http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
deleted file mode 100644
index 81059c5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
+++ /dev/null
@@ -1,608 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.tools; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileOutputStream; -import java.io.PrintStream; -import java.util.HashSet; -import java.util.Iterator; -import java.util.Set; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.collect.Sets; -import com.google.common.io.Files; - -public class TestSentryShellHive extends SentryServiceIntegrationBase { - - private File confDir; - private File confPath; - private static String TEST_ROLE_NAME_1 = "testRole1"; - private static String TEST_ROLE_NAME_2 = "testRole2"; - private String requestorName = ""; - - @Before - public void 
prepareForTest() throws Exception { - confDir = Files.createTempDir(); - confPath = new File(confDir, "sentry-site.xml"); - if (confPath.createNewFile()) { - FileOutputStream to = new FileOutputStream(confPath); - conf.writeXml(to); - to.close(); - } - requestorName = clientUgi.getShortUserName(); - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorName, requestorUserGroupNames); - // add ADMIN_USER for the after() in SentryServiceIntegrationBase - setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames); - writePolicyFile(); - } - - @After - public void clearTestData() throws Exception { - FileUtils.deleteQuietly(confDir); - } - - @Test - public void testCreateDropRole() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: create role with -cr - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // test: create role with --create_role - args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - - // validate the result, list roles with -lr - args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() }; - SentryShellHive sentryShell = new SentryShellHive(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // validate the result, list roles with --list_role - args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // test: drop role with -dr - args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // test: drop role with 
--drop_role - args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - - // validate the result - Set<TSentryRole> roles = client.listRoles(requestorName); - assertEquals("Incorrect number of roles", 0, roles.size()); - } - }); - } - - @Test - public void testAddDeleteRoleForGroup() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1); - client.createRole(requestorName, TEST_ROLE_NAME_2); - // test: add role to group with -arg - String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // test: add role to multiple groups - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3", - "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // test: add role to group with --add_role_group - args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", - "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - - // validate the result list roles with -lr and -g - args = new String[] { "-lr", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() }; - SentryShellHive sentryShell = new SentryShellHive(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - - // list roles with --list_role and -g - args = new String[] { "--list_role", "-g", "testGroup2", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - args = new String[] { "--list_role", "-g", "testGroup3", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new 
SentryShellHive(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - // test: delete role from group with -drg - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // test: delete role to multiple groups - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3", - "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // test: delete role from group with --delete_role_group - args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", - "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - - // validate the result - Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, "testGroup1"); - assertEquals("Incorrect number of roles", 0, roles.size()); - roles = client.listRolesByGroupName(requestorName, "testGroup2"); - assertEquals("Incorrect number of roles", 0, roles.size()); - roles = client.listRolesByGroupName(requestorName, "testGroup3"); - assertEquals("Incorrect number of roles", 0, roles.size()); - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1); - client.dropRole(requestorName, TEST_ROLE_NAME_2); - } - }); - } - - @Test - public void testGrantRevokePrivilegeWithShortOption() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1); - client.createRole(requestorName, TEST_ROLE_NAME_2); - - // test: grant privilege to role with -gpr - String[] args = { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->action=*", - "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->action=select", "-conf", 
confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true", - "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // for the uri privilege, the action will be awalys * - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - - // test the list privilege with -lp - args = new String[] { "-lp", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellHive sentryShell = new SentryShellHive(); - Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true); - // validate the result for -lp - assertEquals("Incorrect number of privileges", 6, privilegeStrs.size()); - assertTrue(privilegeStrs.contains("server=server1->action=*")); - assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select")); - assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert")); - assertTrue(privilegeStrs - .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert")); - assertTrue(privilegeStrs - .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true")); - // for the uri privilege, the action will be awalys * - assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*")); - - // test: revoke privilege from role with -rpr - args = new String[] { "-rpr", "-r", 
TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName, - TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 5, privileges.size()); - - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true", - "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 4, privileges.size()); - - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 3, privileges.size()); - - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 2, privileges.size()); - - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 1, privileges.size()); - - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", "server=server1->action=*", - "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - 
assertEquals("Incorrect number of privileges", 0, privileges.size()); - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1); - client.dropRole(requestorName, TEST_ROLE_NAME_2); - } - }); - } - - @Test - public void testGrantRevokePrivilegeWithLongOption() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1); - client.createRole(requestorName, TEST_ROLE_NAME_2); - - // test: grant privilege to role with -gpr - String[] args = { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->action=*", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true", - "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - // for the uri privilege, the action will be awalys * - args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - - // test the list privilege with -lp - args = new String[] { "--list_privilege", "-r", TEST_ROLE_NAME_1, "-conf", - 
confPath.getAbsolutePath() }; - SentryShellHive sentryShell = new SentryShellHive(); - Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true); - // validate the result for -lp - assertEquals("Incorrect number of privileges", 6, privilegeStrs.size()); - assertTrue(privilegeStrs.contains("server=server1->action=*")); - assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select")); - assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert")); - assertTrue(privilegeStrs - .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert")); - assertTrue(privilegeStrs - .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true")); - // for the uri privilege, the action will be awalys * - assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*")); - - // test: revoke privilege from role with -rpr - args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName, - TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 5, privileges.size()); - - args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true", - "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 4, privileges.size()); - - args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = 
client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 3, privileges.size()); - - args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->table=tbl1->action=insert", "-conf", - confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 2, privileges.size()); - - args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 1, privileges.size()); - - args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->action=*", "-conf", confPath.getAbsolutePath() }; - SentryShellHive.main(args); - privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); - assertEquals("Incorrect number of privileges", 0, privileges.size()); - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1); - client.dropRole(requestorName, TEST_ROLE_NAME_2); - } - }); - } - - @Test - public void testNegativeCaseWithInvalidArgument() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - client.createRole(requestorName, TEST_ROLE_NAME_1); - // test: create duplicate role with -cr - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellHive sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for creating duplicate role"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: drop non-exist role with -dr - args = new 
String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for dropping non-exist role"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: add non-exist role to group with -arg - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for granting non-exist role to group"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: drop group from non-exist role with -drg - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for drop group from non-exist role"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: grant privilege to role with the error privilege format - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*", - "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for the error privilege format, invalid key value."); - } catch (IllegalArgumentException e) { - // excepted exception - } - - // test: grant privilege to role with the error privilege hierarchy - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->table=tbl1->column=col2->action=insert", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for the error privilege format, invalid key value."); - } catch (IllegalArgumentException e) { - // excepted exception - } - - // clear the 
test data - client.dropRole(requestorName, TEST_ROLE_NAME_1); - } - }); - } - - @Test - public void testNegativeCaseWithoutRequiredArgument() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String strOptionConf = "conf"; - client.createRole(requestorName, TEST_ROLE_NAME_1); - // test: the conf is required argument - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 }; - SentryShellHive sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf); - - // test: -r is required when create role - args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -r is required when drop role - args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -r is required when add role to group - args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -g is required when add role to group - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); - - // test: -r is required when delete role from group - args = new String[] { "-drg", "-g", "testGroup1", "-conf", 
confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -g is required when delete role from group - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); - - // test: -r is required when grant privilege to role - args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -p is required when grant privilege to role - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); - - // test: -r is required when revoke privilege from role - args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -p is required when revoke privilege from role - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellHive(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); - - // test: command option is required for shell - args = new String[] {"-conf", confPath.getAbsolutePath() }; 
- sentryShell = new SentryShellHive(); - validateMissingParameterMsgsContains(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[", - "-arg Add role to group", - "-cr Create role", - "-rpr Revoke privilege from role", - "-drg Delete role from group", - "-lr List role", - "-lp List privilege", - "-gpr Grant privilege to role", - "-dr Drop role"); - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1); - } - }); - } - - // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result. - private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell, - String[] args, boolean exceptedExecuteResult) throws Exception { - PrintStream oldOut = System.out; - ByteArrayOutputStream outContent = new ByteArrayOutputStream(); - System.setOut(new PrintStream(outContent)); - assertEquals(exceptedExecuteResult, sentryShell.executeShell(args)); - Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n")); - System.setOut(oldOut); - return resultSet; - } - - private void validateRoleNames(Set<String> roleNames, String ... 
expectedRoleNames) { - if (expectedRoleNames != null && expectedRoleNames.length > 0) { - assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length, - expectedRoleNames.length, roleNames.size()); - Set<String> lowerCaseRoles = new HashSet<String>(); - for (String role : roleNames) { - lowerCaseRoles.add(role.toLowerCase()); - } - - for (String expectedRole : expectedRoleNames) { - assertTrue("Expected role: " + expectedRole, - lowerCaseRoles.contains(expectedRole.toLowerCase())); - } - } - } - - private void validateMissingParameterMsg(SentryShellHive sentryShell, String[] args, - String exceptedErrorMsg) throws Exception { - Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); - assertTrue(errorMsgs.contains(exceptedErrorMsg)); - } - - private void validateMissingParameterMsgsContains(SentryShellHive sentryShell, String[] args, - String ... expectedErrorMsgsContains) throws Exception { - Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); - boolean foundAllMessages = false; - Iterator<String> it = errorMsgs.iterator(); - while (it.hasNext()) { - String errorMessage = it.next(); - boolean missingExpected = false; - for (String expectedContains : expectedErrorMsgsContains) { - if (!errorMessage.contains(expectedContains)) { - missingExpected = true; - break; - } - } - if (!missingExpected) { - foundAllMessages = true; - break; - } - } - assertTrue(foundAllMessages); - } -}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
deleted file mode 100644
index cb2d9c9..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ /dev/null
@@ -1,355 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.service.thrift; -import java.io.File; -import java.security.PrivilegedExceptionAction; -import java.util.Properties; -import java.util.Set; -import java.util.concurrent.TimeoutException; - - -import com.google.common.io.Resources; -import org.apache.commons.io.FileUtils; -import org.apache.curator.test.TestingServer; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.minikdc.MiniKdc; -import org.apache.hadoop.net.NetUtils; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.sentry.provider.db.service.persistent.HAContext; -import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.apache.sentry.provider.file.PolicyFile; -import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; -import org.apache.zookeeper.server.ZooKeeperSaslServer; -import org.junit.After; -import org.junit.AfterClass; -import org.junit.Assert; 
-import org.junit.Before; -import org.junit.BeforeClass; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.base.Strings; -import com.google.common.io.Files; - -public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase { - private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class); - - protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName(); - protected static final String REALM = "EXAMPLE.COM"; - protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST; - protected static String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM; - protected static final String HTTP_PRINCIPAL = "HTTP/" + SERVER_HOST; - protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST; - protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive"; - protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME - + "/" + SERVER_HOST + "@" + REALM; - protected static final String ADMIN_USER = "admin_user"; - protected static final String ADMIN_GROUP = "admin_group"; - - protected static SentryService server; - protected SentryPolicyServiceClient client; - protected static MiniKdc kdc; - protected static File kdcWorkDir; - protected static File dbDir; - protected static File serverKeytab; - protected static File httpKeytab; - protected static File clientKeytab; - protected static UserGroupInformation clientUgi; - protected static boolean kerberos; - protected final static Configuration conf = new Configuration(false); - protected PolicyFile policyFile; - protected File policyFilePath; - protected static Properties kdcConfOverlay = new Properties(); - - protected static boolean haEnabled = false; - protected static final String ZK_SERVER_PRINCIPAL = "zookeeper/" + SERVER_HOST; - protected static TestingServer zkServer; - - private static File ZKKeytabFile; - - protected 
static boolean webServerEnabled = false; - protected static int webServerPort = ServerConfig.SENTRY_WEB_PORT_DEFAULT; - protected static boolean webSecurity = false; - - protected static boolean pooled = false; - - protected static boolean useSSL = false; - - @BeforeClass - public static void setup() throws Exception { - kerberos = true; - pooled = true; - beforeSetup(); - setupConf(); - startSentryService(); - afterSetup(); - } - - private static void setupKdc() throws Exception { - startMiniKdc(kdcConfOverlay); - } - - public static void startSentryService() throws Exception { - server.start(); - final long start = System.currentTimeMillis(); - while(!server.isRunning()) { - Thread.sleep(1000); - if(System.currentTimeMillis() - start > 60000L) { - throw new TimeoutException("Server did not start after 60 seconds"); - } - } - } - - public void stopSentryService() throws Exception { - server.stop(); - Thread.sleep(30000); - } - - public static void setupConf() throws Exception { - if (kerberos) { - setupKdc(); - kdc = getKdc(); - kdcWorkDir = getWorkDir(); - serverKeytab = new File(kdcWorkDir, "server.keytab"); - clientKeytab = new File(kdcWorkDir, "client.keytab"); - kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL); - kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL); - conf.set(ServerConfig.PRINCIPAL, getServerKerberosName()); - conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath()); - conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME); - conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL, - getServerKerberosName()); - conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB, - serverKeytab.getPath()); - - conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"); - conf.set("hadoop.security.authentication", "kerberos"); - UserGroupInformation.setConfiguration(conf); - UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath()); - clientUgi = UserGroupInformation.getLoginUser(); - } else { - LOGGER.info("Stopped 
KDC"); - conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE); - } - if (haEnabled) { - zkServer = getZKServer(); - conf.set(ServerConfig.SENTRY_HA_ENABLED, "true"); - conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, zkServer.getConnectString()); - conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test-case"); - if (kerberos) { - conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, "true"); - } - } - if (webServerEnabled) { - conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true"); - conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort)); - if (webSecurity) { - httpKeytab = new File(kdcWorkDir, "http.keytab"); - kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL); - conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, - ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS); - conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL); - conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath()); - } else { - conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, - ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE); - } - } else { - conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false"); - } - if (pooled) { - conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true"); - } - if (useSSL) { - conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true"); - conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, - Resources.getResource("keystore.jks").getPath()); - conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password"); - } - conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); - conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP); - conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST); - conf.set(ServerConfig.RPC_PORT, String.valueOf(0)); - dbDir = new File(Files.createTempDir(), "sentry_policy_db"); - conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, - "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true"); - conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy"); - server = new SentryServiceFactory().create(conf); - 
conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); - conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); - conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, - ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); - } - - @Before - public void before() throws Exception { - policyFilePath = new File(dbDir, "local_policy_file.ini"); - conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, - policyFilePath.getPath()); - policyFile = new PolicyFile(); - connectToSentryService(); - } - - @After - public void after() { - try { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - if (client != null) { - Set<TSentryRole> tRoles = client.listRoles(ADMIN_USER); - if (tRoles != null) { - for (TSentryRole tRole : tRoles) { - client.dropRole(ADMIN_USER, tRole.getRoleName()); - } - } - client.close(); - } - } - }); - } catch (Exception e) { - LOGGER.error(e.getMessage(), e); - } finally { - policyFilePath.delete(); - } - } - - public void connectToSentryService() throws Exception { - if (kerberos) { - client = clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() { - @Override - public SentryPolicyServiceClient run() throws Exception { - return SentryServiceClientFactory.create(conf); - } - }); - } else { - client = SentryServiceClientFactory.create(conf); - } - } - - @AfterClass - public static void tearDown() throws Exception { - beforeTeardown(); - - if(server != null) { - server.stop(); - } - if (dbDir != null) { - FileUtils.deleteQuietly(dbDir); - } - stopMiniKdc(); - afterTeardown(); - } - - public static String getServerKerberosName() { - return SERVER_KERBEROS_NAME; - } - - public static void beforeSetup() throws Exception { - - } - public static void afterSetup() throws Exception { - - } - public static void beforeTeardown() throws Exception { - - } - public static void afterTeardown() throws Exception { - - } - protected static void 
assertOK(TSentryResponseStatus resp) { - assertStatus(Status.OK, resp); - } - - protected static void assertStatus(Status status, TSentryResponseStatus resp) { - if (resp.getValue() != status.getCode()) { - String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue()) - + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage(); - String stackTrace = Strings.nullToEmpty(resp.getStack()).trim(); - if (!stackTrace.isEmpty()) { - message += ", StackTrace: " + stackTrace; - } - Assert.fail(message); - } - } - - protected void setLocalGroupMapping(String user, Set<String> groupSet) { - for (String group : groupSet) { - policyFile.addGroupsToUser(user, group); - } - } - - protected void writePolicyFile() throws Exception { - policyFile.write(policyFilePath); - } - - protected static TestingServer getZKServer() throws Exception { - if (!kerberos) { - LOGGER.info("Creating a non-security ZooKeeper Server."); - return new TestingServer(); - } else { - LOGGER.info("Creating a security ZooKeeper Server."); - // Not entirely sure exactly what "javax.security.auth.useSubjectCredsOnly=false" does, but it has something to do with - // re-authenticating in cases where it otherwise wouldn't. 
One of the sections on this page briefly mentions it: - // http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html - System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); - - // Setup KDC and principal - kdc = getKdc(); - ZKKeytabFile = new File(kdcWorkDir, "test.keytab"); - kdc.createPrincipal(ZKKeytabFile, ZK_SERVER_PRINCIPAL); - - System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"); - System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true"); - System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true"); - - JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath()); - // Here's where we add the "Client" to the jaas configuration, even though we'd like not to - JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME, - SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath()); - javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance()); - - System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server"); - - return new TestingServer(); - } - - } - - protected void runTestAsSubject(final TestOperation test) throws Exception { - /*if (false) { - clientUgi.doAs(new PrivilegedExceptionAction<Void>() { - @Override - public Void run() throws Exception { - test.runTestAsSubject(); - return null; - }}); - } else { - */ test.runTestAsSubject(); - //} - } - - protected interface TestOperation { - void runTestAsSubject() throws Exception; - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks b/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
deleted file mode 100644
index 6ac6495..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks b/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
deleted file mode 100644
index a6beece..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties b/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
deleted file mode 100644
index 9766758..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,34 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -# Define some default values that can be overridden by system properties. -# -# For testing, it may also be convenient to specify - -log4j.rootLogger=DEBUG,console - -log4j.appender.console=org.apache.log4j.ConsoleAppender -log4j.appender.console.target=System.err -log4j.appender.console.layout=org.apache.log4j.PatternLayout -log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n - -log4j.logger.org.apache.hadoop.conf.Configuration=INFO -log4j.logger.org.apache.hadoop.metrics2=INFO -log4j.logger.org.apache.directory=INFO -log4j.logger.org.apache.directory.api.ldap.model.entry.AbstractValue=WARN http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini deleted file mode 100644 index fbbebfc..0000000 --- a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini +++ /dev/null 
@@ -1,26 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -[groups] -groupa = RoLe1 -groupb = rOlE1 -groupc = ROLE2 - -[roles] -RoLe1 = collection=* -rOlE1 = collection=* -ROLE2 = collection=* http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini deleted file mode 100644 index da7df4c..0000000 --- a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini +++ /dev/null 
@@ -1,29 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -[groups] -corporal = corporal_role -sergeant = corporal_role, sergeant_role -general = corporal_role, sergeant_role, general_role -commander_in_chief = corporal_role, sergeant_role, general_role, commander_in_chief_role - -[roles] -corporal_role = collection=info->action=query, \ - collection=info->action=update -sergeant_role = collection=info->action=update -general_role = collection=info->action=* -commander_in_chief_role = collection=* http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini deleted file mode 100644 index 03083a7..0000000 --- a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini +++ /dev/null 
@@ -1,21 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -[groups] - -[roles] - http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-file/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/pom.xml b/sentry-provider/sentry-provider-file/pom.xml index 04f38d8..25db036 100644 --- a/sentry-provider/sentry-provider-file/pom.xml +++ b/sentry-provider/sentry-provider-file/pom.xml @@ -29,11 +29,6 @@ limitations under the License. <dependencies> <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-common</artifactId> - <scope>provided</scope> - </dependency> - <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <scope>test</scope> @@ -43,14 +38,6 @@ limitations under the License. <artifactId>log4j</artifactId> </dependency> <dependency> - <groupId>org.apache.shiro</groupId> - <artifactId>shiro-core</artifactId> - </dependency> - <dependency> - <groupId>com.google.guava</groupId> - <artifactId>guava</artifactId> - </dependency> - <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> </dependency> 
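Review bot: Classes from the dependencies removed in this hunk (`hadoop-common`), the `@@ -43,14 +38,6 @@` hunk (`shiro-core`, `guava`) and the `@@ -60,10 +47,6 @@` hunk on the next line (`sentry-core-common`) are still imported by code left in this module: `LocalGroupMappingService.java` in the following file section imports `org.apache.hadoop.conf.Configuration`, `org.apache.hadoop.fs.FileSystem`, `org.apache.shiro.config.Ini` and several `org.apache.sentry.core.common.*` classes. The module presumably still compiles only because `sentry-provider-common` supplies those artifacts transitively, which `mvn dependency:analyze` would report as used-but-undeclared and which breaks silently if that module's dependency list changes. Either keep the direct declarations or, if the transitive path is intentional, record it beside the remaining `sentry-provider-common` dependency: `<!-- hadoop-common, shiro-core and sentry-core-common are imported directly but inherited via sentry-provider-common -->`. Since `hadoop-common` was `provided` scope here, whether it still reaches consumers such as the new `sentry-service-client` module now depends on how `sentry-provider-common` declares it.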
@@ -60,10 +47,6 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-common</artifactId> - </dependency> - <dependency> - <groupId>org.apache.sentry</groupId> <artifactId>sentry-provider-common</artifactId> </dependency> </dependencies> http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java index dec47c2..eb23ff1 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java @@ -26,8 +26,8 @@ import java.util.Set; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; +import org.apache.sentry.core.common.service.GroupMappingService; import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.core.common.utils.PolicyFileConstants; import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; import org.apache.shiro.config.Ini; http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
deleted file mode 100644
index 6a77827..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
+++ /dev/null
@@ -1,202 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.file; - -import static org.apache.sentry.core.common.utils.PolicyFileConstants.DATABASES; -import static org.apache.sentry.core.common.utils.PolicyFileConstants.GROUPS; -import static org.apache.sentry.core.common.utils.PolicyFileConstants.ROLES; -import static org.apache.sentry.core.common.utils.PolicyFileConstants.USERS; - -import java.io.File; -import java.util.Collection; -import java.util.List; -import java.util.Map; -import java.util.Map.Entry; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Charsets; -import com.google.common.base.Joiner; -import com.google.common.collect.ArrayListMultimap; -import com.google.common.collect.Lists; -import com.google.common.collect.Maps; -import com.google.common.collect.Multimap; -import com.google.common.io.Files; - -/** - * PolicyFile creator. Written specifically to be used with tests. Specifically - * due to the fact that methods that would typically return true or false to - * indicate success or failure these methods throw an unchecked exception. 
- * This is because in a test if you mean to remove a user from the policy file, - * the user should absolutely be there. If not, the test is mis-behaving. - */ -@VisibleForTesting -public class PolicyFile { - - private static final Logger LOGGER = LoggerFactory - .getLogger(PolicyFile.class); - - private static final String NL = System.getProperty("line.separator", "\n"); - - private final Map<String, String> databasesToPolicyFiles = Maps.newHashMap(); - private final Multimap<String, String> usersToGroups = ArrayListMultimap.create(); - private final Multimap<String, String> groupsToRoles = ArrayListMultimap - .create(); - private final Multimap<String, String> rolesToPermissions = ArrayListMultimap - .create(); - - public Multimap<String, String> getGroupsToRoles() { - return groupsToRoles; - } - public Multimap<String, String> getRolesToPermissions() { - return rolesToPermissions; - } - public PolicyFile addRolesToGroup(String groupName, String... roleNames) - throws Exception { - return addRolesToGroup(groupName, false, roleNames); - } - public PolicyFile addRolesToGroup(String groupName, boolean allowDuplicates, String... roleNames) { - return add(groupsToRoles.get(groupName), allowDuplicates, roleNames); - } - public PolicyFile addPermissionsToRole(String roleName, String... permissionNames) { - return addPermissionsToRole(roleName, false, permissionNames); - } - public PolicyFile addPermissionsToRole(String roleName, boolean allowDuplicates, String... permissionNames) { - return add(rolesToPermissions.get(roleName), allowDuplicates, permissionNames); - } - public PolicyFile addGroupsToUser(String userName, String... groupNames) { - LOGGER.warn("Static user:group mapping is not being used"); - return addGroupsToUser(userName, false, groupNames); - } - public PolicyFile addGroupsToUser(String userName, boolean allowDuplicates, String... 
groupNames) { - LOGGER.warn("Static user:group mapping is not being used"); - return add(usersToGroups.get(userName), allowDuplicates, groupNames); - } - public PolicyFile setUserGroupMapping(Map<String, String> mapping) { - for (Entry<String, String> entry : mapping.entrySet()) { - usersToGroups.put(entry.getKey(), entry.getValue()); - } - return this; - } - public PolicyFile addDatabase(String databaseName, String path) { - String oldPath = databasesToPolicyFiles.put(databaseName, path); - if (oldPath != null) { - throw new IllegalStateException("Database " + databaseName + " already existed in " + - databasesToPolicyFiles + " with value of " + oldPath); - } - databasesToPolicyFiles.put(databaseName, path); - return this; - } - public PolicyFile removeRolesFromGroup(String groupName, String... roleNames) { - return remove(groupsToRoles.get(groupName), roleNames); - } - public PolicyFile removePermissionsFromRole(String roleName, String... permissionNames) { - return remove(rolesToPermissions.get(roleName), permissionNames); - } - public PolicyFile removeGroupsFromUser(String userName, String... 
groupNames) { - LOGGER.warn("Static user:group mapping is not being used"); - return remove(usersToGroups.get(userName), groupNames); - } - public PolicyFile removeDatabase(String databaseName) { - if(databasesToPolicyFiles.remove(databaseName) == null) { - throw new IllegalStateException("Database " + databaseName + " did not exist in " + - databasesToPolicyFiles); - } - return this; - } - public PolicyFile copy() { - PolicyFile other = new PolicyFile(); - other.databasesToPolicyFiles.putAll(databasesToPolicyFiles); - other.usersToGroups.putAll(usersToGroups); - other.groupsToRoles.putAll(groupsToRoles); - other.rolesToPermissions.putAll(rolesToPermissions); - return other; - } - - public void write(File clientFile, File serverFile) throws Exception { - write(clientFile); - write(serverFile); - } - - public void write(File file) throws Exception { - if(file.exists() && !file.delete()) { - throw new IllegalStateException("Unable to delete " + file); - } - String contents = Joiner.on(NL) - .join(getSection(DATABASES, databasesToPolicyFiles), - getSection(USERS, usersToGroups), - getSection(GROUPS, groupsToRoles), - getSection(ROLES, rolesToPermissions), - ""); - LOGGER.info("Writing policy file to " + file + ":\n" + contents); - Files.write(contents, file, Charsets.UTF_8); - } - - private String getSection(String name, Map<String, String> mapping) { - if(mapping.isEmpty()) { - return ""; - } - Joiner kvJoiner = Joiner.on(" = "); - List<String> lines = Lists.newArrayList(); - lines.add("[" + name + "]"); - for (Entry<String, String> entry : mapping.entrySet()) { - lines.add(kvJoiner.join(entry.getKey(), entry.getValue())); - } - return Joiner.on(NL).join(lines); - } - private String getSection(String name, Multimap<String, String> mapping) { - if(mapping.isEmpty()) { - return ""; - } - Joiner kvJoiner = Joiner.on(" = "); - Joiner itemJoiner = Joiner.on(" , "); - List<String> lines = Lists.newArrayList(); - lines.add("[" + name + "]"); - for(String key : 
mapping.keySet()) { - lines.add(kvJoiner.join(key, itemJoiner.join(mapping.get(key)))); - } - return Joiner.on(NL).join(lines); - } - - private PolicyFile remove(Collection<String> exitingItems, String[] newItems) { - for(String newItem : newItems) { - if(!exitingItems.remove(newItem)) { - throw new IllegalStateException("Item " + newItem + " did not exist in " + exitingItems); - } - } - return this; - } - private PolicyFile add(Collection<String> exitingItems, boolean allowDuplicates, String[] newItems) { - for(String newItem : newItems) { - if(exitingItems.contains(newItem) && !allowDuplicates) { - throw new IllegalStateException("Item " + newItem + " already exists in " + exitingItems); - } - exitingItems.add(newItem); - } - return this; - } - - //User:Group mapping for the admin user needs to be set separately - public static PolicyFile setAdminOnServer1(String admin) throws Exception { - return new PolicyFile() - .addRolesToGroup(admin, "admin_role") - .addPermissionsToRole("admin_role", "server=server1"); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-service/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-service/pom.xml b/sentry-service/pom.xml new file mode 100644 index 0000000..4bcb7f1 --- /dev/null +++ b/sentry-service/pom.xml 
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-service</artifactId>
+ <name>Sentry Service</name>
+ <packaging>pom</packaging>
+
+ <modules>
+ <module>sentry-service-common</module>
+ <module>sentry-service-server</module>
+ <module>sentry-service-client</module>
+ </modules>
+
+</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-service/sentry-service-client/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/pom.xml b/sentry-service/sentry-service-client/pom.xml
new file mode 100644
index 0000000..fc37c5e
--- /dev/null
+++ b/sentry-service/sentry-service-client/pom.xml
@@ -0,0 +1,57 @@ +<?xml version="1.0"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-service</artifactId> + <version>1.8.0-SNAPSHOT</version> + </parent> + + <artifactId>sentry-service-client</artifactId> + <name>Sentry Service Client</name> + + <dependencies> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-service-common</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-kafka</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-db</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-search</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-file</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + 
<artifactId>commons-pool2</artifactId> + </dependency> + </dependencies> + +</project> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java new file mode 100644 index 0000000..11cdee7 --- /dev/null +++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java 
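Review bot: The new POM ends without a trailing newline (`\ No newline at end of file` after `</project>`), while the sibling `sentry-service/pom.xml` created in the same commit has one; add the newline so the two files are consistent and later diffs of this file stay clean. The `<project>` root element is also laid out differently from that sibling (attributes split across two lines here, on one line there), so settling on one layout for the new `sentry-service` modules while they are being created would avoid the inconsistency spreading to `sentry-service-common` and `sentry-service-server`.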
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+
+public interface SentryGenericServiceClient {
+
+ /**
+ * Create a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ void createRole(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ void createRoleIfNotExist(String requestorUserName,
+ String roleName, String component) throws SentryUserException;
+
+ /**
+ * Drop a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ void dropRole(String requestorUserName, String roleName,
+ String component) throws 
SentryUserException;
+
+ void dropRoleIfExists(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ /**
+ * add a sentry role to groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ void addRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * delete a sentry role from groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ void deleteRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * grant privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void grantPrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * revoke privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void revokePrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * drop privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws 
SentryUserException
+ */
+ void dropPrivilege(String requestorUserName,String component,
+ TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * rename privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param serviceName: The Authorizable belongs to which service
+ * @param oldAuthorizables
+ * @param newAuthorizables
+ * @throws SentryUserException
+ */
+ void renamePrivilege(String requestorUserName, String component,
+ String serviceName, List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables) throws SentryUserException;
+
+ /**
+ * Gets sentry role objects for a given groupName using the Sentry service
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
+ * @param component: The request is issued to which component
+ * @return Set of thrift sentry role objects
+ * @throws SentryUserException
+ */
+ Set<TSentryRole> listRolesByGroupName(
+ String requestorUserName,
+ String groupName,
+ String component)
+ throws SentryUserException;
+
+ Set<TSentryRole> listUserRoles(String requestorUserName, String component)
+ throws SentryUserException;
+
+ Set<TSentryRole> listAllRoles(String requestorUserName, String component)
+ throws SentryUserException;
+
+ /**
+ * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName:
+ * @param component: The request is issued to which component
+ * @param serviceName
+ * @param authorizables
+ * @return
+ * @throws SentryUserException
+ */
+ Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName, List<? 
extends Authorizable> authorizables)
+ throws SentryUserException;
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName) throws SentryUserException;
+
+ /**
+ * get sentry permissions from provider as followings:
+ * @param: component: The request is issued to which component
+ * @param: serviceName: The privilege belongs to which service
+ * @param: roleSet
+ * @param: groupNames
+ * @param: the authorizables
+ * @returns the set of permissions
+ * @throws SentryUserException
+ */
+ Set<String> listPrivilegesForProvider(String component,
+ String serviceName, ActiveRoleSet roleSet, Set<String> groups,
+ List<? extends Authorizable> authorizables) throws SentryUserException;
+
+ /**
+ * Get sentry privileges based on valid active roles and the authorize objects. Note that
+ * it is client responsibility to ensure the requestor username, etc. is not impersonated.
+ *
+ * @param component: The request respond to which component.
+ * @param serviceName: The name of service.
+ * @param requestorUserName: The requestor user name.
+ * @param authorizablesSet: The set of authorize objects. One authorize object is represented
+ * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
+ * @param groups: The requested groups.
+ * @param roleSet: The active roles set.
+ *
+ * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
+ * @throws SentryUserException
+ */
+ Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
+ String serviceName, String requestorUserName, Set<String> authorizablesSet,
+ Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
+
+ void close();
+}
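Review bot: `close()` at the end of the interface is declared without the interface extending `AutoCloseable`, so callers cannot put a client in try-with-resources and the underlying transport is released only when every caller remembers the explicit call; declaring `public interface SentryGenericServiceClient extends AutoCloseable {` and marking the method `@Override void close();` keeps the existing signature (a `close()` that declares no checked exception narrows the inherited one) and makes leaked clients easier to spot. The Javadoc on `listPrivilegesForProvider` uses `@param:` and `@returns`, which javadoc does not recognise as tags, and names a `groupNames` parameter that the signature calls `groups`; the block should read `@param groups` and `@return the set of permissions` so the generated documentation matches the method. The `@return` on the five-argument `listPrivilegesByRoleName` and its `@param roleName:` entry are left empty; a one-line description such as `@return the privileges granted to {@code roleName} on the given service` would close the gap. The method name `listPrivilegsbyAuthorizable` looks misspelled, but since this file appears to be moved rather than newly written, renaming it would ripple to every caller and is best left to a follow-up.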
