SENTRY-1390: Add test cases to ensure usability of URI privileges for HMS binding (Hao Hao, Reviewed by: Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c8de9a90 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c8de9a90 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c8de9a90 Branch: refs/heads/sentry-ha-redesign Commit: c8de9a907f06c5ab08836e816176cb2a1598199b Parents: f71e2e8 Author: Alexander Kolbasov <[email protected]> Authored: Fri Mar 10 18:10:03 2017 -0800 Committer: Alexander Kolbasov <[email protected]> Committed: Fri Mar 10 18:10:03 2017 -0800 ---------------------------------------------------------------------- .../AbstractTestWithStaticConfiguration.java | 5 + .../tests/e2e/metastore/TestURIMetastore.java | 178 +++++++++++++++++++ 2 files changed, 183 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/c8de9a90/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
index 47be188..4994cf8 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
@@ -160,6 +160,7 @@ public abstract class AbstractTestWithStaticConfiguration { private static final String ENABLE_NOTIFICATION_LOG = "sentry.e2etest.enable.notification.log"; protected static boolean policyOnHdfs = false; + protected static boolean defaultFSOnHdfs = false; protected static boolean useSentryService = false; protected static boolean setMetastoreListener = true; protected static boolean useDbNotificationListener = false; @@ -330,6 +331,10 @@ public abstract class AbstractTestWithStaticConfiguration { setupSentryService(); } + if (defaultFSOnHdfs) { + properties.put("fs.defaultFS", fileSystem.getUri().toString()); + } + hiveServer = create(properties, baseDir, confDir, logDir, policyURI, fileSystem); hiveServer.start(); http://git-wip-us.apache.org/repos/asf/sentry/blob/c8de9a90/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java new file mode 100644 index 0000000..667df51 --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestURIMetastore.java 
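Review bot: `defaultFSOnHdfs` is added as a mutable static with no comment, and nothing in these two hunks resets it, so a subclass that sets it in `@BeforeClass` (TestURIMetastore in this commit does) may leave it true for test classes that run later in the same JVM. If the class's static teardown, which lies outside the hunks, does not already restore such flags, add `defaultFSOnHdfs = false;` there. A comment on the field would also help, for example `// when true, fs.defaultFS is set to the test FileSystem's URI before the Hive server is created`. The second hunk uses whatever `fileSystem` holds, so the flag appears to mean HDFS only when the suite actually runs against a DFS cluster; the comment should say so.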
@@ -0,0 +1,178 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.metastore;
+
+import com.google.common.collect.Lists;
+import com.google.common.io.Resources;
+import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.Table;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.tests.e2e.hive.Context;
+import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
+import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.net.URI;
+import java.util.ArrayList;
+
+import static org.junit.Assert.fail;
+
+/**
+ * This clase is to test URI privileges usability for Hive MetaStore binding.
+ */
+public class TestURIMetastore extends
+ AbstractMetastoreTestWithStaticConfiguration {
+
+ private PolicyFile policyFile;
+ private File dataFile;
+ private static final String dbName = "db_1";
+ private static final String db_all_role = "all_db1";
+ private static final String uri_role = "uri_role";
+
+
+ @BeforeClass
+ public static void setupTestStaticConfiguration() throws Exception {
+ setMetastoreListener = false;
+ defaultFSOnHdfs = true;
+ AbstractMetastoreTestWithStaticConfiguration.setupTestStaticConfiguration();
+ }
+
+ @Override
+ @Before
+ public void setup() throws Exception {
+
+ policyFile = setAdminOnServer1(ADMINGROUP);
+ policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+ super.setup();
+
+ dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
+ FileOutputStream to = new FileOutputStream(dataFile);
+ Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
+ to.close();
+
+ HiveMetaStoreClient client = context.getMetaStoreClient(ADMIN1);
+ client.dropDatabase(dbName, true, true, true);
+ createMetastoreDB(client, dbName);
+ client.close();
+
+ policyFile
+ .addRolesToGroup(USERGROUP1, db_all_role)
+ .addPermissionsToRole(db_all_role, "server=server1->db=" + dbName)
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ if (context != null) {
+ context.close();
+ }
+ }
+
+ /**
+ * Verify URI privileges for create table DDL without scheme and authority
+ * @throws Exception
+ */
+ @Test
+ public void testCreateTableWithURINoSchemeAndAuthority() throws Exception {
+
+ String tabName1 = "tab1";
+ String tabDir1 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) + File.separator + tabName1;
+
+ // URI location that contains no scheme and authority.
+ String tabDir1Path = new URI(tabDir1).getPath();
+
+ policyFile.addRolesToGroup(USERGROUP1, uri_role)
+ .addRolesToGroup(USERGROUP2, db_all_role)
+ .addPermissionsToRole(uri_role, "server=server1->URI=" + tabDir1);
+ writePolicyFile(policyFile);
+
+ // user with URI privileges should be able to add table to URI locations which has no authority and scheme.
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER1_1);
+ createMetastoreTableWithLocation(client, dbName, tabName1, Lists.newArrayList(new FieldSchema("col1", "int", "")), tabDir1Path);
+
+ client.close();
+
+ // user without URI privileges should be NOT able to create table to a specific location
+ client = context.getMetaStoreClient(USER2_1);
+ try {
+ createMetastoreTableWithLocation(client, dbName, "fooTab", Lists.newArrayList(new FieldSchema("col1", "int", "")), tabDir1Path);
+ fail("Create table with location should fail without URI privilege");
+ } catch (MetaException e) {
+ Context.verifyMetastoreAuthException(e);
+ }
+ client.close();
+ }
+
+ /**
+ * Verify URI privileges for alter table DDL without scheme and authority
+ * @throws Exception
+ */
+ @Test
+ public void testAlterTableWithURINoSchemeAndAuthority() throws Exception {
+ String tabName1 = "tab1";
+ String newPath1 = "fooTab1";
+ String newPath2 = "fooTab2";
+ ArrayList<String> partVals1 = Lists.newArrayList("part1");
+ ArrayList<String> partVals2 = Lists.newArrayList("part2");
+ ArrayList<String> partVals3 = Lists.newArrayList("part3");
+
+ String tabDir1 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR)
+ + File.separator + tabName1 + newPath1;
+ String tabDir2 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR)
+ + File.separator + tabName1 + newPath2;
+ // URI location that contains no scheme and authority.
+ String tabDir1Path = new URI(tabDir1).getPath();
+ String tabDir2Path = new URI(tabDir2).getPath();
+
+ policyFile.addRolesToGroup(USERGROUP1, uri_role)
+ .addRolesToGroup(USERGROUP2, db_all_role)
+ .addPermissionsToRole(uri_role, "server=server1->URI=" + tabDir1);
+ writePolicyFile(policyFile);
+
+ // user with URI privileges should be able to alter partition to set that specific location
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER1_1);
+ Table tbl1 = createMetastoreTableWithPartition(client, dbName, tabName1,
+ Lists.newArrayList(new FieldSchema("col1", "int", "")),
+ Lists.newArrayList(new FieldSchema("part_col1", "string", "")));
+ addPartition(client, dbName, tabName1, partVals1, tbl1);
+ addPartitionWithLocation(client, dbName, tabName1, partVals2, tbl1, tabDir1Path);
+ client.close();
+
+ // user without URI privileges should be NOT able to alter partition to set
+ // that specific location
+ client = context.getMetaStoreClient(USER2_1);
+ try {
+ tbl1 = client.getTable(dbName, tabName1);
+ addPartitionWithLocation(client, dbName, tabName1, partVals3, tbl1, tabDir2Path);
+ fail("Add partition with location should have failed");
+ } catch (MetaException e) {
+ Context.verifyMetastoreAuthException(e);
+ }
+ client.close();
+ }
+}
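Review bot: Neither test checks that the holder of `uri_role` is refused a location outside the granted URI; both negative cases switch to USER2_1, who has no URI privilege at all, so they would still pass if a URI grant matched more paths than it should. In `testAlterTableWithURINoSchemeAndAuthority` the grant covers `tabDir1` only, while `tabDir2` is a sibling directory sharing the `tab1fooTab` name prefix, which makes it a natural target for a USER1_1 denial check placed before the first `client.close()`. This assumes the db-level role does not itself imply the URI, which the existing USER2_1 case already relies on. A matching check with a second location would fit `testCreateTableWithURINoSchemeAndAuthority` as well.

```java
    // … unchanged: USER1_1 creates the table and adds partVals1 / partVals2 (granted location) …

    // uri_role covers tabDir1 only, so the same user must be refused a sibling location
    try {
      addPartitionWithLocation(client, dbName, tabName1, partVals3, tbl1, tabDir2Path);
      fail("Add partition outside the granted URI should have failed");
    } catch (MetaException e) {
      Context.verifyMetastoreAuthException(e);
    }
    client.close();

    // … unchanged: USER2_1 negative case …
```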
