http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java new file mode 100644 index 0000000..d1a88b0 --- /dev/null +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java @@ -0,0 +1,1164 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +import java.io.File; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.commons.io.FileUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.model.MSentryGroup; +import org.apache.sentry.provider.db.service.model.MSentryPrivilege; +import org.apache.sentry.provider.db.service.model.MSentryRole; +import org.apache.sentry.provider.db.service.model.MSentryUser; +import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.service.thrift.TSentryMappingData; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.core.common.utils.PolicyFile; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Maps; +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public class TestSentryStoreImportExport { + + private static File dataDir; + private static SentryStore sentryStore; + private static String[] adminGroups = { "adminGroup1" }; + private static PolicyFile policyFile; + private static File policyFilePath; + private TSentryPrivilege tSentryPrivilege1; + private TSentryPrivilege tSentryPrivilege2; + private TSentryPrivilege tSentryPrivilege3; + private TSentryPrivilege tSentryPrivilege4; + private TSentryPrivilege tSentryPrivilege5; + private TSentryPrivilege tSentryPrivilege6; + private TSentryPrivilege tSentryPrivilege7; + private TSentryPrivilege tSentryPrivilege8; + private TSentryPrivilege tSentryPrivilege9; + + @BeforeClass + public static void setupEnv() throws Exception { + dataDir = new File(Files.createTempDir(), "sentry_policy_db"); + Configuration conf = new Configuration(false); + conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); + conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + + ";create=true"); + conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "sentry"); + conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); + policyFilePath = new File(dataDir, "local_policy_file.ini"); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath()); + policyFile = new PolicyFile(); + sentryStore = new SentryStore(conf); + + String adminUser = "g1"; + addGroupsToUser(adminUser, adminGroups); + writePolicyFile(); + } + + @Before + public void setupPrivilege() { + preparePrivilege(); + } + + @After + public void clearStore() { + sentryStore.clearAllTables(); + } + + // create the privileges instance for test case: + // privilege1=[server=server1] + // privilege2=[server=server1, action=select, grantOption=false] + // privilege3=[server=server1, db=db2, action=insert, grantOption=true] + // privilege4=[server=server1, db=db1, table=tbl1, action=insert, grantOption=false] + // privilege5=[server=server1, db=db1, table=tbl2, column=col1, action=insert, grantOption=false] + // privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true] + // privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true] + // privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false] + // privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false] + private void preparePrivilege() { + tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "", + "", "", TSentryGrantOption.UNSET); + tSentryPrivilege2 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "", + "", AccessConstants.SELECT, TSentryGrantOption.FALSE); + tSentryPrivilege3 = createTSentryPrivilege(PrivilegeScope.DATABASE.name(), "server1", "db2", + "", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE); + tSentryPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db1", + "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + tSentryPrivilege5 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1", + "tbl2", "col1", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + tSentryPrivilege6 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1", + "tbl3", "col1", "", AccessConstants.ALL, TSentryGrantOption.TRUE); + tSentryPrivilege7 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1", + "tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE); + tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "", + "hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE); + tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2", + "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + } + + @AfterClass + public static void teardown() { + if (sentryStore != null) { + sentryStore.stop(); + } + if (dataDir != null) { + FileUtils.deleteQuietly(dataDir); + } + } + + protected static void addGroupsToUser(String user, String... groupNames) { + policyFile.addGroupsToUser(user, groupNames); + } + + protected static void writePolicyFile() throws Exception { + policyFile.write(policyFilePath); + } + + // Befor import, database is empty. + // The following information is imported: + // group1=role1,role2,role3 + // group2=role1,role2,role3 + // group3=role1,role2,role3 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy1() throws Exception { + TSentryMappingData tSentryMappingData = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap(); + sentryGroupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3")); + sentryGroupRolesMap.put("group2", Sets.newHashSet("Role1", "role2", "role3")); + sentryGroupRolesMap.put("group3", Sets.newHashSet("Role1", "role2", "role3")); + sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap); + tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap); + sentryStore.importSentryMetaData(tSentryMappingData, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has no duplicate data: + // The data for 1st import: + // group1=role1 + // role1=privilege1,privilege2,privilege3,privilege4 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege5,privilege6,privilege7,privilege8 + // role3=privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy2() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1")); + sentryRolePrivilegesMap1 + .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3, + tSentryPrivilege4)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2 + .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + sentryRolePrivilegesMap2 + .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + sentryStore.importSentryMetaData(tSentryMappingData2, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap + .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3, + tSentryPrivilege4)); + exceptedRolePrivilegesMap + .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + exceptedRolePrivilegesMap + .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has data overlap: + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy3() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + sentryStore.importSentryMetaData(tSentryMappingData2, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has one role without group. + // The data for 1st import: + // group1=role1, role2 + // role1=privilege1,privilege2 + // role2=privilege3,privilege4 + // The data for 2nd import: + // group2=role2 + // role2=privilege5,privilege6 + // role3=privilege7,privilege8 + // role3 is without group, will be imported also + @Test + public void testImportExportPolicy4() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2)); + sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + sentryStore.importSentryMetaData(tSentryMappingData2, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2)); + exceptedRolePrivilegesMap + .put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // test for import mapping data for [group,role] only: + // group1=role1, role2 + @Test + public void testImportExportPolicy5() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1")); + + // test the result data for the privilege + assertTrue(privilegesList.isEmpty()); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + assertTrue(actualRolePrivilegesMap.isEmpty()); + } + + // test for filter the orphaned group: + // group1=role1, role2 + // group2=role2 + @Test + public void testImportExportPolicy6() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group2", Sets.newHashSet("role2")); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + // drop the role2, the group2 is orphaned group + sentryStore.dropSentryRole("role2"); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2")); + + // test the result data for the privilege + assertTrue(privilegesList.isEmpty()); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + assertTrue(actualRolePrivilegesMap.isEmpty()); + } + + // call import twice, and there has no duplicate data, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1 + // role1=privilege1 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege2 + // role3=privilege2 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy7() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData1, true); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege2)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege2)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData2, true); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege2)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege2)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has data overlap, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy8() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData1, true); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData2, true); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + // role2 should be overwrite + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // test the import privileges with the action: All, *, select, insert + // All and * should replace the select and insert + // The data for import: + // group1=role1, role2 + // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4 + // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8 + @Test + public void testImportExportPolicy9() throws Exception { + TSentryPrivilege testPrivilege1 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege2 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + TSentryPrivilege testPrivilege3 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege5 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege6 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + TSentryPrivilege testPrivilege7 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.ALL, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege8 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE); + + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + // after import there should be only testPrivilege2, testPrivilege3 + sentryRolePrivilegesMap1.put("role1", + Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4)); + // after import there should be only testPrivilege6,testPrivilege7 + sentryRolePrivilegesMap1.put("role2", + Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData1, true); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1")); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // The following data is imported: + // group1=role1 + // group2=role1,role2 + // group3=role2,role3 + // group4=role1,role2,role3 + // role1=privilege3,privilege4,privilege9 + // role2=privilege3,privilege4,privilege5,privilege6,privilege7 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested. + @Test + public void testExportPolicyWithSpecificObject() throws Exception { + // import the data for test + TSentryMappingData tSentryMappingData = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap(); + sentryGroupRolesMap.put("group1", Sets.newHashSet("role1")); + sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + sentryRolePrivilegesMap.put("role1", Sets.newHashSet( + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9)); + sentryRolePrivilegesMap.put("role2", Sets.newHashSet( + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7)); + sentryRolePrivilegesMap.put("role3", Sets.newHashSet( + tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap); + tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap); + sentryStore.importSentryMetaData(tSentryMappingData, false); + + // verify the rolePrivilegesMap and groupRolesMap for db=db1 + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = + sentryStore.getRoleNameTPrivilegesMap("db1", ""); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, + tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, + tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList( + actualRolePrivilegesMap.keySet()); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for db=db2 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", ""); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet()); + actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1"); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet()); + actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2"); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet()); + actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for table=tbl1 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1"); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet()); + actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for empty parameter + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", ""); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, + tSentryPrivilege4, tSentryPrivilege9)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3, + tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, + tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet()); + actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + } + + // Befor import, database is empty. + // The following information is imported: + // group1=role1,role2,role3 + // user1=role1,role2 + // user2=role2,role3 + // role1=privilege1,privilege2,privilege3,privilege4 + // role2=privilege5,privilege6,privilege7,privilege8 + // role3=privilege3,privilege4,privilege5,privilege6 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getUsersMap getPrivilegesList are tested. + @Test + public void testImportExportWithUser() throws Exception { + TSentryMappingData tSentryMappingData = new TSentryMappingData(); + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + Map<String, Set<String>> userRolesMap = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap(); + groupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3")); + userRolesMap.put("user1", Sets.newHashSet("Role1", "role2")); + userRolesMap.put("user2", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4)); + sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3, + tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6)); + tSentryMappingData.setGroupRolesMap(groupRolesMap); + tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap); + tSentryMappingData.setUserRolesMap(userRolesMap); + sentryStore.importSentryMetaData(tSentryMappingData, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap(); + Map<String, MSentryUser> usersMap = sentryStore.getUserNameToUserMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1")); + + // test the result data for the user + verifyUsers(usersMap, Sets.newHashSet("user1", "user2")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null); + Map<String, Set<String>> actualGroupRolesMap = mapList.get( + SentryStore.INDEX_GROUP_ROLES_MAP); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + Map<String, Set<String>> actualUserRolesMap = mapList.get( + SentryStore.INDEX_USER_ROLES_MAP); + Map<String, Set<String>> exceptedUserRolesMap = Maps.newHashMap(); + exceptedUserRolesMap.put("user1", Sets.newHashSet("role1", "role2")); + exceptedUserRolesMap.put("user2", Sets.newHashSet("role2", "role3")); + verifyUserGroupRolesMap(actualUserRolesMap, exceptedUserRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3, + tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6)); + + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) { + assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size()); + for (String roleName : actualRoleMap.keySet()) { + assertTrue(expectedRoleNameSet.contains(roleName)); + } + } + + private void verifyGroups(Map<String, MSentryGroup> actualGroupsMap, + Set<String> expectedGroupNameSet) { + assertEquals(expectedGroupNameSet.size(), actualGroupsMap.keySet().size()); + for (String groupName : actualGroupsMap.keySet()) { + assertTrue(expectedGroupNameSet.contains(groupName)); + } + } + + private void verifyUsers(Map<String, MSentryUser> actualUsersMap, + Set<String> expectedUserNameSet) { + assertEquals(expectedUserNameSet.size(), actualUsersMap.keySet().size()); + for (String userName : actualUsersMap.keySet()) { + assertTrue(expectedUserNameSet.contains(userName)); + } + } + + private void verifyPrivileges(List<MSentryPrivilege> actualPrivileges, + Set<TSentryPrivilege> expectedTSentryPrivilegeSet) { + assertEquals(expectedTSentryPrivilegeSet.size(), actualPrivileges.size()); + for (MSentryPrivilege mSentryPrivilege : actualPrivileges) { + boolean isFound = false; + for (TSentryPrivilege tSentryPrivilege : expectedTSentryPrivilegeSet) { + isFound = compareTSentryPrivilege(sentryStore.convertToTSentryPrivilege(mSentryPrivilege), + tSentryPrivilege); + if (isFound) { + break; + } + } + assertTrue(isFound); + } + } + + private void verifyUserGroupRolesMap(Map<String, Set<String>> actualMap, + Map<String, Set<String>> exceptedMap) { + assertEquals(exceptedMap.keySet().size(), actualMap.keySet().size()); + for (String name : actualMap.keySet()) { + Set<String> exceptedRoles = exceptedMap.get(name); + Set<String> actualRoles = actualMap.get(name); + assertEquals(actualRoles.size(), exceptedRoles.size()); + assertTrue(actualRoles.equals(exceptedRoles)); + } + } + + private void verifyRolePrivilegesMap(Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap, + Map<String, Set<TSentryPrivilege>> expectedRolePrivilegesMap) { + assertEquals(expectedRolePrivilegesMap.keySet().size(), actualRolePrivilegesMap.keySet().size()); + for (String roleName : expectedRolePrivilegesMap.keySet()) { + Set<TSentryPrivilege> exceptedTSentryPrivileges = expectedRolePrivilegesMap.get(roleName); + Set<TSentryPrivilege> actualTSentryPrivileges = actualRolePrivilegesMap.get(roleName); + assertEquals(exceptedTSentryPrivileges.size(), actualTSentryPrivileges.size()); + for (TSentryPrivilege actualPrivilege : actualTSentryPrivileges) { + boolean isFound = false; + for (TSentryPrivilege expectedPrivilege : exceptedTSentryPrivileges) { + isFound = compareTSentryPrivilege(expectedPrivilege, actualPrivilege); + if (isFound) { + break; + } + } + assertTrue(isFound); + } + } + } + + private TSentryPrivilege createTSentryPrivilege(String scope, String server, String dbName, + String tableName, String columnName, String uri, String action, TSentryGrantOption grantOption) { + TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); + tSentryPrivilege.setPrivilegeScope(scope); + tSentryPrivilege.setServerName(server); + tSentryPrivilege.setDbName(dbName); + tSentryPrivilege.setTableName(tableName); + tSentryPrivilege.setColumnName(columnName); + tSentryPrivilege.setURI(uri); + tSentryPrivilege.setAction(action); + tSentryPrivilege.setGrantOption(grantOption); + return tSentryPrivilege; + } + + // compare the TSentryPrivilege without the create time + private boolean compareTSentryPrivilege(TSentryPrivilege tSentryPrivilege1, + TSentryPrivilege tSentryPrivilege2) { + if (tSentryPrivilege1 == null) { + if (tSentryPrivilege2 == null) { + return true; + } else { + return false; + } + } else { + if (tSentryPrivilege2 == null) { + return false; + } + } + + boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope(); + boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope(); + if (this_present_privilegeScope || that_present_privilegeScope) { + if (!(this_present_privilegeScope && that_present_privilegeScope)) { + return false; + } + if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase( + tSentryPrivilege2.getPrivilegeScope())) { + return false; + } + } + + boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName(); + boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName(); + if (this_present_serverName || that_present_serverName) { + if (!(this_present_serverName && that_present_serverName)) { + return false; + } + if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) { + return false; + } + } + + boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName(); + boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName(); + if (this_present_dbName || that_present_dbName) { + if (!(this_present_dbName && that_present_dbName)) { + return false; + } + if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) { + return false; + } + } + + boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName(); + boolean that_present_tableName = true && tSentryPrivilege2.isSetTableName(); + if (this_present_tableName || that_present_tableName) { + if (!(this_present_tableName && that_present_tableName)) { + return false; + } + if (!tSentryPrivilege1.getTableName().equalsIgnoreCase(tSentryPrivilege2.getTableName())) { + return false; + } + } + + boolean this_present_URI = true && tSentryPrivilege1.isSetURI(); + boolean that_present_URI = true && tSentryPrivilege2.isSetURI(); + if (this_present_URI || that_present_URI) { + if (!(this_present_URI && that_present_URI)) { + return false; + } + if (!tSentryPrivilege1.getURI().equalsIgnoreCase(tSentryPrivilege2.getURI())) { + return false; + } + } + + boolean this_present_action = true && tSentryPrivilege1.isSetAction(); + boolean that_present_action = true && tSentryPrivilege2.isSetAction(); + if (this_present_action || that_present_action) { + if (!(this_present_action && that_present_action)) { + return false; + } + if (!tSentryPrivilege1.getAction().equalsIgnoreCase(tSentryPrivilege2.getAction())) { + return false; + } + } + + boolean this_present_grantOption = true && tSentryPrivilege1.isSetGrantOption(); + boolean that_present_grantOption = true && tSentryPrivilege2.isSetGrantOption(); + if (this_present_grantOption || that_present_grantOption) { + if (!(this_present_grantOption && that_present_grantOption)) { + return false; + } + if (!tSentryPrivilege1.getGrantOption().equals(tSentryPrivilege2.getGrantOption())) { + return false; + } + } + + boolean this_present_columnName = true && tSentryPrivilege1.isSetColumnName(); + boolean that_present_columnName = true && tSentryPrivilege2.isSetColumnName(); + if (this_present_columnName || that_present_columnName) { + if (!(this_present_columnName && that_present_columnName)) { + return false; + } + if (!tSentryPrivilege1.getColumnName().equalsIgnoreCase(tSentryPrivilege2.getColumnName())) { + return false; + } + } + + return true; + } +}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java new file mode 100644 index 0000000..25f94fa --- /dev/null +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java @@ -0,0 +1,86 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import static org.junit.Assert.assertEquals; + +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.model.MSentryPrivilege; +import org.junit.Test; + +public class TestSentryStoreToAuthorizable { + + private MSentryPrivilege privilege; + + @Test + public void testServer() { + privilege = new MSentryPrivilege(null, "server1", null, null, null, null, null); + assertEquals("server=server1", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", null, null, null, null, + AccessConstants.ALL); + assertEquals("server=server1", + SentryStore.toAuthorizable(privilege)); + } + + @Test + public void testTable() { + privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, null); + assertEquals("server=server1->db=db1->table=tbl1", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, + AccessConstants.INSERT); + assertEquals("server=server1->db=db1->table=tbl1->action=insert", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, + AccessConstants.SELECT); + assertEquals("server=server1->db=db1->table=tbl1->action=select", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, + AccessConstants.ALL); + assertEquals("server=server1->db=db1->table=tbl1", + SentryStore.toAuthorizable(privilege)); + } + + @Test + public void testDb() { + privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null, null); + assertEquals("server=server1->db=db1", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null, + AccessConstants.ALL); + assertEquals("server=server1->db=db1", + SentryStore.toAuthorizable(privilege)); + } + + @Test + public void testUri() { + privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///", null); + assertEquals("server=server1->uri=file:///", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///", + AccessConstants.SELECT); + assertEquals("server=server1->uri=file:///->action=select", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///", + AccessConstants.ALL); + assertEquals("server=server1->uri=file:///", + SentryStore.toAuthorizable(privilege)); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java new file mode 100644 index 0000000..103dbb6 --- /dev/null +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java @@ -0,0 +1,84 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import static org.junit.Assert.assertEquals; + +import java.io.File; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.common.exception.SentryNoSuchObjectException; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.io.Files; + +public class TestSentryVersion { + + private File dataDir; + private Configuration conf; + + @Before + public void setup() throws Exception { + dataDir = new File(Files.createTempDir(), "sentry_policy_db"); + conf = new Configuration(false); + conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + + dataDir.getPath() + ";create=true"); + conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy"); + } + + /** + * Create the schema using auto creation Create new sentry store without + * implicit schema creation on the same backend db and make sure it starts + * + * @throws Exception + */ + @Test + public void testVerifySentryVersionCheck() throws Exception { + conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); + SentryStore sentryStore = new SentryStore(conf); + sentryStore.stop(); + conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "true"); + } + + /** + * Verify that store is not initialized by default without schema pre-created + * + * @throws Exception + */ + @Test(expected = SentryNoSuchObjectException.class) + public void testNegSentrySchemaDefault() throws Exception { + new SentryStore(conf); + } + + /** + * With schema verification turned off, Sentry Store should autoCreate the + * schema + * @throws Exception + */ + @Test + public void testSentryImplicitVersion() throws Exception { + conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); + SentryStore sentryStore = new SentryStore(conf); + assertEquals(SentryStoreSchemaInfo.getSentryVersion(), + sentryStore.getSentryVersion()); + } + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java new file mode 100644 index 0000000..1114194 --- /dev/null +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java @@ -0,0 +1,68 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.thrift; + +import java.io.File; +import java.util.Properties; + +import org.apache.hadoop.minikdc.MiniKdc; + +public class SentryMiniKdcTestcase { + + private static File workDir; + private static Properties conf; + private static MiniKdc kdc; + + public static void startMiniKdc(Properties confOverlay) throws Exception { + createTestDir(); + createMiniKdcConf(confOverlay); + kdc = new MiniKdc(conf, workDir); + kdc.start(); + } + + private static void createMiniKdcConf(Properties confOverlay) { + conf = MiniKdc.createConf(); + for ( Object property : confOverlay.keySet()) { + conf.put(property, confOverlay.get(property)); + } + } + + private static void createTestDir() { + workDir = new File(System.getProperty("test.dir", "target")); + } + + public static void stopMiniKdc() { + if (kdc != null) { + kdc.stop(); + } + } + + public static MiniKdc getKdc() { + return kdc; + } + + public static File getWorkDir() { + return workDir; + } + + public Properties getConf() { + return conf; + } + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java new file mode 100644 index 0000000..48f25dd --- /dev/null +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java @@ -0,0 +1,295 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.thrift; + +import static org.hamcrest.core.Is.is; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + +import org.apache.log4j.Level; +import org.apache.log4j.Logger; +import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender; +import org.apache.sentry.provider.db.log.util.CommandUtil; +import org.apache.sentry.provider.db.log.util.Constants; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; +import org.codehaus.jettison.json.JSONObject; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Sets; + +public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase { + + @BeforeClass + public static void setupLog4j() throws Exception { + Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger"); + AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender(); + logger.addAppender(testAppender); + logger.setLevel(Level.INFO); + } + + @Test + public void testBasic() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + String roleName = "testRole"; + String errorRoleName = "errorRole"; + String serverName = "server1"; + String groupName = "testGroup"; + String dbName = "dbTest"; + String tableName = "tableTest"; + Map<String, String> fieldValueMap = new HashMap<String, String>(); + + // for successful audit log + client.createRole(requestorUserName, roleName); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + // for ip address, there is another logic to test the result + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + client.grantRoleToGroup(requestorUserName, groupName, roleName); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName + + " TO GROUP " + groupName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL"); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName + + " TO ROLE " + roleName); + fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName, + "SELECT", true); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName + + " TO ROLE " + roleName + " WITH GRANT OPTION"); + fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + // for error audit log + try { + client.createRole(requestorUserName, roleName); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + try { + client.grantRoleToGroup(requestorUserName, groupName, errorRoleName); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + errorRoleName + + " TO GROUP " + groupName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + try { + client + .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL"); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName + + " TO ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + try { + client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, + "INSERT"); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE " + + dbName + " TO ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + try { + client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, + "SELECT"); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE " + + dbName + " TO ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + try { + client.grantTablePrivilege(requestorUserName, errorRoleName, serverName, dbName, + tableName, "SELECT"); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + + tableName + " TO ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + + client.revokeTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName, + "SELECT"); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName + + " FROM ROLE " + roleName); + fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + client.revokeDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL"); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName + + " FROM ROLE " + roleName); + fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + client.revokeRoleFromGroup(requestorUserName, groupName, roleName); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName + + " FROM GROUP " + groupName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + client.dropRole(requestorUserName, roleName); + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + + // for error audit log + try { + client.revokeTablePrivilege(requestorUserName, errorRoleName, serverName, dbName, + tableName, "SELECT"); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + + tableName + " FROM ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + + try { + client.revokeDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, + "ALL"); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName + + " FROM ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + + try { + client.revokeRoleFromGroup(requestorUserName, groupName, errorRoleName); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + errorRoleName + + " FROM GROUP " + groupName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + + try { + client.dropRole(requestorUserName, errorRoleName); + fail("Exception should have been thrown"); + } catch (Exception e) { + fieldValueMap.clear(); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE); + fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + errorRoleName); + fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE); + fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null); + assertAuditLog(fieldValueMap); + } + } + }); + } + + private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception { + assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO)); + JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent()); + if (fieldValueMap != null) { + for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) { + String entryKey = entry.getKey(); + if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) { + assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString())); + } else { + assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString())); + } + } + } + } +}
