrue(indexer1.implies(indexer1, indexerPrivilegeModel)); + assertTrue(indexer2.implies(indexer2, indexerPrivilegeModel)); + assertTrue(indexer1.implies(indexer1Case, indexerPrivilegeModel)); + assertTrue(indexer1Case.implies(indexer1, indexerPrivilegeModel)); + + assertFalse(indexer1.implies(indexer2, indexerPrivilegeModel)); + assertFalse(indexer1Case.implies(indexer2, indexerPrivilegeModel)); + assertFalse(indexer2.implies(indexer1, indexerPrivilegeModel)); + assertFalse(indexer2.implies(indexer1Case, indexerPrivilegeModel)); + } + + @Test + public void testSimpleAction() throws Exception { + CommonPrivilege read = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); + CommonPrivilege write = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); + CommonPrivilege readCase = + create(new KeyValue("indeXeR", "iNd1"), new KeyValue("AcTiOn", "ReAd")); + + assertTrue(read.implies(read, indexerPrivilegeModel)); + assertTrue(write.implies(write, indexerPrivilegeModel)); + assertTrue(read.implies(readCase, indexerPrivilegeModel)); + assertTrue(readCase.implies(read, indexerPrivilegeModel)); + + assertFalse(read.implies(write, indexerPrivilegeModel)); + assertFalse(readCase.implies(write, indexerPrivilegeModel)); + assertFalse(write.implies(read, indexerPrivilegeModel)); + assertFalse(write.implies(readCase, indexerPrivilegeModel)); + } + + @Test + public void testRoleShorterThanRequest() throws Exception { + CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1")); + CommonPrivilege read = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); + CommonPrivilege write = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); + CommonPrivilege all = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", ALL)); + + assertTrue(indexer1.implies(read, indexerPrivilegeModel)); + assertTrue(indexer1.implies(write, indexerPrivilegeModel)); + 
assertTrue(indexer1.implies(all, indexerPrivilegeModel)); + + assertFalse(read.implies(indexer1, indexerPrivilegeModel)); + assertFalse(write.implies(indexer1, indexerPrivilegeModel)); + assertTrue(all.implies(indexer1, indexerPrivilegeModel)); + } + + @Test + public void testIndexerAll() throws Exception { + CommonPrivilege indexerAll = create(new KeyValue("indexer", ALL)); + CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1")); + assertTrue(indexerAll.implies(indexer1, indexerPrivilegeModel)); + assertTrue(indexer1.implies(indexerAll, indexerPrivilegeModel)); + + CommonPrivilege allWrite = + create(new KeyValue("indexer", ALL), new KeyValue("action", "write")); + CommonPrivilege allRead = + create(new KeyValue("indexer", ALL), new KeyValue("action", "read")); + CommonPrivilege ind1Write = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); + CommonPrivilege ind1Read = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); + assertTrue(allWrite.implies(ind1Write, indexerPrivilegeModel)); + assertTrue(allRead.implies(ind1Read, indexerPrivilegeModel)); + assertTrue(ind1Write.implies(allWrite, indexerPrivilegeModel)); + assertTrue(ind1Read.implies(allRead, indexerPrivilegeModel)); + assertFalse(allWrite.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(allRead.implies(ind1Write, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(allWrite, indexerPrivilegeModel)); + assertFalse(allWrite.implies(allRead, indexerPrivilegeModel)); + assertFalse(allRead.implies(allWrite, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(ind1Write, indexerPrivilegeModel)); + + // test different length paths + assertTrue(indexerAll.implies(allWrite, indexerPrivilegeModel)); + assertTrue(indexerAll.implies(allRead, indexerPrivilegeModel)); + assertTrue(indexerAll.implies(ind1Write, 
indexerPrivilegeModel)); + assertTrue(indexerAll.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(allWrite.implies(indexerAll, indexerPrivilegeModel)); + assertFalse(allRead.implies(indexerAll, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(indexerAll, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(indexerAll, indexerPrivilegeModel)); + } + + @Test + public void testActionAll() throws Exception { + CommonPrivilege ind1All = + create(new KeyValue("indexer", "index1"), new KeyValue("action", ALL)); + CommonPrivilege ind1Write = + create(new KeyValue("indexer", "index1"), new KeyValue("action", "write")); + CommonPrivilege ind1Read = + create(new KeyValue("indexer", "index1"), new KeyValue("action", "read")); + assertTrue(ind1All.implies(ind1All, indexerPrivilegeModel)); + assertTrue(ind1All.implies(ind1Write, indexerPrivilegeModel)); + assertTrue(ind1All.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(ind1All, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(ind1All, indexerPrivilegeModel)); + + // test different lengths + CommonPrivilege ind1 = + create(new KeyValue("indexer", "index1")); + assertTrue(ind1All.implies(ind1, indexerPrivilegeModel)); + assertTrue(ind1.implies(ind1All, indexerPrivilegeModel)); + } + + @Test + public void testUnexpected() throws Exception { + Privilege p = new Privilege() { + @Override + public boolean implies(Privilege p, Model model) { + return false; + } + }; + CommonPrivilege indexer1 = create(new KeyValue("indexer", "index1")); + assertFalse(indexer1.implies(null, indexerPrivilegeModel)); + assertFalse(indexer1.implies(p, indexerPrivilegeModel)); + assertFalse(indexer1.equals(null)); + assertFalse(indexer1.equals(p)); + } + + @Test(expected=IllegalArgumentException.class) + public void testNullString() throws Exception { + System.out.println(create((String)null)); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyString() throws Exception { + 
System.out.println(create("")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(create(SentryConstants.KV_JOINER.join("indexer", ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(create(SentryConstants.KV_JOINER.join("", "index1"))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyPart() throws Exception { + System.out.println(create(SentryConstants.AUTHORIZABLE_JOINER. + join(SentryConstants.KV_JOINER.join("indexer11", "index1"), ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testOnlySeperators() throws Exception { + System.out.println(create(SentryConstants.AUTHORIZABLE_JOINER. + join(SentryConstants.KV_SEPARATOR, SentryConstants.KV_SEPARATOR, + SentryConstants.KV_SEPARATOR))); + } + + static CommonPrivilege create(KeyValue... keyValues) { + return create(SentryConstants.AUTHORIZABLE_JOINER.join(keyValues)); + } + + static CommonPrivilege create(String s) { + return new CommonPrivilege(s); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java index d6d8b79..939621b 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java 
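Review bot: `testIndexerAll` asserts that a narrower grant implies a request carrying `ALL` (`assertTrue(indexer1.implies(indexerAll, indexerPrivilegeModel))`, and likewise `ind1Write.implies(allWrite, ...)`), which reads like privilege widening unless the reader knows how a request-side `ALL` is interpreted. Add a comment above those assertions, for example `// a request whose value is ALL presumably asks for "any object of this type", so a concrete grant satisfies it`. That matches the remark in IndexerWildcardPrivilege, but CommonPrivilege itself is not shown here, so the wording should be confirmed against it. Separately, `testEmptyKey` builds `("indexer", "")` (an empty value) and `testEmptyValue` builds `("", "index1")` (an empty key), so the two names are swapped. `assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel))` also appears twice in `testIndexerAll`.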
@@ -32,6 +32,7 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.indexer.Indexer; import org.apache.sentry.core.model.indexer.IndexerModelAction; +import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel; import org.apache.sentry.provider.common.MockGroupMappingServiceProvider; import org.apache.sentry.provider.common.ResourceAuthorizationProvider; import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; @@ -84,8 +85,8 @@ public class TestIndexerAuthorizationProviderGeneralCases { baseDir = Files.createTempDir(); PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini"); authzProvider = new HadoopGroupResourceAuthorizationProvider( - new IndexerPolicyFileBackend(new File(baseDir, "test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + IndexPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "test-authz-provider.ini").getPath()), + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), IndexerPrivilegeModel.getInstance()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java index 9c211b7..1717c42 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java 
@@ -31,6 +31,8 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.indexer.Indexer; import org.apache.sentry.core.model.indexer.IndexerModelAction; +import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel; +import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.AuthorizationProvider; import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; import org.apache.sentry.provider.file.PolicyFile; @@ -72,8 +74,8 @@ public class TestIndexerAuthorizationProviderSpecialCases { .addPermissionsToRole("role1", true, "indexer=" + indexer1.getName(), "indexer=" + indexer1.getName()); policyFile.write(iniFile); - IndexerPolicyFileBackend policy = new IndexerPolicyFileBackend(initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + PolicyEngine policy = IndexPolicyTestUtil.createPolicyEngineForTest(initResource); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, IndexerPrivilegeModel.getInstance()); List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(indexer1); Assert.assertTrue(authorizableHierarchy.toString(), authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java index 8d21dc3..1d8ca53 100644 
--- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java @@ -21,13 +21,14 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; import org.apache.sentry.core.model.indexer.Indexer; +import org.apache.sentry.core.model.indexer.IndexerModelAuthorizables; import org.junit.Test; public class TestIndexerModelAuthorizables { @Test public void testIndexer() throws Exception { - Indexer indexer = (Indexer)IndexerModelAuthorizables.from("InDexEr=indexer1"); + Indexer indexer = (Indexer) IndexerModelAuthorizables.from("InDexEr=indexer1"); assertEquals("indexer1", indexer.getName()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineDFS.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineDFS.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineDFS.java index c6d6718..e644827 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineDFS.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineDFS.java 
@@ -63,7 +63,7 @@ public class TestIndexerPolicyEngineDFS extends AbstractTestIndexerPolicyEngine
 fileSystem.delete(etc, true);
 fileSystem.mkdirs(etc);
 PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini");
- setPolicy(new IndexerPolicyFileBackend(new Path(etc,
+ setPolicy(IndexPolicyTestUtil.createPolicyEngineForTest(new Path(etc,
 "test-authz-provider.ini").toString()));
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineLocalFS.java
index f083f49..bd827fc 100644
--- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineLocalFS.java
+++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyEngineLocalFS.java
@@ -32,7 +32,7 @@ public class TestIndexerPolicyEngineLocalFS extends AbstractTestIndexerPolicyEng
 Assert.assertNotNull(baseDir);
 Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
 PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- setPolicy(new IndexerPolicyFileBackend(new File(baseDir, "test-authz-provider.ini").getPath()));
+ setPolicy(IndexPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "test-authz-provider.ini").getPath()));
 }
 @Override
 protected void beforeTeardown() throws IOException {
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyNegative.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyNegative.java index a453c48..e1a0dcc 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyNegative.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerPolicyNegative.java @@ -72,7 +72,7 @@ public class TestIndexerPolicyNegative { append("other_group = some_role", otherPolicyFile); append("[roles]", otherPolicyFile); append("some_role = indexer=i1", otherPolicyFile); - IndexerPolicyFileBackend policy = new IndexerPolicyFileBackend(globalPolicyFile.getPath()); + PolicyEngine policy = IndexPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath()); Assert.assertEquals(Collections.emptySet(), policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL)); } @@ -83,7 +83,7 @@ public class TestIndexerPolicyNegative { append("group = some_role", globalPolicyFile); append("[roles]", globalPolicyFile); append("some_role = action=read", globalPolicyFile); - PolicyEngine policy = new IndexerPolicyFileBackend(globalPolicyFile.getPath()); + PolicyEngine policy = IndexPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath()); ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL); Assert.assertTrue(permissions.toString(), permissions.isEmpty()); } 
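Review bot: In the `-83,7` hunk the test expects no privileges for `some_role = action=read`, and after this change that outcome is decided by whatever `IndexPolicyTestUtil.createPolicyEngineForTest` configures; the helper is not part of this hunk. If the helper assembles its own validator list instead of reusing the one production code uses, this negative test could keep passing while a production engine built without that validator accepts a privilege that names no indexer. A comment above the call would record the dependency, for example `// relies on the test helper registering the indexer-required validator`. The `-72,7` hunk above builds its engine the same way, and both test methods start outside their hunks.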
@@ -94,7 +94,7 @@ public class TestIndexerPolicyNegative { append("group = malicious_role", globalPolicyFile); append("[roles]", globalPolicyFile); append("malicious_role = indexer=*", globalPolicyFile); - PolicyEngine policy = new IndexerPolicyFileBackend(globalPolicyFile.getPath()); + PolicyEngine policy = IndexPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath()); ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL); Assert.assertTrue(permissions.toString(), permissions.isEmpty()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java index 57876e5..ff20d03 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java @@ -20,7 +20,8 @@ package org.apache.sentry.policy.indexer; import org.junit.Assert; -import org.apache.sentry.policy.common.PrivilegeValidatorContext; +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.sentry.core.model.indexer.validator.IndexerRequiredInPrivilege; import org.apache.shiro.config.ConfigurationException; import org.junit.Test; http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java ---------------------------------------------------------------------- 
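Review bot: In the `TestIndexerPolicyNegative` hunk at `-94,7`, the policy file maps `group` to `malicious_role`, but the assertion queries `incorrectGroup`, so the empty result is explained by the group lookup alone and says nothing about how `indexer=*` is handled. If the test is meant to cover the wildcard privilege, it should also query the mapped group, `policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL)`, and assert the outcome the project intends for that role. If the unmapped group is deliberate, a comment such as `// group is intentionally unmapped: unknown groups must receive no privileges` would state that. The test method starts outside the hunk, so other setup lines may exist.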
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java deleted file mode 100644 index 17cebc3..0000000 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java +++ /dev/null 
@@ -1,203 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.sentry.policy.indexer; -import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER; -import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER; -import static org.apache.sentry.policy.common.PolicyConstants.KV_SEPARATOR; - -import org.apache.sentry.core.model.indexer.IndexerConstants; -import org.apache.sentry.policy.common.Privilege; -import org.apache.sentry.policy.common.KeyValue; -import org.junit.Test; - -public class TestIndexerWildcardPrivilege extends org.junit.Assert { - - private static final String ALL = IndexerConstants.ALL; - - @Test - public void testSimpleNoAction() throws Exception { - Privilege indexer1 = create(new KeyValue("indexer", "ind1")); - Privilege indexer2 = create(new KeyValue("indexer", "ind2")); - Privilege indexer1Case = create(new KeyValue("indeXeR", "inD1")); - - assertTrue(indexer1.implies(indexer1)); - assertTrue(indexer2.implies(indexer2)); - assertTrue(indexer1.implies(indexer1Case)); - assertTrue(indexer1Case.implies(indexer1)); - - assertFalse(indexer1.implies(indexer2)); - assertFalse(indexer1Case.implies(indexer2)); - 
assertFalse(indexer2.implies(indexer1)); - assertFalse(indexer2.implies(indexer1Case)); - } - - @Test - public void testSimpleAction() throws Exception { - Privilege read = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); - Privilege write = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); - Privilege readCase = - create(new KeyValue("indeXeR", "iNd1"), new KeyValue("AcTiOn", "ReAd")); - - assertTrue(read.implies(read)); - assertTrue(write.implies(write)); - assertTrue(read.implies(readCase)); - assertTrue(readCase.implies(read)); - - assertFalse(read.implies(write)); - assertFalse(readCase.implies(write)); - assertFalse(write.implies(read)); - assertFalse(write.implies(readCase)); - } - - @Test - public void testRoleShorterThanRequest() throws Exception { - Privilege indexer1 = create(new KeyValue("indexer", "ind1")); - Privilege read = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); - Privilege write = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); - Privilege all = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", ALL)); - - assertTrue(indexer1.implies(read)); - assertTrue(indexer1.implies(write)); - assertTrue(indexer1.implies(all)); - - assertFalse(read.implies(indexer1)); - assertFalse(write.implies(indexer1)); - assertTrue(all.implies(indexer1)); - } - - @Test - public void testIndexerAll() throws Exception { - Privilege indexerAll = create(new KeyValue("indexer", ALL)); - Privilege indexer1 = create(new KeyValue("indexer", "ind1")); - assertTrue(indexerAll.implies(indexer1)); - assertTrue(indexer1.implies(indexerAll)); - - Privilege allWrite = - create(new KeyValue("indexer", ALL), new KeyValue("action", "write")); - Privilege allRead = - create(new KeyValue("indexer", ALL), new KeyValue("action", "read")); - Privilege ind1Write = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); - Privilege ind1Read = - 
create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); - assertTrue(allWrite.implies(ind1Write)); - assertTrue(allRead.implies(ind1Read)); - assertTrue(ind1Write.implies(allWrite)); - assertTrue(ind1Read.implies(allRead)); - assertFalse(allWrite.implies(ind1Read)); - assertFalse(ind1Write.implies(ind1Read)); - assertFalse(allRead.implies(ind1Write)); - assertFalse(ind1Read.implies(allWrite)); - assertFalse(allWrite.implies(allRead)); - assertFalse(allRead.implies(allWrite)); - assertFalse(ind1Write.implies(ind1Read)); - assertFalse(ind1Read.implies(ind1Write)); - - // test different length paths - assertTrue(indexerAll.implies(allWrite)); - assertTrue(indexerAll.implies(allRead)); - assertTrue(indexerAll.implies(ind1Write)); - assertTrue(indexerAll.implies(ind1Read)); - assertFalse(allWrite.implies(indexerAll)); - assertFalse(allRead.implies(indexerAll)); - assertFalse(ind1Write.implies(indexerAll)); - assertFalse(ind1Read.implies(indexerAll)); - } - - @Test - public void testActionAll() throws Exception { - Privilege ind1All = - create(new KeyValue("indexer", "index1"), new KeyValue("action", ALL)); - Privilege ind1Write = - create(new KeyValue("indexer", "index1"), new KeyValue("action", "write")); - Privilege ind1Read = - create(new KeyValue("indexer", "index1"), new KeyValue("action", "read")); - assertTrue(ind1All.implies(ind1All)); - assertTrue(ind1All.implies(ind1Write)); - assertTrue(ind1All.implies(ind1Read)); - assertFalse(ind1Write.implies(ind1All)); - assertFalse(ind1Read.implies(ind1All)); - - // test different lengths - Privilege ind1 = - create(new KeyValue("indexer", "index1")); - assertTrue(ind1All.implies(ind1)); - assertTrue(ind1.implies(ind1All)); - } - - @Test - public void testUnexpected() throws Exception { - Privilege p = new Privilege() { - @Override - public boolean implies(Privilege p) { - return false; - } - }; - Privilege indexer1 = create(new KeyValue("indexer", "index1")); - assertFalse(indexer1.implies(null)); - 
assertFalse(indexer1.implies(p)); - assertFalse(indexer1.equals(null)); - assertFalse(indexer1.equals(p)); - } - - @Test(expected=IllegalArgumentException.class) - public void testNullString() throws Exception { - System.out.println(create((String)null)); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyString() throws Exception { - System.out.println(create("")); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyKey() throws Exception { - System.out.println(create(KV_JOINER.join("indexer", ""))); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyValue() throws Exception { - System.out.println(create(KV_JOINER.join("", "index1"))); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyPart() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_JOINER.join("indexer11", "index1"), ""))); - } - - @Test(expected=IllegalArgumentException.class) - public void testOnlySeperators() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); - } - - static IndexerWildcardPrivilege create(KeyValue... keyValues) { - return create(AUTHORIZABLE_JOINER.join(keyValues)); - - } - static IndexerWildcardPrivilege create(String s) { - return new IndexerWildcardPrivilege(s); - } -}
