http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 7a88d90..f060b82 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -18,7 +18,6 @@ package org.apache.sentry.binding.solr; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; - import java.io.File; import java.io.FileNotFoundException; import java.io.IOException;
@@ -36,15 +35,16 @@ import org.apache.commons.io.FileUtils; import org.apache.hadoop.fs.Path; import org.apache.hadoop.hdfs.MiniDFSCluster; import org.apache.hadoop.security.GroupMappingServiceProvider; -import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException; import org.apache.sentry.binding.solr.authz.SolrAuthzBinding; import org.apache.sentry.binding.solr.conf.SolrAuthzConf; import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars; +import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchModelAction; import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; import org.apache.sentry.core.common.utils.PolicyFiles; +import org.apache.sentry.core.model.solr.Collection; +import org.apache.sentry.core.model.solr.SolrModelAction; +import org.apache.solr.security.AuthorizationResponse; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -58,7 +58,7 @@ import com.google.common.io.Resources; */ public class TestSolrAuthzBinding { private static final String RESOURCE_PATH = "test-authz-provider.ini"; - private SolrAuthzConf authzConf = new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + private SolrAuthzConf authzConf = new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); private File baseDir; private Collection infoCollection = new Collection("info"); 
@@ -68,11 +68,11 @@ public class TestSolrAuthzBinding { private Subject sergeant1 = new Subject("sergeant1"); private Subject general1 = new Subject("general1"); - private EnumSet<SearchModelAction> querySet = EnumSet.of(SearchModelAction.QUERY); - private EnumSet<SearchModelAction> updateSet = EnumSet.of(SearchModelAction.UPDATE); - private EnumSet<SearchModelAction> allSet = EnumSet.of(SearchModelAction.ALL); - private EnumSet<SearchModelAction> allOfSet = EnumSet.allOf(SearchModelAction.class); - private EnumSet<SearchModelAction> emptySet = EnumSet.noneOf(SearchModelAction.class); + private EnumSet<SolrModelAction> querySet = EnumSet.of(SolrModelAction.QUERY); + private EnumSet<SolrModelAction> updateSet = EnumSet.of(SolrModelAction.UPDATE); + private EnumSet<SolrModelAction> allSet = EnumSet.of(SolrModelAction.ALL); + private EnumSet<SolrModelAction> allOfSet = EnumSet.allOf(SolrModelAction.class); + private EnumSet<SolrModelAction> emptySet = EnumSet.noneOf(SolrModelAction.class); @Before public void setUp() throws Exception { 
@@ -103,31 +103,37 @@ public class TestSolrAuthzBinding { @Test public void testClassNotFound() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); // verify it is usable - new SolrAuthzBinding(solrAuthzConf); + { + SolrAuthzBinding binding = null; + try { + binding = new SolrAuthzBinding(solrAuthzConf); + } finally { + if (binding != null) { + binding.close(); + } + } + } // give a bogus provider solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.BogusProvider"); - try { - new SolrAuthzBinding(solrAuthzConf); + try (SolrAuthzBinding b = new SolrAuthzBinding(solrAuthzConf)) { Assert.fail("Expected ClassNotFoundException"); } catch (ClassNotFoundException e) {} setUsableAuthzConf(solrAuthzConf); // give a bogus provider backend solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), "org.apache.sentry.provider.file.BogusProviderBackend"); - try { - new SolrAuthzBinding(solrAuthzConf); + try (SolrAuthzBinding b = new SolrAuthzBinding(solrAuthzConf)) { Assert.fail("Expected ClassNotFoundException"); } catch (ClassNotFoundException e) {} setUsableAuthzConf(solrAuthzConf); // give a bogus policy enine solrAuthzConf.set(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), "org.apache.sentry.provider.solr.BogusPolicyEngine"); - try { - new SolrAuthzBinding(solrAuthzConf); + try (SolrAuthzBinding b = new SolrAuthzBinding(solrAuthzConf)) { Assert.fail("Expected ClassNotFoundException"); } catch (ClassNotFoundException e) {} } 
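Review bot: The "verify it is usable" block in testClassNotFound closes the binding with a hand-written null-check `try`/`finally` inside a bare `{ }` scope, while the three negative cases right below it already use try-with-resources. `try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { }` with a short comment such as `// successful construction is the assertion` expresses the same thing and keeps the method in one style. The same manual pattern recurs in testAuthProviderOnlySolrAuthzConfs and testSolrAuthzConfs.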
@@ -139,13 +145,12 @@ public class TestSolrAuthzBinding { @Test public void testResourceNotFound() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); // bogus specification solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, "test-authz-bogus-provider.ini").getPath()); - try { - new SolrAuthzBinding(solrAuthzConf); + try (SolrAuthzBinding b = new SolrAuthzBinding(solrAuthzConf)) { Assert.fail("Expected InvocationTargetException"); } catch (InvocationTargetException e) { assertTrue(e.getTargetException() instanceof FileNotFoundException); @@ -153,8 +158,7 @@ public class TestSolrAuthzBinding { // missing specification solrAuthzConf.unset(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar()); - try { - new SolrAuthzBinding(solrAuthzConf); + try (SolrAuthzBinding b = new SolrAuthzBinding(solrAuthzConf)) { Assert.fail("Expected InvocationTargetException"); } catch (InvocationTargetException e) { assertTrue(e.getTargetException() instanceof IllegalArgumentException); @@ -167,7 +171,14 @@ public class TestSolrAuthzBinding { */ @Test public void testAuthProviderOnlySolrAuthzConfs() throws Exception { - new SolrAuthzBinding(authzConf); + SolrAuthzBinding binding = null; + try { + binding = new SolrAuthzBinding(authzConf); + } finally { + if (binding != null) { + binding.close(); + } + } } /** 
@@ -176,48 +187,49 @@ public class TestSolrAuthzBinding { @Test public void testGroupMapping() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - // check non-existant users - try { - binding.getGroups(null); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } - try { - binding.getGroups("nonExistantUser"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { + // check non-existant users + try { + binding.getGroups(null); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("nonExistantUser"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } - // check group names don't map to user names - try { - binding.getGroups("corporal"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } - try { - binding.getGroups("sergeant"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } - try { - binding.getGroups("general"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } - try { - binding.getGroups("othergeneralgroup"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } + // check group names don't map to user names + try { + binding.getGroups("corporal"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("sergeant"); + 
Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("general"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("othergeneralgroup"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } - // check valid group names - assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal")); - assertEquals(binding.getGroups("sergeant1"), Sets.newHashSet("sergeant")); - assertEquals(binding.getGroups("general1"), Sets.newHashSet("general", "othergeneralgroup")); + // check valid group names + assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal")); + assertEquals(binding.getGroups("sergeant1"), Sets.newHashSet("sergeant")); + assertEquals(binding.getGroups("general1"), Sets.newHashSet("general", "othergeneralgroup")); + } } /** 
@@ -226,40 +238,49 @@ public class TestSolrAuthzBinding { @Test public void testGetRoles() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - Set<String> emptySet = Collections.emptySet(); - - // check user with undefined group - assertEquals(binding.getRoles("undefinedGroupUser"), emptySet); - // check group with undefined role - assertEquals(binding.getRoles("undefinedRoleUser"), emptySet); + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { + Set<String> emptySet = Collections.emptySet(); + + // check user with undefined group + assertEquals(binding.getRoles("undefinedGroupUser"), emptySet); + // check group with undefined role + assertEquals(binding.getRoles("undefinedRoleUser"), emptySet); + + // check role names don't map in the other direction + try { + binding.getRoles("corporal_role"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getRoles("sergeant_role"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getRoles("general_role"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } - // check role names don't map in the other direction - try { - binding.getRoles("corporal_role"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { + // check valid users + System.out.println("---" + binding.providerBackend.toString()); + + assertEquals(Sets.newHashSet("corporal"), binding.getGroups("corporal1")); + assertEquals(Sets.newHashSet("corporal_role"), + binding.providerBackend.getRoles(Sets.newHashSet("corporal"), ActiveRoleSet.ALL)); + 
assertEquals(Sets.newHashSet("corporal_role"), binding.getRoles("corporal1")); + assertEquals(Sets.newHashSet("corporal_role", "sergeant_role"), + binding.getRoles("sergeant1")); + assertEquals(Sets.newHashSet("corporal_role", "sergeant_role", "general_role"), + binding.getRoles("general1")); + + // check user whos groups have overlapping roles + assertEquals(Sets.newHashSet("corporal_role", "sergeant_role", "general_role"), + binding.getRoles("overlappingUser")); } - try { - binding.getRoles("sergeant_role"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } - try { - binding.getRoles("general_role"); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } - - // check valid users - assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role")); - assertEquals(binding.getRoles("sergeant1"), Sets.newHashSet("corporal_role", "sergeant_role")); - assertEquals(binding.getRoles("general1"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role")); - - // check user whos groups have overlapping roles - assertEquals(binding.getRoles("overlappingUser"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role")); } /** 
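Review bot: The `System.out.println("---" + binding.providerBackend.toString());` line in testGetRoles looks like leftover debugging and should be removed. The test also reads `binding.providerBackend` directly although it lives in `org.apache.sentry.binding.solr` and the binding is imported from `org.apache.sentry.binding.solr.authz`, which suggests the field is public. For an authorization component it would be safer to keep the backend private and give tests a `@VisibleForTesting` accessor, so that other callers cannot resolve roles around the binding's own user-to-group lookup.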
@@ -267,19 +288,24 @@ public class TestSolrAuthzBinding { */ @Test public void testSolrAuthzConfs() throws Exception { - SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); - setUsableAuthzConf(solrAuthzConf); - new SolrAuthzBinding(solrAuthzConf); + SolrAuthzConf solrAuthzConf = + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); + setUsableAuthzConf(solrAuthzConf); + + SolrAuthzBinding binding = null; + try { + binding = new SolrAuthzBinding(solrAuthzConf); + } finally { + if (binding != null) { + binding.close(); + } + } } private void expectAuthException(SolrAuthzBinding binding, Subject subject, - Collection collection, EnumSet<SearchModelAction> action) throws Exception { - try { - binding.authorizeCollection(subject, collection, action); - Assert.fail("Expected SentrySolrAuthorizationException"); - } catch(SentrySolrAuthorizationException e) { - } + Collection collection, Set<SolrModelAction> action) throws Exception { + assertEquals(AuthorizationResponse.FORBIDDEN, + binding.authorizeCollection(subject, collection, action)); } /** @@ -288,11 +314,10 @@ public class TestSolrAuthzBinding { */ @Test public void testNoUser() throws Exception { - SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); - setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - try { + SolrAuthzConf solrAuthzConf = + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); + setUsableAuthzConf(solrAuthzConf); + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet); Assert.fail("Expected SentryGroupNotFoundException"); } catch (SentryGroupNotFoundException e) { 
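Review bot: `expectAuthException` no longer expects an exception: it now asserts that `authorizeCollection` returns `AuthorizationResponse.FORBIDDEN`, so the name misleads anyone reading testNoCollection or testAuthException. Renaming it (for example `expectForbidden`) or adding the comment `// a denial is reported through the returned AuthorizationResponse, not by throwing` would document the new contract. A failure message that names the subject and collection, passed as the first argument of `assertEquals`, would also make a failing deny case easier to trace.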
@@ -304,11 +329,11 @@ public class TestSolrAuthzBinding { */ @Test public void testNoCollection() throws Exception { - SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); - setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - expectAuthException(binding, corporal1, new Collection("bogus"), querySet); + SolrAuthzConf solrAuthzConf = + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); + setUsableAuthzConf(solrAuthzConf); + SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); + expectAuthException(binding, corporal1, new Collection("bogus"), querySet); } /** @@ -317,10 +342,9 @@ public class TestSolrAuthzBinding { @Test public void testNoAction() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - try { + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { binding.authorizeCollection(corporal1, infoCollection, emptySet); Assert.fail("Expected IllegalArgumentException"); } catch (IllegalArgumentException e) { 
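Review bot: testNoCollection still creates `SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);` and never closes it, although every other test touched by this commit now closes its binding. Wrap it the same way: `try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { expectAuthException(binding, corporal1, new Collection("bogus"), querySet); }`. Whatever the binding acquires on construction (not visible in this diff) otherwise stays open for the rest of the test JVM.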
@@ -333,18 +357,19 @@ public class TestSolrAuthzBinding { @Test public void testAuthException() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); - setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - expectAuthException(binding, corporal1, infoCollection, updateSet); - expectAuthException(binding, corporal1, infoCollection, allSet); - expectAuthException(binding, corporal1, generalInfoCollection, querySet); - expectAuthException(binding, corporal1, generalInfoCollection, updateSet); - expectAuthException(binding, corporal1, generalInfoCollection, allSet); - expectAuthException(binding, sergeant1, infoCollection, allSet); - expectAuthException(binding, sergeant1, generalInfoCollection, querySet); - expectAuthException(binding, sergeant1, generalInfoCollection, updateSet); - expectAuthException(binding, sergeant1, generalInfoCollection, allSet); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); + setUsableAuthzConf(solrAuthzConf); + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { + expectAuthException(binding, corporal1, infoCollection, updateSet); + expectAuthException(binding, corporal1, infoCollection, allSet); + expectAuthException(binding, corporal1, generalInfoCollection, querySet); + expectAuthException(binding, corporal1, generalInfoCollection, updateSet); + expectAuthException(binding, corporal1, generalInfoCollection, allSet); + expectAuthException(binding, sergeant1, infoCollection, allSet); + expectAuthException(binding, sergeant1, generalInfoCollection, querySet); + expectAuthException(binding, sergeant1, generalInfoCollection, updateSet); + expectAuthException(binding, sergeant1, generalInfoCollection, allSet); + } } /** 
@@ -352,21 +377,22 @@ public class TestSolrAuthzBinding { */ @Test public void testAuthAllowed() throws Exception { - SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); - setUsableAuthzConf(solrAuthzConf); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - binding.authorizeCollection(corporal1, infoCollection, querySet); - binding.authorizeCollection(sergeant1, infoCollection, querySet); - binding.authorizeCollection(sergeant1, infoCollection, updateSet); - binding.authorizeCollection(general1, infoCollection, querySet); - binding.authorizeCollection(general1, infoCollection, updateSet); - binding.authorizeCollection(general1, infoCollection, allSet); - binding.authorizeCollection(general1, infoCollection, allOfSet); - binding.authorizeCollection(general1, generalInfoCollection, querySet); - binding.authorizeCollection(general1, generalInfoCollection, updateSet); - binding.authorizeCollection(general1, generalInfoCollection, allSet); - binding.authorizeCollection(general1, generalInfoCollection, allOfSet); + SolrAuthzConf solrAuthzConf = + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); + setUsableAuthzConf(solrAuthzConf); + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { + binding.authorizeCollection(corporal1, infoCollection, querySet); + binding.authorizeCollection(sergeant1, infoCollection, querySet); + binding.authorizeCollection(sergeant1, infoCollection, updateSet); + binding.authorizeCollection(general1, infoCollection, querySet); + binding.authorizeCollection(general1, infoCollection, updateSet); + binding.authorizeCollection(general1, infoCollection, allSet); + binding.authorizeCollection(general1, infoCollection, allOfSet); + binding.authorizeCollection(general1, generalInfoCollection, querySet); + binding.authorizeCollection(general1, generalInfoCollection, updateSet); + binding.authorizeCollection(general1, generalInfoCollection, 
allSet); + binding.authorizeCollection(general1, generalInfoCollection, allOfSet); + } } /** @@ -376,13 +402,14 @@ public class TestSolrAuthzBinding { @Test public void testResourceWithSchemeNotSet() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); MiniDFSCluster dfsCluster = HdfsTestUtil.setupClass(new File(Files.createTempDir(), - TestSolrAuthzBinding.class.getName() + "_" - + System.currentTimeMillis()).getAbsolutePath()); + TestSolrAuthzBinding.class.getName() + "_" + + System.currentTimeMillis()).getAbsolutePath()); String resourceOnHDFS = "/hdfs" + File.separator + UUID.randomUUID() + File.separator + "test-authz-provider.ini"; + SolrAuthzBinding binding = null; try { // Copy resource to HDFSS dfsCluster.getFileSystem().copyFromLocalFile(false, 
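Review bot: testAuthAllowed discards the value returned by every `binding.authorizeCollection(...)` call, so after this change it appears to pass even when access is denied. The reworked `expectAuthException` in this same commit shows that a denial is now a returned `AuthorizationResponse.FORBIDDEN` rather than a thrown exception. Each call should assert the allow result through a helper that mirrors the deny helper, as sketched below. As written, the suite seems to have no positive coverage of the policy, so a regression that denies everything, or one that returns an unexpected status, would go unnoticed.

```java
private void expectAuthAllowed(SolrAuthzBinding binding, Subject subject,
    Collection collection, Set<SolrModelAction> action) throws Exception {
  assertEquals(AuthorizationResponse.OK,
      binding.authorizeCollection(subject, collection, action));
}

// in testAuthAllowed, inside the try-with-resources block:
expectAuthAllowed(binding, corporal1, infoCollection, querySet);
expectAuthAllowed(binding, sergeant1, infoCollection, querySet);
// … unchanged: the remaining nine calls, converted the same way …
```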
@@ -391,26 +418,31 @@ public class TestSolrAuthzBinding { solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), resourceOnHDFS); // set HDFS as the defaultFS so the resource will be found solrAuthzConf.set("fs.defaultFS", dfsCluster.getFileSystem().getConf().get("fs.defaultFS")); - new SolrAuthzBinding(solrAuthzConf); + binding = new SolrAuthzBinding(solrAuthzConf); } finally { + if (binding != null) { + binding.close(); + } if (dfsCluster != null) { HdfsTestUtil.teardownClass(dfsCluster); } } } + @SuppressWarnings("deprecation") @Test public void testCustomGroupMapping() throws Exception { SolrAuthzConf solrAuthzConf = - new SolrAuthzConf(Resources.getResource("sentry-site.xml")); + new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider"); solrAuthzConf.set("hadoop.security.group.mapping", - FoobarGroupMappingServiceProvider.class.getName()); - SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - final String user = "userTestSolrAuthzBinding"; - assertEquals(1, binding.getGroups(user).size()); - assertTrue(binding.getGroups(user).contains("foobar")); + FoobarGroupMappingServiceProvider.class.getName()); + try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { + final String user = "userTestSolrAuthzBinding"; + assertEquals(1, binding.getGroups(user).size()); + assertTrue(binding.getGroups(user).contains("foobar")); + } } /**
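Review bot: In the `finally` of testResourceWithSchemeNotSet, `binding.close()` runs before `HdfsTestUtil.teardownClass(dfsCluster)`, so if close() throws, the mini DFS cluster is never torn down. Creating the binding in a try-with-resources inside the outer `try`, `try (SolrAuthzBinding b = new SolrAuthzBinding(solrAuthzConf)) { }`, leaves the `finally` to the cluster alone and removes the nullable `binding` local declared in the previous hunk. The method body starts outside this hunk.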
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java
deleted file mode 100644
index 3df6ecf..0000000
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java
+++ /dev/null
@@ -1,129 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.solr; - -import java.io.File; -import java.io.IOException; -import java.util.Set; -import java.util.TreeSet; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.policy.common.PolicyEngine; -import org.junit.After; -import org.junit.AfterClass; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -import com.google.common.collect.Sets; -import com.google.common.io.Files; - -public abstract class AbstractTestSearchPolicyEngine { - private static final String ANALYST_PURCHASES_UPDATE = "collection=purchases->action=update"; - private static final String ANALYST_ANALYST1_ALL = "collection=analyst1"; - private static final String ANALYST_JRANALYST1_ACTION_ALL = "collection=jranalyst1->action=*"; - private static final String ANALYST_TMPCOLLECTION_UPDATE = "collection=tmpcollection->action=update"; - private static final String ANALYST_TMPCOLLECTION_QUERY = "collection=tmpcollection->action=query"; - private static final String JRANALYST_JRANALYST1_ALL = "collection=jranalyst1"; - private static 
final String JRANALYST_PURCHASES_PARTIAL_QUERY = "collection=purchases_partial->action=query"; - private static final String ADMIN_COLLECTION_ALL = "collection=*"; - - private PolicyEngine policy; - private static File baseDir; - - @BeforeClass - public static void setupClazz() throws IOException { - baseDir = Files.createTempDir(); - } - - @AfterClass - public static void teardownClazz() throws IOException { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - protected void setPolicy(PolicyEngine policy) { - this.policy = policy; - } - protected static File getBaseDir() { - return baseDir; - } - @Before - public void setup() throws IOException { - afterSetup(); - } - @After - public void teardown() throws IOException { - beforeTeardown(); - } - protected void afterSetup() throws IOException { - - } - - protected void beforeTeardown() throws IOException { - - } - - @Test - public void testManager() throws Exception { - Set<String> expected = Sets.newTreeSet(Sets.newHashSet( - ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL, - ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE, - ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL, - JRANALYST_PURCHASES_PARTIAL_QUERY)); - Assert.assertEquals(expected.toString(), - new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL)) - .toString()); - } - - @Test - public void testAnalyst() throws Exception { - Set<String> expected = Sets.newTreeSet(Sets.newHashSet( - ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL, - ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE, - ANALYST_TMPCOLLECTION_QUERY)); - Assert.assertEquals(expected.toString(), - new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL)) - .toString()); - } - - @Test - public void testJuniorAnalyst() throws Exception { - Set<String> expected = Sets.newTreeSet(Sets - .newHashSet(JRANALYST_JRANALYST1_ALL, - JRANALYST_PURCHASES_PARTIAL_QUERY)); - Assert.assertEquals(expected.toString(), - new 
TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL)) - .toString()); - } - - @Test - public void testAdmin() throws Exception { - Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL)); - Assert.assertEquals(expected.toString(), - new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL)) - .toString()); - } - - private static Set<String> set(String... values) { - return Sets.newHashSet(values); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSolrPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSolrPolicyEngine.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSolrPolicyEngine.java new file mode 100644 index 0000000..d4f6ec2 --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSolrPolicyEngine.java 
@@ -0,0 +1,129 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.solr; + +import java.io.File; +import java.io.IOException; +import java.util.Set; +import java.util.TreeSet; + +import org.junit.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.policy.common.PolicyEngine; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public abstract class AbstractTestSolrPolicyEngine { + private static final String ANALYST_PURCHASES_UPDATE = "collection=purchases->action=update"; + private static final String ANALYST_ANALYST1_ALL = "collection=analyst1"; + private static final String ANALYST_JRANALYST1_ACTION_ALL = "collection=jranalyst1->action=*"; + private static final String ANALYST_TMPCOLLECTION_UPDATE = "collection=tmpcollection->action=update"; + private static final String ANALYST_TMPCOLLECTION_QUERY = "collection=tmpcollection->action=query"; + private static final String JRANALYST_JRANALYST1_ALL = "collection=jranalyst1"; + private static 
final String JRANALYST_PURCHASES_PARTIAL_QUERY = "collection=purchases_partial->action=query"; + private static final String ADMIN_COLLECTION_ALL = "collection=*"; + + private PolicyEngine policy; + private static File baseDir; + + @BeforeClass + public static void setupClazz() throws IOException { + baseDir = Files.createTempDir(); + } + + @AfterClass + public static void teardownClazz() throws IOException { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + protected void setPolicy(PolicyEngine policy) { + this.policy = policy; + } + protected static File getBaseDir() { + return baseDir; + } + @Before + public void setup() throws IOException { + afterSetup(); + } + @After + public void teardown() throws IOException { + beforeTeardown(); + } + protected void afterSetup() throws IOException { + + } + + protected void beforeTeardown() throws IOException { + + } + + @Test + public void testManager() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL, + ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE, + ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL, + JRANALYST_PURCHASES_PARTIAL_QUERY)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testAnalyst() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL, + ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE, + ANALYST_TMPCOLLECTION_QUERY)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testJuniorAnalyst() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets + .newHashSet(JRANALYST_JRANALYST1_ALL, + JRANALYST_PURCHASES_PARTIAL_QUERY)); + Assert.assertEquals(expected.toString(), + new 
TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testAdmin() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL)) + .toString()); + } + + private static Set<String> set(String... values) { + return Sets.newHashSet(values); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java deleted file mode 100644 index e198b5c..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java +++ /dev/null 
@@ -1,45 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.solr;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.engine.common.CommonPolicyEngine;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-import java.io.IOException;
-
-public class SearchPolicyTestUtil {
-
- public static PolicyEngine createPolicyEngineForTest(String resource) throws IOException {
-
- ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
-
- // create backendContext
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(false);
- context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
- // initialize the backend with the context
- providerBackend.initialize(context);
-
-
- return new CommonPolicyEngine(providerBackend);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SolrPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SolrPolicyTestUtil.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SolrPolicyTestUtil.java
new file mode 100644
index 0000000..c219a97
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SolrPolicyTestUtil.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.engine.common.CommonPolicyEngine;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+
+import java.io.IOException;
+
+public class SolrPolicyTestUtil {
+
+ public static PolicyEngine createPolicyEngineForTest(String resource) throws IOException {
+
+ ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
+
+ // create backendContext
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(false);
+ context.setValidators(SolrPrivilegeModel.getInstance().getPrivilegeValidators());
+ // initialize the backend with the context
+ providerBackend.initialize(context);
+
+
+ return new CommonPolicyEngine(providerBackend);
+ }
+}
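Review bot: `createPolicyEngineForTest` in the new `SolrPolicyTestUtil` has no Javadoc, and its `context.setAllowPerDatabase(false)` call carries no reason, although it decides whether per-database policy files can contribute privileges in every test built on this helper. I would add a method comment saying the engine is built over a `SimpleFileProviderBackend` for `resource`, with per-database policies disabled and the validators from `SolrPrivilegeModel` installed, and replace `// create backendContext` with `// per-database policy files stay disabled, so a [databases] section must grant nothing`. That reading is inferred from the removed `testPerDbFileException`, which expected an empty privilege set, so confirm it against the Solr replacement test before wording the comment as fact. As a style point, the class holds only a static method and could be declared `final` with a private constructor.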
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java deleted file mode 100644 index 76211dd..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java +++ /dev/null 
@@ -1,64 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.sentry.policy.solr; - -import org.junit.Assert; - -import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; -import org.apache.sentry.core.model.search.validator.CollectionRequiredInPrivilege; -import org.apache.shiro.config.ConfigurationException; -import org.junit.Test; - -public class TestCollectionRequiredInRole { - - @Test - public void testEmptyRole() throws Exception { - CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege(); - - // check no db - try { - collRequiredInRole.validate(new PrivilegeValidatorContext("index=index1")); - Assert.fail("Expected ConfigurationException"); - } catch (ConfigurationException e) { - // expected - } - - // check with db - try { - collRequiredInRole.validate(new PrivilegeValidatorContext("db1","index=index2")); - Assert.fail("Expected ConfigurationException"); - } catch (ConfigurationException e) { - // expected - } - } - - @Test - public void testCollectionWithoutAction() throws Exception { - CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege(); - collRequiredInRole.validate(new 
PrivilegeValidatorContext("collection=nodb")); - collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db")); - } - - @Test - public void testCollectionWithAction() throws Exception { - CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege(); - collRequiredInRole.validate(new PrivilegeValidatorContext(null,"collection=nodb->action=query")); - collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db->action=update")); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java deleted file mode 100644 index b4aa684..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java +++ /dev/null 
@@ -1,193 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.solr; - -import java.io.File; -import java.io.IOException; -import java.util.Arrays; -import java.util.EnumSet; -import java.util.List; -import java.util.Set; - -import com.google.common.collect.Sets; -import junit.framework.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchModelAction; -import org.apache.sentry.core.model.search.SearchPrivilegeModel; -import org.apache.sentry.provider.common.GroupMappingService; -import org.apache.sentry.provider.common.ResourceAuthorizationProvider; -import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; -import org.apache.sentry.core.common.utils.PolicyFiles; -import org.junit.After; -import org.junit.Test; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.base.Objects; -import com.google.common.collect.HashMultimap; 
-import com.google.common.collect.Multimap; -import com.google.common.io.Files; - - -public class TestSearchAuthorizationProviderGeneralCases { - - private static final Logger LOGGER = LoggerFactory - .getLogger(TestSearchAuthorizationProviderGeneralCases.class); - - private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap - .create(); - - private static final Subject SUB_ADMIN = new Subject("admin1"); - private static final Subject SUB_MANAGER = new Subject("manager1"); - private static final Subject SUB_ANALYST = new Subject("analyst1"); - private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1"); - - private static final Collection COLL_PURCHASES = new Collection("purchases"); - private static final Collection COLL_ANALYST1 = new Collection("analyst1"); - private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1"); - private static final Collection COLL_TMP = new Collection("tmpcollection"); - private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial"); - - private static final SearchModelAction QUERY = SearchModelAction.QUERY; - private static final SearchModelAction UPDATE = SearchModelAction.UPDATE; - - static { - USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin")); - USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager")); - USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst")); - USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(), - Arrays.asList("jranalyst")); - } - - private final ResourceAuthorizationProvider authzProvider; - private File baseDir; - - public TestSearchAuthorizationProviderGeneralCases() throws IOException { - baseDir = Files.createTempDir(); - PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini"); - authzProvider = new HadoopGroupResourceAuthorizationProvider( - SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, 
"solr-policy-test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), SearchPrivilegeModel.getInstance()); - - } - - @After - public void teardown() { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - private void doTestAuthProviderOnCollection(Subject subject, - Collection collection, Set<? extends Action> expectedPass) throws Exception { - Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE); - for(SearchModelAction action : allActions) { - doTestResourceAuthorizationProvider(subject, collection, - EnumSet.of(action), expectedPass.contains(action)); - } - } - - private void doTestResourceAuthorizationProvider(Subject subject, - Collection collection, - Set<? extends Action> privileges, boolean expected) throws Exception { - List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] { - collection - }); - Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); - helper.add("Subject", subject).add("Collection", collection) - .add("Privileges", privileges).add("authzHierarchy", authzHierarchy); - LOGGER.info("Running with " + helper.toString()); - Assert.assertEquals(helper.toString(), expected, - authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); - LOGGER.info("Passed " + helper.toString()); - } - - @Test - public void testAdmin() throws Exception { - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions); - } - - @Test - public void testManager() throws Exception { - Set<SearchModelAction> updateOnly 
= EnumSet.of(SearchModelAction.UPDATE); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly); - - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions); - - Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly); - - Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly); - } - - @Test - public void testAnalyst() throws Exception { - Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly); - - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions); - - Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly); - - Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions); - } - - @Test - public void testJuniorAnalyst() throws Exception { - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions); - - Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly); - - Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions); - 
doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions); - } - - public class MockGroupMappingServiceProvider implements GroupMappingService { - private final Multimap<String, String> userToGroupMap; - - public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) { - this.userToGroupMap = userToGroupMap; - } - - @Override - public Set<String> getGroups(String user) { - return Sets.newHashSet(userToGroupMap.get(user)); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java deleted file mode 100644 index 371f361..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java +++ /dev/null 
@@ -1,84 +0,0 @@ - /* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.solr; - -import java.io.File; -import java.io.IOException; -import java.util.EnumSet; -import java.util.List; -import java.util.Set; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchModelAction; -import org.apache.sentry.core.model.search.SearchPrivilegeModel; -import org.apache.sentry.policy.common.PolicyEngine; -import org.apache.sentry.provider.common.AuthorizationProvider; -import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.collect.ImmutableList; -import com.google.common.io.Files; - -public class TestSearchAuthorizationProviderSpecialCases { - private AuthorizationProvider authzProvider; - private PolicyFile 
policyFile; - private File baseDir; - private File iniFile; - private String initResource; - @Before - public void setup() throws IOException { - baseDir = Files.createTempDir(); - iniFile = new File(baseDir, "policy.ini"); - initResource = "file://" + iniFile.getPath(); - policyFile = new PolicyFile(); - } - - @After - public void teardown() throws IOException { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - @Test - public void testDuplicateEntries() throws Exception { - Subject user1 = new Subject("user1"); - Collection collection1 = new Collection("collection1"); - Set<? extends Action> actions = EnumSet.allOf(SearchModelAction.class); - policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1") - .addRolesToGroup("group1", true, "role1", "role1") - .addPermissionsToRole("role1", true, "collection=" + collection1.getName(), - "collection=" + collection1.getName()); - policyFile.write(iniFile); - PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, SearchPrivilegeModel.getInstance()); - List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1); - Assert.assertTrue(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java deleted file mode 100644 index e7da13a..0000000 
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.solr;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNull;
-
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizables;
-import org.junit.Test;
-
-public class TestSearchModelAuthorizables {
-
- @Test
- public void testCollection() throws Exception {
- Collection coll = (Collection) SearchModelAuthorizables.from("CoLleCtiOn=collection1");
- assertEquals("collection1", coll.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(SearchModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(SearchModelAuthorizables.from("=v"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(SearchModelAuthorizables.from("k="));
- }
-
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(SearchModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java deleted file mode 100644 index 59283ea..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java +++ /dev/null 
@@ -1,74 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.solr; - -import java.io.File; -import java.io.IOException; - -import org.junit.Assert; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.hdfs.MiniDFSCluster; -import org.apache.sentry.core.common.utils.PolicyFiles; -import org.junit.AfterClass; -import org.junit.BeforeClass; - -public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine { - - private static MiniDFSCluster dfsCluster; - private static FileSystem fileSystem; - private static Path root; - private static Path etc; - - @BeforeClass - public static void setupLocalClazz() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - File dfsDir = new File(baseDir, "dfs"); - Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs()); - Configuration conf = new Configuration(); - conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath()); - dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build(); - fileSystem = dfsCluster.getFileSystem(); - root = new Path(fileSystem.getUri().toString()); - etc = new 
Path(root, "/etc"); - fileSystem.mkdirs(etc); - } - - @AfterClass - public static void teardownLocalClazz() { - if(dfsCluster != null) { - dfsCluster.shutdown(); - } - } - - @Override - protected void afterSetup() throws IOException { - fileSystem.delete(etc, true); - fileSystem.mkdirs(etc); - PolicyFiles.copyToDir(fileSystem, etc, "solr-policy-test-authz-provider.ini"); - setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new Path(etc, - "solr-policy-test-authz-provider.ini").toString())); - } - - @Override - protected void beforeTeardown() throws IOException { - fileSystem.delete(etc, true); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java deleted file mode 100644 index 0ff4502..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.solr; - -import java.io.File; -import java.io.IOException; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.utils.PolicyFiles; - -public class TestSearchPolicyEngineLocalFS extends AbstractTestSearchPolicyEngine { - - @Override - protected void afterSetup() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs()); - PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini"); - setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath())); - } - @Override - protected void beforeTeardown() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - FileUtils.deleteQuietly(baseDir); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java ---------------------------------------------------------------------- 
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java deleted file mode 100644 index 20fee76..0000000 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java +++ /dev/null 
@@ -1,101 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.solr;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Collections;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSearchPolicyNegative {
-
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestSearchPolicyNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
- private File otherPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- otherPolicyFile = new File(baseDir, "other.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testPerDbFileException() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = some_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("some_role = collection=c1", otherPolicyFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
- Assert.assertEquals(Collections.emptySet(),
- policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL));
- }
-
- @Test
- public void testCollectionRequiredInRole() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = some_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("some_role = action=query", globalPolicyFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testGroupIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = collection=*", globalPolicyFile);
- PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderGeneralCases.java
new file mode 100644
index 0000000..a8b0453
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderGeneralCases.java
@@ -0,0 +1,196 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.solr.Collection;
+import org.apache.sentry.core.model.solr.SolrModelAction;
+import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
+import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
+import org.apache.sentry.core.common.utils.PolicyFiles;
+import org.junit.After;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Objects;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
+import com.google.common.io.Files;
+
+
+public class TestSolrAuthorizationProviderGeneralCases {
+
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestSolrAuthorizationProviderGeneralCases.class);
+
+ private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
+ .create();
+
+ private static final Subject SUB_ADMIN = new Subject("admin1");
+ private static final Subject SUB_MANAGER = new Subject("manager1");
+ private static final Subject SUB_ANALYST = new Subject("analyst1");
+ private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");
+
+ private static final Collection COLL_PURCHASES = new Collection("purchases");
+ private static final Collection COLL_ANALYST1 = new Collection("analyst1");
+ private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1");
+ private static final Collection COLL_TMP = new Collection("tmpcollection");
+ private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial");
+
+ private static final SolrModelAction QUERY = SolrModelAction.QUERY;
+ private static final SolrModelAction UPDATE = SolrModelAction.UPDATE;
+
+ static {
+ USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
+ USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
+ USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
+ USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
+ Arrays.asList("jranalyst"));
+ }
+
+ private final ResourceAuthorizationProvider authzProvider;
+ private File baseDir;
+
+ public TestSolrAuthorizationProviderGeneralCases() throws IOException {
+ baseDir = Files.createTempDir();
+ PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini");
+ authzProvider = new HadoopGroupResourceAuthorizationProvider(
+ SolrPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()),
+ new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), SolrPrivilegeModel.getInstance());
+
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void doTestAuthProviderOnCollection(Subject subject,
+ Collection collection, Set<? extends Action> expectedPass) throws Exception {
+ Set<SolrModelAction> allActions =
+ EnumSet.of(SolrModelAction.ALL, SolrModelAction.QUERY, SolrModelAction.UPDATE);
+ for (SolrModelAction action : allActions) {
+ doTestResourceAuthorizationProvider(subject, collection,
+ EnumSet.of(action), expectedPass.contains(action));
+ }
+ }
+
+ private void doTestResourceAuthorizationProvider(Subject subject,
+ Collection collection,
+ Set<? extends Action> privileges, boolean expected) throws Exception {
+ List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
+ collection
+ });
+ Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
+ helper.add("Subject", subject)
+ .add("Collection", collection)
+ .add("Privileges", privileges)
+ .add("authzHierarchy", authzHierarchy);
+ LOGGER.info("Running with " + helper.toString());
+ Assert.assertEquals(helper.toString(), expected,
+ authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
+ LOGGER.info("Passed " + helper.toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<SolrModelAction> allActions = EnumSet.allOf(SolrModelAction.class);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions);
+ doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions);
+ }
+
+ @Test
+ public void testManager() throws Exception {
+ Set<SolrModelAction> updateOnly = EnumSet.of(SolrModelAction.UPDATE);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly);
+
+ Set<SolrModelAction> allActions = EnumSet.allOf(SolrModelAction.class);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions);
+
+ Set<SolrModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly);
+
+ Set<SolrModelAction> queryOnly = EnumSet.of(SolrModelAction.QUERY);
+ doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly);
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<SolrModelAction> updateOnly = EnumSet.of(SolrModelAction.UPDATE);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly);
+
+ Set<SolrModelAction> allActions = EnumSet.allOf(SolrModelAction.class);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions);
+
+ Set<SolrModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly);
+
+ Set<SolrModelAction> noActions = EnumSet.noneOf(SolrModelAction.class);
+ doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions);
+ }
+
+ @Test
+ public void testJuniorAnalyst() throws Exception {
+ Set<SolrModelAction> allActions = EnumSet.allOf(SolrModelAction.class);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions);
+
+ Set<SolrModelAction> queryOnly = EnumSet.of(SolrModelAction.QUERY);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly);
+
+ Set<SolrModelAction> noActions = EnumSet.noneOf(SolrModelAction.class);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions);
+ doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions);
+ }
+
+ public class MockGroupMappingServiceProvider implements GroupMappingService {
+ private final Multimap<String, String> userToGroupMap;
+
+ public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
+ this.userToGroupMap = userToGroupMap;
+ }
+
+ @Override
+ public Set<String> getGroups(String user) {
+ return Sets.newHashSet(userToGroupMap.get(user));
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderSpecialCases.java
new file mode 100644
index 0000000..1329a68
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrAuthorizationProviderSpecialCases.java
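Review bot: In TestSolrAuthorizationProviderGeneralCases, `doTestAuthProviderOnCollection` probes a hard-coded `EnumSet.of(SolrModelAction.ALL, SolrModelAction.QUERY, SolrModelAction.UPDATE)`, while its callers build the expected set with `EnumSet.allOf(SolrModelAction.class)`. If SolrModelAction has, or later gains, an action outside those three (the enum is not visible in this diff), no allow or deny check would run for it and the authorization matrix would shrink without any test failing. Building the probe set the same way, `Set<SolrModelAction> allActions = EnumSet.allOf(SolrModelAction.class);`, keeps the two in step. The class also has no case for a subject that is absent from `USER_TO_GROUP_MAP`; a deny assertion for such a subject would pin down the provider's behaviour when group lookup returns nothing.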
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import org.junit.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.model.solr.Collection;
+import org.apache.sentry.core.model.solr.SolrModelAction;
+import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.io.Files;
+
+public class TestSolrAuthorizationProviderSpecialCases {
+ private AuthorizationProvider authzProvider;
+ private PolicyFile policyFile;
+ private File baseDir;
+ private File iniFile;
+ private String initResource;
+ @Before
+ public void setup() throws IOException {
+ baseDir = Files.createTempDir();
+ iniFile = new File(baseDir, "policy.ini");
+ initResource = "file://" + iniFile.getPath();
+ policyFile = new PolicyFile();
+ }
+
+ @After
+ public void teardown() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ @Test
+ public void testDuplicateEntries() throws Exception {
+ Subject user1 = new Subject("user1");
+ Collection collection1 = new Collection("collection1");
+ Set<? extends Action> actions = EnumSet.allOf(SolrModelAction.class);
+ policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
+ .addRolesToGroup("group1", true, "role1", "role1")
+ .addPermissionsToRole("role1", true, "collection=" + collection1.getName(),
+ "collection=" + collection1.getName());
+ policyFile.write(iniFile);
+ PolicyEngine policy = SolrPolicyTestUtil.createPolicyEngineForTest(initResource);
+ authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, SolrPrivilegeModel.getInstance());
+ List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1);
+ Assert.assertTrue(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrModelAuthorizables.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrModelAuthorizables.java
new file mode 100644
index 0000000..425937e
--- /dev/null
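Review bot: `testDuplicateEntries` in TestSolrAuthorizationProviderSpecialCases asserts only the allow path, so it would still pass if duplicated group, role or privilege entries made the provider grant more than `collection=collection1`. A deny assertion beside it closes that gap, for example `Assert.assertFalse(authzProvider.hasAccess(user1, ImmutableList.of(new Collection("collection2")), actions, ActiveRoleSet.ALL));`, where `collection2` is a constructed name that the policy file does not mention. Separately, `teardown()` declares `throws IOException` although `FileUtils.deleteQuietly` does not throw it.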
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSolrModelAuthorizables.java 
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.solr;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import org.apache.sentry.core.model.solr.Collection;
+import org.apache.sentry.core.model.solr.SolrModelAuthorizables;
+import org.junit.Test;
+
+public class TestSolrModelAuthorizables {
+
+ @Test
+ public void testCollection() throws Exception {
+ Collection coll = (Collection) SolrModelAuthorizables.from("CoLleCtiOn=collection1");
+ assertEquals("collection1", coll.getName());
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNoKV() throws Exception {
+ System.out.println(SolrModelAuthorizables.from("nonsense"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(SolrModelAuthorizables.from("=v"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(SolrModelAuthorizables.from("k="));
+ }
+
+ @Test
+ public void testNotAuthorizable() throws Exception {
+ assertNull(SolrModelAuthorizables.from("k=v"));
+ }
+}
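Review bot: The three expected-exception tests in TestSolrModelAuthorizables (`testNoKV`, `testEmptyKey`, `testEmptyValue`) wrap the call in `System.out.println`, which adds nothing to the check and would only write to the build log if `from` returned instead of throwing. Calling it directly, as in `SolrModelAuthorizables.from("nonsense");`, is enough for `@Test(expected=IllegalArgumentException.class)`. The static imports also come from the deprecated `junit.framework.Assert`; `org.junit.Assert`, which TestSolrAuthorizationProviderSpecialCases in this commit already imports, provides the same `assertEquals` and `assertNull`. A one-line comment on `testNotAuthorizable` saying that an unrecognised key yields `null` rather than an exception would help callers who must handle that result.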
