Repository: sentry Updated Branches: refs/heads/master 23bc2159a -> 4dc017163
SENTRY-2085: Sentry error handling exposes SentryGroupNotFoundException externally. (Zachary Amsden, reviewed by Kalyan Kumar Kalvagadda, Lina Li) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/4dc01716 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/4dc01716 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/4dc01716 Branch: refs/heads/master Commit: 4dc017163c18d941ee06d160ec0e83f8e60620f1 Parents: 23bc215 Author: Kalyan Kumar Kalvagadda <[email protected]> Authored: Wed Jan 3 16:55:34 2018 -0600 Committer: Kalyan Kumar Kalvagadda <[email protected]> Committed: Wed Jan 3 16:55:34 2018 -0600 ---------------------------------------------------------------------- .../binding/hive/authz/HiveAuthzBinding.java | 2 +- .../hive/authz/HiveAuthzBindingHookBase.java | 22 ++++-- .../binding/hive/TestHiveAuthzBindings.java | 3 +- .../solr/authz/SentrySolrPluginImpl.java | 5 +- .../binding/solr/authz/SolrAuthzBinding.java | 6 +- .../binding/solr/TestSolrAuthzBinding.java | 9 +-- .../exception/SentryGroupNotFoundException.java | 35 ++------- .../provider/common/AuthorizationProvider.java | 4 +- .../provider/common/GroupMappingService.java | 5 +- .../common/HadoopGroupMappingService.java | 2 +- .../common/ResourceAuthorizationProvider.java | 19 ++++- .../common/TestNoAuthorizationProvider.java | 12 ++- .../thrift/SentryPolicyStoreProcessor.java | 77 ++++++++++++++++++-- .../TestSentryGenericPolicyProcessor.java | 48 +++++++++++- .../provider/file/LocalGroupMappingService.java | 2 +- .../provider/file/TestLocalGroupMapping.java | 14 +++- .../QueryDocAuthorizationComponent.java | 10 ++- .../tests/e2e/hive/TestUserManagement.java | 21 +----- .../tests/e2e/hive/TestUserManagement.java | 21 +----- 19 files changed, 211 insertions(+), 106 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java index 8ce7a02..7565a34 100644 --- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java +++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java @@ -391,7 +391,7 @@ public class HiveAuthzBinding { return activeRoleSet; } - public Set<String> getGroups(Subject subject) { + public Set<String> getGroups(Subject subject) throws SentryUserException { return authProvider.getGroupMapping().getGroups(subject.getName()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java index 9c60c22..447deaf 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 
@@ -53,6 +53,7 @@ import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationSco
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
 import org.apache.sentry.core.common.utils.PathUtils;
 import org.apache.sentry.core.model.db.AccessURI;
 import org.apache.sentry.core.model.db.Column;
@@ -74,6 +75,7 @@ import java.net.URL;
 import java.security.CodeSource;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
 import java.util.Set;
@@ -823,14 +825,20 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH String userName) throws SemanticException { // get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider(); - Set<String> userPrivileges = - authProvider.getPolicyEngine().getPrivileges( - authProvider.getGroupMapping().getGroups(userName), Sets.newHashSet(userName), - hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer()); - - // create PrivilegeCache using user's privileges - PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges); try { + Set<String> groups; + try { + groups = authProvider.getGroupMapping().getGroups(userName); + } catch (SentryGroupNotFoundException e) { + groups = Collections.emptySet(); + LOG.debug("Could not find groups for user: " + userName); + } + Set<String> userPrivileges = + authProvider.getPolicyEngine().getPrivileges(groups, Sets.newHashSet(userName), + hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer()); + + // create PrivilegeCache using user's privileges + PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges); // create new instance of HiveAuthzBinding whose backend provider should be SimpleCacheProviderBackend return new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveServer2, hiveAuthzBinding.getHiveConf(), hiveAuthzBinding.getAuthzConf(), privilegeCache); http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java index a41d1bd..3bbf6fb 100644 
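Review bot: The new `catch (SentryGroupNotFoundException e)` discards the exception and records the fallback only at debug level, so in normal logs a failed group lookup looks the same as a user who really has no groups. Falling back to `Collections.emptySet()` fails closed for group-based grants, but the result feeds the `SimplePrivilegeCache` built just below, so one failed lookup shapes every decision made through the returned binding (how long that binding lives is not visible in this hunk). Passing the cause along, `LOG.debug("Could not find groups for user: " + userName, e);`, or logging at a level operators collect, would keep such denials diagnosable. The same applies to the catch added in `ResourceAuthorizationProvider.doHasAccess`, which logs `"Groups not found for " + subject` without the exception. The enclosing method starts and ends outside the hunk.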
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java @@ -42,7 +42,6 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; -import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; import org.apache.sentry.core.common.utils.PolicyFiles; import org.junit.After; import org.junit.Before; @@ -299,7 +298,7 @@ public class TestHiveAuthzBindings { inputTabHierarcyList, outputTabHierarcyList); } - @Test(expected = SentryGroupNotFoundException.class) + @Test(expected = AuthorizationException.class) public void testValidateCreateFunctionRejectionForUnknownUser() throws Exception { inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] { new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar") http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java index 91d08f0..4092fe4 100644 --- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java +++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java 
@@ -39,6 +39,7 @@ import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.http.auth.BasicUserPrincipal; import org.apache.sentry.binding.solr.conf.SolrAuthzConf; import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.common.exception.SentryUserException; import org.apache.sentry.core.model.solr.AdminOperation; import org.apache.sentry.core.model.solr.Collection; import org.apache.sentry.core.model.solr.SolrConstants; @@ -268,7 +269,7 @@ public class SentrySolrPluginImpl implements AuthorizationPlugin { /** * This method returns the roles associated with the specified user name. */ - public Set<String> getRoles (String userName) { + public Set<String> getRoles (String userName) throws SentryUserException { return binding.getRoles(userName); } @@ -457,4 +458,4 @@ public class SentrySolrPluginImpl implements AuthorizationPlugin { && "kerberos".equalsIgnoreCase(authVal); } -} \ No newline at end of file +} http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java index 803e5ea..5c2a301 100644 --- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java +++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java 
@@ -34,6 +34,7 @@ import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.common.exception.SentryUserException; import org.apache.sentry.core.model.solr.SolrPrivilegeModel; import org.apache.sentry.core.model.solr.AdminOperation; import org.apache.sentry.core.model.solr.Collection; @@ -214,7 +215,7 @@ public class SolrAuthzBinding implements Closeable { * @deprecated use getRoles instead */ @Deprecated - public Set<String> getGroups(String user) { + public Set<String> getGroups(String user) throws SentryUserException { return groupMapping.getGroups(user); } @@ -222,8 +223,9 @@ public class SolrAuthzBinding implements Closeable { * Get the roles associated with the user * @param user * @return The roles associated with the user + * @throws SentryUserException */ - public Set<String> getRoles(String user) { + public Set<String> getRoles(String user) throws SentryUserException { return providerBackend.getRoles(getGroups(user), ActiveRoleSet.ALL); } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java index f060b82..8d28ccc 100644 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java 
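Review bot: The `@throws SentryUserException` tag added to `getRoles` has no description, and the deprecated `getGroups` above it gains the same checked exception with no tag at all. From the rest of this commit it appears to be thrown when the user's groups cannot be resolved, so `@throws SentryUserException if the groups for {@code user} cannot be resolved` would state the contract (confirm against the group mapping implementations). `AuthorizationProvider.listPrivilegesForSubject` and `GroupMappingService.getGroups` also gain `throws SentryGroupNotFoundException` without a matching `@throws` line. For `getGroups`, the existing `@return non-null list of groups for user` no longer tells implementers whether an unknown user should yield an empty set or the exception.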
@@ -309,7 +309,7 @@ public class TestSolrAuthzBinding { } /** - * Test that a user that doesn't exist throws an exception + * Test that a user that doesn't exist gets an AuthException * when trying to authorize */ @Test @@ -317,11 +317,8 @@ public class TestSolrAuthzBinding { SolrAuthzConf solrAuthzConf = new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml"))); setUsableAuthzConf(solrAuthzConf); - try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { - binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet); - Assert.fail("Expected SentryGroupNotFoundException"); - } catch (SentryGroupNotFoundException e) { - } + SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); + expectAuthException(binding, new Subject("bogus"), infoCollection, querySet); } /** http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java index b978df6..6344435 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java 
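Review bot: The rewritten test never closes the `SolrAuthzBinding` it creates, because the removed try-with-resources block is replaced by a plain `SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);`. The class is declared `implements Closeable`, so whatever the binding holds open stays open for the rest of the test run. Keeping the resource block around the new assertion preserves the cleanup: `try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { expectAuthException(binding, new Subject("bogus"), infoCollection, querySet); }`. The test method's signature and closing brace are outside the hunk.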
@@ -17,45 +17,26 @@ package org.apache.sentry.core.common.exception; -public class SentryGroupNotFoundException extends RuntimeException { +public class SentryGroupNotFoundException extends SentryUserException { private static final long serialVersionUID = -116202866086371881L; /** - * Creates a new SentryGroupNotFoundException. - */ - public SentryGroupNotFoundException() { - super(); - } - - /** * Constructs a new SentryGroupNotFoundException. * - * @param message - * the reason for the exception + * @param msg The reason for the exception */ - public SentryGroupNotFoundException(String message) { - super(message); + public SentryGroupNotFoundException(String msg) { + super(msg); } /** * Constructs a new SentryGroupNotFoundException. * - * @param cause - * the underlying Throwable that caused this exception to be thrown. - */ - public SentryGroupNotFoundException(Throwable cause) { - super(cause); - } - - /** - * Constructs a new SentryGroupNotFoundException. + * @param msg The message to send + * @param t The underlying exception * - * @param message - * the reason for the exception - * @param cause - * the underlying Throwable that caused this exception to be thrown. */ - public SentryGroupNotFoundException(String message, Throwable cause) { - super(message, cause); + public SentryGroupNotFoundException(String msg, Throwable t) { + super(msg, t); } } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java index 2d82bcf..73fcda8 100644 
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java @@ -25,6 +25,7 @@ import org.apache.sentry.core.common.Action; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.exception.SentryConfigurationException; +import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; import org.apache.sentry.core.common.Subject; import org.apache.sentry.policy.common.PolicyEngine; @@ -71,7 +72,8 @@ public interface AuthorizationProvider { * @return * @throws SentryConfigurationException */ - Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException; + Set<String> listPrivilegesForSubject(Subject subject) + throws SentryConfigurationException, SentryGroupNotFoundException; /** * Returns the list privileges for the given group http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java index 7e85261..9048d76 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java 
@@ -17,9 +17,10 @@ package org.apache.sentry.provider.common; import java.util.Set; - import javax.annotation.concurrent.ThreadSafe; +import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; + /** * Interface so the Groups class is easier to unit test with. * Implementations of this class are expected to be thread safe @@ -31,5 +32,5 @@ public interface GroupMappingService { /** * @return non-null list of groups for user */ - Set<String> getGroups(String user); + Set<String> getGroups(String user) throws SentryGroupNotFoundException; } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java index bde53d5..00b5cf6 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java @@ -54,7 +54,7 @@ public class HadoopGroupMappingService implements GroupMappingService { } @Override - public Set<String> getGroups(String user) { + public Set<String> getGroups(String user) throws SentryGroupNotFoundException { List<String> groupList = Lists.newArrayList(); try { groupList = groups.getGroups(user); http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java index 005724f..a9b98f3 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java @@ -22,6 +22,7 @@ import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME; import java.util.ArrayList; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -31,6 +32,7 @@ import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.exception.SentryConfigurationException; +import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; import org.apache.sentry.core.common.Subject; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.policy.common.Privilege; 
@@ -91,13 +93,21 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv Preconditions.checkNotNull(actions, "Actions cannot be null"); Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty"); Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null"); - return doHasAccess(subject, authorizableHierarchy, actions, roleSet); + boolean hasAccess = false; + hasAccess = doHasAccess(subject, authorizableHierarchy, actions, roleSet); + return hasAccess; } private boolean doHasAccess(Subject subject, List<? extends Authorizable> authorizables, Set<? extends Action> actions, ActiveRoleSet roleSet) { - Set<String> groups = getGroups(subject); + Set<String> groups; + try { + groups = getGroups(subject); + } catch (SentryGroupNotFoundException e) { + groups = Collections.emptySet(); + LOGGER.debug("Groups not found for " + subject); + } Set<String> users = Sets.newHashSet(subject.getName()); Set<String> hierarchy = new HashSet<String>(); for (Authorizable authorizable : authorizables) { @@ -169,7 +179,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv return groupService; } - private Set<String> getGroups(Subject subject) { + private Set<String> getGroups(Subject subject) throws SentryGroupNotFoundException { return groupService.getGroups(subject.getName()); } 
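Review bot: In `hasAccess` the new local is assigned twice in a row, `boolean hasAccess = false; hasAccess = doHasAccess(...)`, and then returned unchanged, which adds nothing over the removed `return doHasAccess(subject, authorizableHierarchy, actions, roleSet);`. The exception is now handled inside `doHasAccess`, so the single return statement can stay as it was. The local also shares its name with the method, which makes an authorization entry point harder to read than it needs to be.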
@@ -179,7 +189,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv } @Override - public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException { + public Set<String> listPrivilegesForSubject(Subject subject) + throws SentryConfigurationException, SentryGroupNotFoundException { return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()), ActiveRoleSet.ALL, (Authorizable[]) null); } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java index fe01b06..c8f2bed 100644 --- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java @@ -19,6 +19,8 @@ package org.apache.sentry.provider.common; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; +import org.junit.Assert; import org.junit.Test; /** 
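Review bot: `listPrivilegesForSubject` now propagates `SentryGroupNotFoundException`, while `doHasAccess` in the same class catches it and continues with an empty group set. Both paths pass `Sets.newHashSet(subject.getName())` to the policy engine, so a subject whose groups cannot be resolved is still evaluated on its user name in access checks yet cannot list those same privileges. If the asymmetry is intended, a comment on the method should say so, for example `// unlike hasAccess, listing fails when the subject's groups cannot be resolved`. Otherwise both paths could resolve groups through one helper that returns `Collections.emptySet()` on `SentryGroupNotFoundException`.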
@@ -32,8 +34,12 @@ public class TestNoAuthorizationProvider { assertFalse(nap.hasAccess(null, null, null, null)); GroupMappingService gms = nap.getGroupMapping(); - assertEquals(gms.getGroups(null).size(), 0); - assertEquals(gms.getGroups("").size(), 0); - assertEquals(gms.getGroups("a").size(), 0); + try { + assertEquals(gms.getGroups(null).size(), 0); + assertEquals(gms.getGroups("").size(), 0); + assertEquals(gms.getGroups("a").size(), 0); + } catch (SentryGroupNotFoundException e) { + Assert.fail("SentryGroupsNotFoundException should not be thrown"); + } } } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 650880b..2fbad36 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -211,6 +211,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); 
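Review bot: The handler added to `SentryPolicyStoreProcessor` passes `e.getMessage()` and the exception itself into `Status.AccessDenied(...)`, so whatever text the group mapping service puts in a `SentryGroupNotFoundException` is copied into the Thrift response. What `Status.AccessDenied` does with the throwable is not visible here, but if the message names the user or the lookup backend, a caller can tell an unknown user from an ordinary denial. A fixed client-facing text such as `response.setStatus(Status.AccessDenied("Access denied", e));`, with the detail kept in the server log, would avoid that. The block is also a line-for-line copy of the `SentryAccessDeniedException` handler above it and is repeated in the later handler hunks of this file. Provided neither type extends the other, `} catch (SentryAccessDeniedException | SentryGroupNotFoundException e) {` would cover both cases once per method.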
@@ -282,6 +285,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -368,6 +374,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -426,6 +435,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); 
@@ -482,6 +494,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -522,6 +537,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -563,6 +581,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); 
@@ -620,6 +641,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -663,7 +687,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { //Non admin users are only allowed to list only groups which they belong to if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) { throw new SentryAccessDeniedException("Access denied to " + subject); - }else { + } else { groups.clear(); groups.add(request.getGroupName()); } @@ -679,6 +703,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); 
@@ -708,8 +735,24 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { throw new SentryAccessDeniedException("The user name can't be empty."); } - Set<String> requestorGroups = getRequestorGroups(requestor); - Set<String> userGroups = getRequestorGroups(userName); + Set<String> requestorGroups; + try { + requestorGroups = getRequestorGroups(requestor); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + return response; + } + + Set<String> userGroups; + try { + userGroups = getRequestorGroups(userName); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + String msg = "Groups for user " + userName + " do not exist: " + e.getMessage(); + response.setStatus(Status.AccessDenied(msg, e)); + return response; + } boolean isAdmin = inAdminGroups(requestorGroups); // Only admin users can list other user's roles in the system @@ -720,10 +763,6 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { roleSet = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(userName)); response.setRoles(roleSet); response.setStatus(Status.OK()); - } catch (SentryGroupNotFoundException e) { - LOGGER.error(e.getMessage(), e); - String msg = "Group couldn't be retrieved for " + requestor + " or " + userName + "."; - response.setStatus(Status.AccessDenied(msg, e)); } catch (SentryNoSuchObjectException e) { response.setRoles(roleSet); String msg = "Role: " + request + " couldn't be retrieved."; 
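Review bot: The two new early-return blocks give the caller different answers depending on which lookup failed, and the second, `"Groups for user " + userName + " do not exist: " + e.getMessage()`, is produced before `inAdminGroups(requestorGroups)` and the "only admin users can list other user's roles" check. A non-admin requestor can therefore learn from the response whether groups resolve for an arbitrary `userName`, whereas the removed handler returned one combined message for both cases. Resolving `userGroups` only after the requestor has been authorised would close that, as would the same generic text in both blocks, e.g. `response.setStatus(Status.AccessDenied("Access denied to " + requestor, e));`. The `return response;` statements also appear to leave from inside the `try`, so anything the method does after its catch chain is skipped unless it sits in a `finally`. The rest of the method is outside the hunk.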
@@ -779,6 +818,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -901,6 +943,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -942,6 +987,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); 
@@ -1010,6 +1058,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); @@ -1113,6 +1164,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { response.setMappingData(tSentryMappingData); response.setStatus(Status.OK()); + } catch (SentryAccessDeniedException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); 
@@ -1137,6 +1194,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole()); response.setStatus(Status.OK()); + } catch (SentryAccessDeniedException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryGroupNotFoundException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryInvalidInputException e) { String msg = "Invalid input privilege object"; LOGGER.error(msg, e); http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java index 6597a7c..cc72b33 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java 
@@ -53,6 +53,9 @@ import com.google.common.collect.Sets; public class TestSentryGenericPolicyProcessor extends org.junit.Assert { private static final String ADMIN_GROUP = "admin_group"; private static final String ADMIN_USER = "admin_user"; + private static final String NOT_ADMIN_USER = "not_admin_user"; + private static final String NOT_ADMIN_GROUP = "not_admin_group"; + private static final String NO_GROUP_USER = "no_group_user"; private SentryStoreLayer mockStore = Mockito.mock(SentryStoreLayer.class); private SentryGenericPolicyProcessor processor; @@ -67,7 +70,7 @@ public class TestSentryGenericPolicyProcessor extends org.junit.Assert { @Test public void testNotAdminOperation() throws Exception { - String requestUser = "not_" + ADMIN_USER; + String requestUser = NOT_ADMIN_USER; Status validateStatus = Status.ACCESS_DENIED; testOperation(requestUser, validateStatus); } 
@@ -217,6 +220,45 @@ public class TestSentryGenericPolicyProcessor extends org.junit.Assert { } @Test + public void testUserWithNoGroup() throws Exception { + setup(); + + TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest(); + createrequest.setRequestorUserName(NO_GROUP_USER); + createrequest.setRoleName("r1"); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus())); + + TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest(); + dropRequest.setRequestorUserName(NO_GROUP_USER); + dropRequest.setRoleName("r1"); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus())); + + TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest(); + addRequest.setRequestorUserName(NO_GROUP_USER); + addRequest.setRoleName("r1"); + addRequest.setGroups(Sets.newHashSet("g1")); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus())); + + TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest(); + delRequest.setRequestorUserName(NO_GROUP_USER); + delRequest.setRoleName("r1"); + delRequest.setGroups(Sets.newHashSet("g1")); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus())); + + TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest(); + dropPrivRequest.setRequestorUserName(NO_GROUP_USER); + dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test")); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus())); + + TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest(); + renameRequest.setRequestorUserName(NO_GROUP_USER); + assertEquals(Status.ACCESS_DENIED, 
fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus())); + + // Can't test GrantPrivilege / RevokePrivilege since the authorization happens + // in the persistence layer, which isn't setup in this test. + } + + @Test public void testGetRolesAndPrivileges() throws Exception { String roleName = "r1"; String groupName = "g1"; @@ -311,8 +353,10 @@ public class TestSentryGenericPolicyProcessor extends org.junit.Assert { public Set<String> getGroups(String user) { if (user.equalsIgnoreCase(ADMIN_USER)) { return Sets.newHashSet(ADMIN_GROUP); + } else if (user.equalsIgnoreCase(NOT_ADMIN_USER)){ + return Sets.newHashSet(NOT_ADMIN_GROUP); } else { - return Sets.newHashSet("not" + ADMIN_GROUP); + return Collections.emptySet(); } } } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java index 5447420..4430ce7 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java 
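Review bot: The stub's new fallback `return Collections.emptySet();` means `testUserWithNoGroup` only covers a mapping service that returns an empty set, not one that throws. `LocalGroupMappingService.getGroups` in this same commit throws SentryGroupNotFoundException for a user with no groups, so that path is untested here. If the interface method declares the exception, a further stub branch for a dedicated test user, `throw new SentryGroupNotFoundException("no groups for " + user);`, would pin the denial on the throwing path. The test also checks only the returned status; asserting that `mockStore` was not called for the denied requests would show that nothing was written. The stub class starts outside the hunk.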
@@ -85,7 +85,7 @@ public class LocalGroupMappingService implements GroupMappingService { } @Override - public Set<String> getGroups(String user) { + public Set<String> getGroups(String user) throws SentryGroupNotFoundException { Set<String> groups = groupMap.get(user); if (groups == null || groups.isEmpty()) { throw new SentryGroupNotFoundException("Unable to obtain groups for " + user); http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java index 9864b82..40cb814 100644 --- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java +++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java 
@@ -59,10 +59,20 @@ public class TestLocalGroupMapping { @Test public void testGroupMapping() { - Set<String> fooGroupsFromResource = localGroupMapping.getGroups("foo"); + Set<String> fooGroupsFromResource = null; + try { + fooGroupsFromResource = localGroupMapping.getGroups("foo"); + } catch (SentryGroupNotFoundException e) { + Assert.fail("SentryGroupNotFoundException should not be thrown"); + } Assert.assertEquals(fooGroupsFromResource, fooGroups); - Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar"); + Set<String> barGroupsFromResource = null; + try { + barGroupsFromResource = localGroupMapping.getGroups("bar"); + } catch (SentryGroupNotFoundException e) { + Assert.fail("SentryGroupNotFoundException should not be thrown"); + } Assert.assertEquals(barGroupsFromResource, barGroups); try { http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java ---------------------------------------------------------------------- diff --git a/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java b/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java index 2338ab8..9da3d6e 100644 --- a/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java +++ b/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java @@ -21,6 +21,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl; +import org.apache.sentry.core.common.exception.SentryUserException; import org.apache.solr.common.SolrException; import org.apache.solr.common.params.ModifiableSolrParams; import org.apache.solr.common.params.SolrParams; 
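Review bot: Wrapping each `getGroups` call in `try { ... } catch (SentryGroupNotFoundException e) { Assert.fail(...); }` discards the exception and its stack trace, so a failure here reports only the fixed string. Declaring the exception on the test, `public void testGroupMapping() throws SentryGroupNotFoundException {`, lets JUnit report the real cause and removes the need for the `= null` initialisers. The method continues past the end of the hunk.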
@@ -166,8 +167,13 @@ public class QueryDocAuthorizationComponent extends SearchComponent throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, getClass().getSimpleName() + " can only be used with Sentry authorization plugin for Solr"); } - - return ((SentrySolrPluginImpl)plugin).getRoles(userName); + try { + return ((SentrySolrPluginImpl)plugin).getRoles(userName); + } catch (SentryUserException e) { + throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, + "Request from user: " + userName + + " rejected due to SentryUserException: ", e); + } } } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java index 02ac514..fd8ec56 100644 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java +++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java @@ -19,7 +19,6 @@ package org.apache.sentry.tests.e2e.hive; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; import java.io.File; import java.io.FileOutputStream; @@ -28,7 +27,6 @@ import java.sql.ResultSet; import java.sql.Statement; import org.apache.hadoop.mapreduce.JobContext; -import org.apache.hive.service.cli.HiveSQLException; import org.apache.sentry.provider.file.PolicyFile; import org.junit.After; import org.junit.Before; 
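Review bot: The new message `"Request from user: " + userName + " rejected due to SentryUserException: "` names the internal exception class and ends in a dangling colon with nothing after it. The Sentry exception is also attached as the cause of the `SolrException`. For a commit that aims to keep Sentry exception details away from clients, a neutral message reads better, for example `"Request from user: " + userName + " rejected: unable to determine roles"`, with the cause written to the server log. Whether Solr renders the cause chain in its error response is not visible here. The enclosing method begins outside the hunk.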
@@ -364,23 +362,12 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration { statement.close(); connection.close(); - // user1 hasn't any group + // user1 has no group connection = context.createConnection("user1"); statement = context.createStatement(connection); - // for any sql need to be authorized, exception will be thrown if the uer hasn't any group - // information - try { - statement.execute("CREATE TABLE db1.t1 (under_col int, value string)"); - fail("User without group configuration, SentryGroupNotFoundException should be thrown "); - } catch (HiveSQLException hse) { - assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0); - } - try { - statement.execute("SELECT under_col from db1.t1"); - fail("User without group configuration, SentryGroupNotFoundException should be thrown "); - } catch (HiveSQLException hse) { - assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0); - } + context.assertAuthzException(statement, + "CREATE TABLE db1.t1 (under_col int, value string)"); + context.assertAuthzException(statement, "SELECT under_col from db1.t1"); statement.close(); connection.close(); } http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java index 02ac514..fd8ec56 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java 
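Review bot: Replacing the message checks with `context.assertAuthzException(...)` leaves no assertion that the error returned to the client is free of the exception name, which is the behaviour the commit title describes. If `assertAuthzException` does not already inspect the message (its body is not in this diff), add a negative check beside these calls, such as `assertFalse(e.getMessage().contains("SentryGroupNotFoundException"));` on the caught exception. `assertFalse` is still imported. The identical hunk in sentry-tests-hive/.../TestUserManagement.java would take the same check. The test method starts outside the hunk.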
@@ -19,7 +19,6 @@ package org.apache.sentry.tests.e2e.hive; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; import java.io.File; import java.io.FileOutputStream; @@ -28,7 +27,6 @@ import java.sql.ResultSet; import java.sql.Statement; import org.apache.hadoop.mapreduce.JobContext; -import org.apache.hive.service.cli.HiveSQLException; import org.apache.sentry.provider.file.PolicyFile; import org.junit.After; import org.junit.Before; @@ -364,23 +362,12 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration { statement.close(); connection.close(); - // user1 hasn't any group + // user1 has no group connection = context.createConnection("user1"); statement = context.createStatement(connection); - // for any sql need to be authorized, exception will be thrown if the uer hasn't any group - // information - try { - statement.execute("CREATE TABLE db1.t1 (under_col int, value string)"); - fail("User without group configuration, SentryGroupNotFoundException should be thrown "); - } catch (HiveSQLException hse) { - assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0); - } - try { - statement.execute("SELECT under_col from db1.t1"); - fail("User without group configuration, SentryGroupNotFoundException should be thrown "); - } catch (HiveSQLException hse) { - assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0); - } + context.assertAuthzException(statement, + "CREATE TABLE db1.t1 (under_col int, value string)"); + context.assertAuthzException(statement, "SELECT under_col from db1.t1"); statement.close(); connection.close(); }
