http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java ----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java b/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java
new file mode 100644
index 0000000..3f60b19
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.junit.Before;
+import org.junit.Test;
+import java.util.List;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+import static junit.framework.Assert.assertFalse;
+
+public class TestCommonPrivilege {
+
+ private Model testModel;
+
+ @Before
+ public void prepareData() {
+ testModel = new ModelForTest();
+ }
+
+ @Test
+ public void testCreateCommonPrivilege() throws Exception {
+ String privilegeHiveStr = "server=server1->db=db1->table=table1->column=column1->action=select";
+ String privilegeSolrStr = "server=server1->collection=col1->action=update";
+ String privilegeSqoopStr = "server=server1->link=link1->action=read";
+
+ CommonPrivilege privilegeHive = new CommonPrivilege(privilegeHiveStr);
+ CommonPrivilege privilegeSolr = new CommonPrivilege(privilegeSolrStr);
+ CommonPrivilege privilegeSqoop = new CommonPrivilege(privilegeSqoopStr);
+
+ List<KeyValue> keyValues = privilegeHive.getParts();
+ assertEquals(5, keyValues.size());
+ // test the value and the order
+ assertEquals("server", keyValues.get(0).getKey());
+ assertEquals("server1", keyValues.get(0).getValue());
+ assertEquals("db", keyValues.get(1).getKey());
+ assertEquals("db1", keyValues.get(1).getValue());
+ assertEquals("table", keyValues.get(2).getKey());
+ assertEquals("table1", keyValues.get(2).getValue());
+ assertEquals("column", keyValues.get(3).getKey());
+ assertEquals("column1", keyValues.get(3).getValue());
+ assertEquals("action", keyValues.get(4).getKey());
+ assertEquals("select", keyValues.get(4).getValue());
+
+ keyValues = privilegeSolr.getParts();
+ assertEquals(3, keyValues.size());
+ assertEquals("server", keyValues.get(0).getKey());
+ assertEquals("server1", keyValues.get(0).getValue());
+ assertEquals("collection", keyValues.get(1).getKey());
+ assertEquals("col1", keyValues.get(1).getValue());
+ assertEquals("action", keyValues.get(2).getKey());
+ assertEquals("update", keyValues.get(2).getValue());
+
+ keyValues = privilegeSqoop.getParts();
+ assertEquals(3, keyValues.size());
+ assertEquals("server", keyValues.get(0).getKey());
+ assertEquals("server1", keyValues.get(0).getValue());
+ assertEquals("link", keyValues.get(1).getKey());
+ assertEquals("link1", keyValues.get(1).getValue());
+ assertEquals("action", keyValues.get(2).getKey());
+ assertEquals("read", keyValues.get(2).getValue());
+ }
+
+ @Test
+ public void testImplyCommonPrivilegeWithoutAction() throws Exception {
+
+ CommonPrivilege requestPrivilege = new CommonPrivilege("server=server1->db=db1->table=table1");
+ CommonPrivilege privilegForTest1 = new CommonPrivilege("server=server1->db=db1->table=table1");
+ CommonPrivilege privilegForTest2 = new CommonPrivilege("server=server1->db=db1");
+ CommonPrivilege privilegForTest3 = new CommonPrivilege("server=server1->db=db1->table=table2");
+ CommonPrivilege privilegForTest4 = new CommonPrivilege("server=server1->db=db1->table=table1->column=col1");
+ CommonPrivilege privilegForTest5 = new CommonPrivilege("server=server1->db=db1->table=table1->column=*");
+
+ assertTrue(privilegForTest1.implies(requestPrivilege, testModel));
+ assertTrue(privilegForTest2.implies(requestPrivilege, testModel));
+ assertFalse(privilegForTest3.implies(requestPrivilege, testModel));
+ assertFalse(privilegForTest4.implies(requestPrivilege, testModel));
+ assertTrue(privilegForTest5.implies(requestPrivilege, testModel));
+ }
+
+ @Test
+ public void testImplyCommonPrivilegeWithUrl() throws Exception {
+
+ CommonPrivilege requestPrivilege = new CommonPrivilege("server=server1->uri=hdfs:///url/for/request");
+ CommonPrivilege privilegForTest1 = new CommonPrivilege("server=server1->uri=hdfs:///url");
+ CommonPrivilege privilegForTest2 = new CommonPrivilege("server=server1->uri=hdfs:///url/for/request");
+ CommonPrivilege privilegForTest3 = new CommonPrivilege("server=server1->uri=hdfs:///url/unvalid/for/request");
+
+ assertTrue(privilegForTest1.implies(requestPrivilege, testModel));
+ assertTrue(privilegForTest2.implies(requestPrivilege, testModel));
+ assertFalse(privilegForTest3.implies(requestPrivilege, testModel));
+ }
+
+ @Test
+ public void testImplyCommonPrivilegeForAction() throws Exception {
+ CommonPrivilege privilegForSelect = new CommonPrivilege("server=server1->db=db1->table=table1->action=select");
+ CommonPrivilege privilegForInsert = new CommonPrivilege("server=server1->db=db1->table=table1->action=insert");
+ CommonPrivilege privilegForAll = new CommonPrivilege("server=server1->db=db1->table=table1->action=all");
+
+ // the privilege should imply itself
+ assertTrue(privilegForSelect.implies(privilegForSelect, testModel));
+ assertTrue(privilegForInsert.implies(privilegForInsert, testModel));
+ assertTrue(privilegForAll.implies(privilegForAll, testModel));
+
+ // do the imply with the different action based on operate &
+ assertFalse(privilegForInsert.implies(privilegForSelect, testModel));
+ assertTrue(privilegForAll.implies(privilegForSelect, testModel));
+
+ assertFalse(privilegForSelect.implies(privilegForInsert, testModel));
+ assertTrue(privilegForAll.implies(privilegForInsert, testModel));
+
+ assertFalse(privilegForSelect.implies(privilegForAll, testModel));
+ assertFalse(privilegForInsert.implies(privilegForAll, testModel));
+ }
+
+ @Test
+ public void testImplyStringCaseSensitive() throws Exception {
+ CommonPrivilege privileg1 = new CommonPrivilege("server=server1->db=db1->table=table1->column=col1->action=select");
+ CommonPrivilege privileg2 = new CommonPrivilege("server=server1->db=db1->table=table1->column=CoL1->action=select");
+ CommonPrivilege privileg3 = new CommonPrivilege("server=SERver1->db=Db1->table=TAbLe1->column=col1->action=select");
+ CommonPrivilege privileg4 = new CommonPrivilege("SERVER=server1->DB=db1->TABLE=table1->COLUMN=col1->ACTION=select");
+
+ // column is case sensitive
+ assertFalse(privileg1.implies(privileg2, testModel));
+ // server, db, table is case insensitive
+ assertTrue(privileg1.implies(privileg3, testModel));
+ // key in privilege is case insensitive
+ assertTrue(privileg1.implies(privileg4, testModel));
+ }
+}
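Review bot: The new test never exercises CommonPrivilege's rejection of malformed input — there is no case for a null or empty string, or for an empty section such as the constructed `server=server1->->action=select`, and the empty-key/empty-value checks from the deleted TestKeyValue further down this page are not carried over, so the parser's input validation now has no coverage. One `@Test(expected = IllegalArgumentException.class)` method per malformed form would restore it; the exception type CommonPrivilege actually throws is not visible in this hunk, so confirm it against the constructor before pinning it. The static imports at the top use the legacy `junit.framework.Assert`; `org.junit.Assert`, which the removed TestKeyValue already used, is the JUnit 4 API and keeps the module consistent. In testImplyCommonPrivilegeWithUrl it would also be worth pinning the path-boundary rule with a constructed request such as `server=server1->uri=hdfs:///urlx/for/request` asserted as not implied by `privilegForTest1`, assuming URI implication is by path component rather than plain string prefix — that assumption is not verifiable from this hunk.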
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java ----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java b/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java
deleted file mode 100644
index 0ab6569..0000000
--- a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java
+++ /dev/null
@@ -1,76 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.common; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER; - -import org.junit.Test; - -public class TestKeyValue { - - @Test - public void testWithSeparators() throws Exception { - KeyValue kv = new KeyValue("URI=/u/h/w/t/partition=value/"); - assertEquals("URI", kv.getKey()); - assertEquals("/u/h/w/t/partition=value/", kv.getValue()); - } - - @Test(expected = IllegalArgumentException.class) - public void testEmptyKey() throws Exception { - new KeyValue(KV_JOINER.join("", "b")); - } - - @Test(expected = IllegalArgumentException.class) - public void testEmptyValue() throws Exception { - new KeyValue(KV_JOINER.join("a", "")); - } - - @Test - public void testOneParameterConstructor() throws Exception { - KeyValue kv1 = new KeyValue(KV_JOINER.join("k1", "v1")); - KeyValue kv2 = new KeyValue(KV_JOINER.join("k1", "v1")); - KeyValue kv3 = new KeyValue(KV_JOINER.join("k2", "v2")); - doTest(kv1, kv2, kv3); - } - - @Test - public void testTwoParameterConstructor() throws Exception { - KeyValue kv1 = new 
KeyValue("k1", "v1"); - KeyValue kv2 = new KeyValue("k1", "v1"); - KeyValue kv3 = new KeyValue("k2", "v2"); - doTest(kv1, kv2, kv3); - } - - private void doTest(KeyValue kv1, KeyValue kv2, KeyValue kv3) { - assertEquals(kv1, kv2); - assertFalse(kv1.equals(kv3)); - - assertEquals(kv1.toString(), kv2.toString()); - assertFalse(kv1.toString().equals(kv3.toString())); - - assertEquals(kv1.hashCode(), kv2.hashCode()); - assertFalse(kv1.hashCode() == kv3.hashCode()); - - assertEquals(kv1.getKey(), kv2.getKey()); - assertFalse(kv1.getKey().equals(kv3.getKey())); - - assertEquals(kv1.getValue(), kv2.getValue()); - assertFalse(kv1.getValue().equals(kv3.getValue())); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/pom.xml b/sentry-policy/sentry-policy-db/pom.xml deleted file mode 100644 index 56206dc..0000000 --- a/sentry-policy/sentry-policy-db/pom.xml +++ /dev/null 
@@ -1,98 +0,0 @@ -<?xml version="1.0"?> -<!-- -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---> -<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <modelVersion>4.0.0</modelVersion> - <parent> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-policy</artifactId> - <version>1.8.0-SNAPSHOT</version> - </parent> - - <artifactId>sentry-policy-db</artifactId> - <name>Sentry Policy for Databases</name> - - <dependencies> - <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-common</artifactId> - <scope>provided</scope> - </dependency> - - <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-minicluster</artifactId> - <scope>test</scope> - </dependency> - - <dependency> - <groupId>junit</groupId> - <artifactId>junit</artifactId> - <scope>test</scope> - </dependency> - <dependency> - <groupId>log4j</groupId> - <artifactId>log4j</artifactId> - </dependency> - <dependency> - <groupId>org.apache.shiro</groupId> - <artifactId>shiro-core</artifactId> - </dependency> - <dependency> - <groupId>com.google.guava</groupId> - <artifactId>guava</artifactId> - </dependency> 
- <dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-api</artifactId> - </dependency> - <dependency> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-log4j12</artifactId> - </dependency> - <dependency> - <groupId>org.apache.hive</groupId> - <artifactId>hive-beeline</artifactId> - <scope>provided</scope> - </dependency> - <dependency> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-common</artifactId> - </dependency> - <dependency> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-model-db</artifactId> - </dependency> - <dependency> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-common</artifactId> - </dependency> - <dependency> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-file</artifactId> - </dependency> - <dependency> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-common</artifactId> - <scope>test</scope> - <type>test-jar</type> - <version>${project.version}</version> - </dependency> - </dependencies> - -</project> http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java deleted file mode 100644 index 8bd311a..0000000 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER; -import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_PREFIX; - -import java.util.List; - -import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.policy.common.PrivilegeValidator; -import org.apache.shiro.config.ConfigurationException; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.collect.Lists; - -public abstract class AbstractDBPrivilegeValidator implements PrivilegeValidator { - - @VisibleForTesting - public static Iterable<DBModelAuthorizable> parsePrivilege(String string) { - List<DBModelAuthorizable> result = Lists.newArrayList(); - for(String section : AUTHORIZABLE_SPLITTER.split(string)) { - // XXX this ugly hack is because action is not an authorizeable - if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) { - DBModelAuthorizable authorizable = DBModelAuthorizables.from(section); - if(authorizable == null) { - String msg = "No authorizable found for " + section; - throw new ConfigurationException(msg); - } - 
result.add(authorizable); - } - } - return result; - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java deleted file mode 100644 index 96b172d..0000000 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java +++ /dev/null 
@@ -1,67 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import org.apache.sentry.core.model.db.AccessURI; -import org.apache.sentry.core.model.db.Column; -import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; -import org.apache.sentry.core.model.db.Database; -import org.apache.sentry.core.model.db.Server; -import org.apache.sentry.core.model.db.Table; -import org.apache.sentry.core.model.db.View; -import org.apache.sentry.policy.common.KeyValue; - -public class DBModelAuthorizables { - - public static DBModelAuthorizable from(KeyValue keyValue) { - String prefix = keyValue.getKey().toLowerCase(); - String name = keyValue.getValue(); - for(AuthorizableType type : AuthorizableType.values()) { - if(prefix.equalsIgnoreCase(type.name())) { - if (prefix.equalsIgnoreCase(AuthorizableType.URI.toString())) { - return from(type, name); - } else { - return from(type, name.toLowerCase()); - } - } - } - return null; - } - public static DBModelAuthorizable from(String s) { - return from(new KeyValue(s)); - } - - private static DBModelAuthorizable from(AuthorizableType type, String name) { - switch 
(type) { - case Server: - return new Server(name); - case Db: - return new Database(name); - case Table: - return new Table(name); - case View: - return new View(name); - case Column: - return new Column(name); - case URI: - return new AccessURI(name); - default: - return null; - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java deleted file mode 100644 index 116e0aa..0000000 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java +++ /dev/null 
@@ -1,164 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -// copied from apache shiro - -package org.apache.sentry.policy.db; - -import java.util.List; - -import org.apache.sentry.core.common.utils.PathUtils; -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; -import org.apache.sentry.policy.common.PolicyConstants; -import org.apache.sentry.policy.common.Privilege; -import org.apache.sentry.policy.common.PrivilegeFactory; -import org.apache.sentry.policy.common.KeyValue; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Preconditions; -import com.google.common.base.Strings; -import com.google.common.collect.ImmutableList; -import com.google.common.collect.Lists; - -// XXX this class is made ugly by the fact that Action is not a Authorizable. 
-public class DBWildcardPrivilege implements Privilege { - - private final ImmutableList<KeyValue> parts; - - public DBWildcardPrivilege(String wildcardString) { - wildcardString = Strings.nullToEmpty(wildcardString).trim(); - if (wildcardString.isEmpty()) { - throw new IllegalArgumentException("Wildcard string cannot be null or empty."); - } - List<KeyValue>parts = Lists.newArrayList(); - for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.trimResults().split( - wildcardString)) { - if (authorizable.isEmpty()) { - throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section"); - } - parts.add(new KeyValue(authorizable)); - } - if (parts.isEmpty()) { - throw new AssertionError("Should never occur: " + wildcardString); - } - this.parts = ImmutableList.copyOf(parts); - } - - - @Override - public boolean implies(Privilege p) { - // By default only supports comparisons with other DBWildcardPermissions - if (!(p instanceof DBWildcardPrivilege)) { - return false; - } - - DBWildcardPrivilege wp = (DBWildcardPrivilege) p; - - List<KeyValue> otherParts = wp.parts; - if(equals(wp)) { - return true; - } - int index = 0; - for (KeyValue otherPart : otherParts) { - // If this privilege has less parts than the other privilege, everything - // after the number of parts contained - // in this privilege is automatically implied, so return true - if (parts.size() - 1 < index) { - return true; - } else { - KeyValue part = parts.get(index); - // Support for action inheritance from parent to child (eg. 
Db -> Table) - if (part.getKey().equalsIgnoreCase("action") && !(otherPart.getKey().equalsIgnoreCase("action"))) { - continue; - } - // are the keys even equal - if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) { - return false; - } - if (!impliesKeyValue(part, otherPart)) { - return false; - } - index++; - } - } - // If this privilege has more parts than - // the other parts, only imply it if - // all of the other parts are wildcards - for (; index < parts.size(); index++) { - KeyValue part = parts.get(index); - if (!part.getValue().equals(AccessConstants.ALL)) { - return false; - } - } - - return true; - } - - private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { - Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()), - "Please report, this method should not be called with two different keys"); - if(policyPart.getValue().equals(AccessConstants.ALL) || - policyPart.getValue().equalsIgnoreCase("ALL")) { - return true; - } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey()) - && AccessConstants.ALL.equalsIgnoreCase(requestPart.getValue())) { - /* privilege request is to match with any object of given type */ - return true; - } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey()) - && AccessConstants.SOME.equalsIgnoreCase(requestPart.getValue())) { - /* privilege request is to match with any object of given type */ - return true; - } else if(policyPart.getKey().equalsIgnoreCase(AuthorizableType.URI.name())) { - return impliesURI(policyPart.getValue(), requestPart.getValue()); - } - return policyPart.equals(requestPart); - } - - @VisibleForTesting - protected static boolean impliesURI(String privilege, String request) { - return PathUtils.impliesURI(privilege, request); - } - - @Override - public String toString() { - return PolicyConstants.AUTHORIZABLE_JOINER.join(parts); - } - - @Override - public boolean equals(Object o) { - if (o instanceof 
DBWildcardPrivilege) { - DBWildcardPrivilege wp = (DBWildcardPrivilege) o; - return parts.equals(wp.parts); - } - return false; - } - - @Override - public int hashCode() { - return parts.hashCode(); - } - - public static class DBWildcardPrivilegeFactory implements PrivilegeFactory { - @Override - public Privilege createPrivilege(String privilege) { - return new DBWildcardPrivilege(privilege); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java deleted file mode 100644 index d280c41..0000000 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java +++ /dev/null 
@@ -1,46 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.core.model.db.Database; -import org.apache.sentry.policy.common.PrivilegeValidatorContext; -import org.apache.shiro.config.ConfigurationException; - -public class DatabaseMustMatch extends AbstractDBPrivilegeValidator { - - @Override - public void validate(PrivilegeValidatorContext context) throws ConfigurationException { - String database = context.getDatabase(); - String privilege = context.getPrivilege(); - /* - * Rule only applies to rules in per database policy file - */ - if(database != null) { - Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege); - for(DBModelAuthorizable authorizable : authorizables) { - if(authorizable instanceof Database && - !database.equalsIgnoreCase(authorizable.getName())) { - String msg = "Privilege " + privilege + " references db " + - authorizable.getName() + ", but is only allowed to reference " - + database; - throw new ConfigurationException(msg); - } - } - } - } -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java ----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
deleted file mode 100644
index e89aa16..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
+++ /dev/null
@@ -1,71 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.db; - -import org.apache.sentry.core.model.db.AccessURI; -import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.core.model.db.Database; -import org.apache.sentry.policy.common.PrivilegeValidatorContext; -import org.apache.shiro.config.ConfigurationException; - -public class DatabaseRequiredInPrivilege extends AbstractDBPrivilegeValidator { - - @Override - public void validate(PrivilegeValidatorContext context) throws ConfigurationException { - String database = context.getDatabase(); - String privilege = context.getPrivilege(); - /* - * Rule only applies to rules in per database policy file - */ - if(database != null) { - Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege); - /* - * Each permission in a non-global file must have a database - * object except for URIs. - * - * We allow URIs to be specified in the per DB policy file for - * ease of mangeability. URIs will contain to remain server scope - * objects. 
- */ - boolean foundDatabaseInAuthorizables = false; - boolean foundURIInAuthorizables = false; - boolean allowURIInAuthorizables = false; - - if ("true".equalsIgnoreCase( - System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) { - allowURIInAuthorizables = true; - } - - for(DBModelAuthorizable authorizable : authorizables) { - if(authorizable instanceof Database) { - foundDatabaseInAuthorizables = true; - } - if (authorizable instanceof AccessURI) { - if (foundDatabaseInAuthorizables) { - String msg = "URI object is specified at DB scope in " + privilege; - throw new ConfigurationException(msg); - } - foundURIInAuthorizables = true; - } - } - if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) { - String msg = "Missing database object in " + privilege; - throw new ConfigurationException(msg); - } - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java deleted file mode 100644 index 1848a32..0000000 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java +++ /dev/null 
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServerNameMustMatch extends AbstractDBPrivilegeValidator {
-
- private final String serverName;
- public ServerNameMustMatch(String serverName) {
- this.serverName = serverName;
- }
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
- String msg = "Server name " + authorizable.getName() + " in "
- + privilege + " is invalid. Expected " + serverName;
- throw new ConfigurationException(msg);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
deleted file mode 100644
index b729ec3..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServersAllIsInvalid extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Server &&
- authorizable.getName().equals(Server.ALL.getName())) {
- String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + privilege;
- throw new ConfigurationException(msg);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
deleted file mode 100644
index 9d25592..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-
-public class SimpleDBPolicyEngine implements PolicyEngine {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SimpleDBPolicyEngine.class);
-
- public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
-
- private final ProviderBackend providerBackend;
-
- public SimpleDBPolicyEngine(String serverName, ProviderBackend providerBackend) {
- this.providerBackend = providerBackend;
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(true);
- context.setValidators(createPrivilegeValidators(serverName));
- this.providerBackend.initialize(context);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public PrivilegeFactory getPrivilegeFactory() {
- return new DBWildcardPrivilege.DBWildcardPrivilegeFactory();
- }
-
-
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, users, roleSet);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
- throws SentryConfigurationException {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for {}", groups);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet, authorizableHierarchy);
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
- throws SentryConfigurationException {
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet,
- authorizableHierarchy);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
- this.providerBackend.validatePolicy(strictValidation);
- }
-
- @Override
- public void close() {
- if (providerBackend != null) {
- providerBackend.close();
- }
- }
-
- public static ImmutableList<PrivilegeValidator> createPrivilegeValidators(String serverName) {
- return ImmutableList.<PrivilegeValidator>of(new ServersAllIsInvalid(), new DatabaseMustMatch(),
- new DatabaseRequiredInPrivilege(), new ServerNameMustMatch(serverName));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
deleted file mode 100644
index 0a65b2c..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSimplePolicyEngine {
- private static final String PERM_SERVER1_CUSTOMERS_SELECT = "server=server1->db=customers->table=purchases->action=select";
- private static final String PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT = "server=server1->db=customers->table=purchases_partial->action=select";
- private static final String PERM_SERVER1_ANALYST_ALL = "server=server1->db=analyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_ALL = "server=server1->db=jranalyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_READ = "server=server1->db=jranalyst1->table=*->action=select";
- private static final String PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT = "server=server1->db=other_group_db->table=purchases->action=select";
-
- private static final String PERM_SERVER1_ADMIN = "server=server1";
- private PolicyEngine policy;
- private static File baseDir;
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testManager() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_ALL, PERM_SERVER1_JUNIOR_ANALYST_READ,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
- ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
-
- @Test
- public void testOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAll() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAllforOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
deleted file mode 100644
index 9dc63e4..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-public class DBPolicyFileBackend extends SimpleDBPolicyEngine {
- public DBPolicyFileBackend(String server, String resource) throws IOException{
- super(server, new SimpleFileProviderBackend(new Configuration(), resource));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
deleted file mode 100644
index ad14278..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.model.db.View;
-import org.junit.Test;
-
-public class TestDBModelAuthorizables {
-
- @Test
- public void testServer() throws Exception {
- Server server = (Server)DBModelAuthorizables.from("SeRvEr=server1");
- assertEquals("server1", server.getName());
- }
- @Test
- public void testDb() throws Exception {
- Database db = (Database)DBModelAuthorizables.from("dB=db1");
- assertEquals("db1", db.getName());
- }
- @Test
- public void testTable() throws Exception {
- Table table = (Table)DBModelAuthorizables.from("tAbLe=t1");
- assertEquals("t1", table.getName());
- }
- @Test
- public void testView() throws Exception {
- View view = (View)DBModelAuthorizables.from("vIeW=v1");
- assertEquals("v1", view.getName());
- }
- @Test
- public void testURI() throws Exception {
- AccessURI uri = (AccessURI)DBModelAuthorizables.from("UrI=hdfs://uri1:8200/blah");
- assertEquals("hdfs://uri1:8200/blah", uri.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(DBModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(DBModelAuthorizables.from("=v"));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(DBModelAuthorizables.from("k="));
- }
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(DBModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
deleted file mode 100644
index aa6fccd..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
+++ /dev/null
@@ -1,335 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.KeyValue;
-import org.junit.Test;
-
-public class TestDBWildcardPrivilege extends org.junit.Assert {
-
- private static final String ALL = AccessConstants.ALL;
-
- private static final Privilege ROLE_SERVER_SERVER1_DB_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_SERVER1_DB_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Privilege ROLE_SERVER_SERVER2_DB_ALL =
- create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_SERVER2_DB_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Privilege ROLE_SERVER_ALL_DB_ALL =
- create(new KeyValue("server", ALL), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_ALL_DB_DB1 =
- create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
-
- private static final Privilege ROLE_SERVER_SERVER1_URI_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1"));
- private static final Privilege ROLE_SERVER_SERVER1_URI_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/"));
- private static final Privilege ROLE_SERVER_SERVER1_URI_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
-
-
- private static final Privilege ROLE_SERVER_SERVER1 =
- create(new KeyValue("server", "server1"));
-
-
- private static final Privilege REQUEST_SERVER1_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Privilege REQUEST_SERVER2_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Privilege REQUEST_SERVER1_DB2 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
- private static final Privilege REQUEST_SERVER2_DB2 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
-
- private static final Privilege REQUEST_SERVER1_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1/some/file"));
- private static final Privilege REQUEST_SERVER1_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/some/other/file"));
-
- private static final Privilege REQUEST_SERVER1_OTHER =
- create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
-
- private static final Privilege REQUEST_SERVER1 =
- create(new KeyValue("server", "server2"));
-
- @Test
- public void testOther() throws Exception {
- assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
- assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
- }
- @Test
- public void testRoleShorterThanRequest() throws Exception {
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
-
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
- }
- @Test
- public void testRolesAndRequests() throws Exception {
- // ROLE_SERVER_SERVER1_DB_ALL
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-
- // ROLE_SERVER_SERVER1_DB_DB1
- assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-
- // ROLE_SERVER_SERVER2_DB_ALL
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-
- // ROLE_SERVER_SERVER2_DB_DB1
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-
- // ROLE_SERVER_ALL_DB_ALL
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-
- // ROLE_SERVER_ALL_DB_DB1
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-
- // uri
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
- assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
- // test inverse
- assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
- };
- @Test
- public void testUnexpected() throws Exception {
- Privilege p = new Privilege() {
- @Override
- public boolean implies(Privilege p) {
- return false;
- }
- };
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
-
- assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
- create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
- }
- @Test(expected=IllegalArgumentException.class)
- public void testNullString() throws Exception {
- System.out.println(create((String)null));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyString() throws Exception {
- System.out.println(create(""));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(create(KV_JOINER.join("", "db1")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(create(KV_JOINER.join("db", "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyPart() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_JOINER.join("server", "server1"), "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testOnlySeperators() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
- }
- @Test
- public void testImpliesURIPositive() throws Exception {
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/some/dir"));
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path"));
- assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path/to/some/dir"));
- assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path"));
- }
- @Test
- public void testImpliesURINegative() throws Exception {
- // relative path
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/../../other"));
- assertFalse(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path/to/../../other"));
- // bad policy
- assertFalse(DBWildcardPrivilege.impliesURI("blah",
- "hdfs://namenode:8020/path/to/some/dir"));
- // bad request
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "blah"));
- // scheme
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "file:///path/to/some/dir"));
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "file://namenode:8020/path/to/some/dir"));
- // hostname
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode1:8020/path",
- "hdfs://namenode2:8020/path/to/some/dir"));
- // port
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8021/path/to/some/dir"));
- // mangled path
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/pathFooBar"));
- // ends in /
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path/",
- "hdfs://namenode:8020/path/FooBar"));
- }
- @Test
- public void testActionHierarchy() throws Exception {
- String dbName = "db1";
- DBWildcardPrivilege dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "ALL"));
-
- DBWildcardPrivilege dbSelect = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "SELECT"));
- DBWildcardPrivilege dbInsert = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "INSERT"));
- DBWildcardPrivilege dbAlter = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "ALTER"));
- DBWildcardPrivilege dbCreate = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "CREATE"));
- DBWildcardPrivilege dbDrop = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "DROP"));
- DBWildcardPrivilege dbIndex = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "INDEX"));
- DBWildcardPrivilege dbLock = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "LOCK"));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "*"));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- 
assertTrue(dbAll.implies(dbLock)); - - } - static DBWildcardPrivilege create(KeyValue... keyValues) { - return create(AUTHORIZABLE_JOINER.join(keyValues)); - - } - static DBWildcardPrivilege create(String s) { - return new DBWildcardPrivilege(s); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java deleted file mode 100644 index c08a4f4..0000000 --- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java +++ /dev/null 
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.junit.Assert;
-
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestDatabaseRequiredInRole {
-
- @Test
- public void testURIInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- System.setProperty("sentry.allow.uri.db.policyfile", "true");
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->URI=file:///user/db/warehouse/tab1"));
- System.setProperty("sentry.allow.uri.db.policyfile", "false");
- }
-
- @Test
- public void testURIWithDBInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- try {
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- // expected
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
deleted file mode 100644
index fc21ceb..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestPolicyParsingNegative {
-
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestPolicyParsingNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
- private File otherPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- otherPolicyFile = new File(baseDir, "other.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
- @Test
- public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
- PolicyEngine policy;
- ImmutableSet<String> permissions;
- PolicyFile policyFile;
- // test sanity
- policyFile = PolicyFile.setAdminOnServer1("admin");
- policyFile.addGroupsToUser("admin1", "admin");
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [users] fails parsing of per-db file
- policyFile.addDatabase("other", otherPolicyFile.getPath());
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [databases] fails parsing of per-db file
- // by removing the user mapping from the per-db policy file
- policyFile.removeGroupsFromUser("admin1", "admin")
- .write(otherPolicyFile);
- policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- }
-
- @Test
- public void testDatabaseRequiredInRole() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1", otherPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- /**
- * Create policy file with multiple per db files.
- * Verify that a file with bad format is the only one that's ignored
- * @throws Exception
- */
- @Test
- public void testMultiDbWithErrors() throws Exception {
- File db1PolicyFile = new File(baseDir, "db1.ini");
- File db2PolicyFile = new File(baseDir, "db2.ini");
-
- // global policy file
- append("[databases]", globalPolicyFile);
- append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile);
- append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile);
- append("[groups]", globalPolicyFile);
- append("db3_group = db3_rule", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile);
-
- //db1 policy file with badly formatted rule
- append("[groups]", db1PolicyFile);
- append("db1_group = bad_rule", db1PolicyFile);
- append("[roles]", db1PolicyFile);
- append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile);
-
- //db2 policy file with proper rule
- append("[groups]", db2PolicyFile);
- append("db2_group = db2_rule", db2PolicyFile);
- append("[roles]", db2PolicyFile);
- append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
-
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-
- // verify that the db1 rule is empty
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-
- permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), 1, permissions.size());
- }
-}
