http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java deleted file mode 100644 index 4dddf78..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java +++ /dev/null @@ -1,263 +0,0 @@ - /** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.tools; - - import com.google.common.collect.Sets; - import com.google.common.io.Files; - import org.apache.commons.io.FileUtils; - import org.apache.sentry.core.common.exception.SentryConfigurationException; - import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase; - import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; - import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; - import org.apache.sentry.service.thrift.ServiceConstants; - import org.junit.After; - import org.junit.Before; - import org.junit.Test; - - import java.io.File; - import java.io.FileOutputStream; - import java.util.HashMap; - import java.util.HashSet; - import java.util.Map; - import java.util.Set; - - import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER; - import static org.junit.Assert.assertEquals; - import static org.junit.Assert.assertTrue; - import static org.junit.Assert.fail; - - public class TestSentryConfigToolIndexer extends SentryGenericServiceIntegrationBase { - private static String RESOURCES_DIR = "target" + File.separator + "test-classes" + File.separator; - private static String VALID_POLICY_INI = RESOURCES_DIR + "indexer_config_import_tool.ini"; - private static String INVALID_POLICY_INI = RESOURCES_DIR + "indexer_invalid.ini"; - private static String CASE_POLICY_INI = RESOURCES_DIR + "indexer_case.ini"; - private File confDir; - private File confPath; - private String requestorName = ""; - private String service = "service1"; - - @Before - public void prepareForTest() throws Exception { - confDir = Files.createTempDir(); - confPath = new File(confDir, "sentry-site.xml"); - conf.set(ServiceConstants.ClientConfig.SERVICE_NAME, service); - if (confPath.createNewFile()) { - FileOutputStream to = new FileOutputStream(confPath); - conf.writeXml(to); - to.close(); - } - requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", ""); - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorName, requestorUserGroupNames); - // add ADMIN_USER for the after() in SentryServiceIntegrationBase - setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames); - writePolicyFile(); - } - - @After - public void clearTestData() throws Exception { - FileUtils.deleteQuietly(confDir); - - // clear roles and privileges - Set<TSentryRole> tRoles = client.listAllRoles(requestorName, HBASE_INDEXER); - for (TSentryRole tRole : tRoles) { - String role = tRole.getRoleName(); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName( - requestorName, role, HBASE_INDEXER, service); - for (TSentryPrivilege privilege : privileges) { - client.revokePrivilege(requestorName, role, HBASE_INDEXER, privilege); - } - client.dropRole(requestorName, role, HBASE_INDEXER); - } - } - - @Test - public void testConvertIni() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = {"-mgr", "-f", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"}; - SentryShellIndexer sentryTool = new SentryShellIndexer(); - sentryTool.executeShell(args); - - Map<String, Set<String>> groupMapping = new HashMap<String, Set<String>>(); - groupMapping.put("corporal_role", Sets.newHashSet("corporal", "sergeant", "general", "commander_in_chief")); - groupMapping.put("sergeant_role", Sets.newHashSet("sergeant", "general", "commander_in_chief")); - groupMapping.put("general_role", Sets.newHashSet("general", "commander_in_chief")); - groupMapping.put("commander_in_chief_role", Sets.newHashSet("commander_in_chief")); - - - Map<String, Set<String>> privilegeMapping = new HashMap<String, Set<String>>(); - privilegeMapping.put("corporal_role", - Sets.newHashSet("Indexer=info->action=read", "Indexer=info->action=write")); - privilegeMapping.put("sergeant_role", - Sets.newHashSet("Indexer=info->action=write")); - privilegeMapping.put("general_role", - Sets.newHashSet("Indexer=info->action=*")); - privilegeMapping.put("commander_in_chief_role", - Sets.newHashSet("Indexer=*->action=*")); - - // check roles - Set<TSentryRole> tRoles = client.listAllRoles(requestorName, HBASE_INDEXER); - assertEquals("Unexpected number of roles", groupMapping.keySet().size(), tRoles.size()); - Set<String> roles = new HashSet<String>(); - for (TSentryRole tRole : tRoles) { - roles.add(tRole.getRoleName()); - } - - for (String expectedRole : groupMapping.keySet()) { - assertTrue("Didn't find expected role: " + expectedRole, roles.contains(expectedRole)); - } - - // check groups - for (TSentryRole tRole : tRoles) { - Set<String> expectedGroups = groupMapping.get(tRole.getRoleName()); - assertEquals("Group size doesn't match for role: " + tRole.getRoleName(), - expectedGroups.size(), tRole.getGroups().size()); - assertTrue("Group does not contain all expected members for role: " + tRole.getRoleName(), - tRole.getGroups().containsAll(expectedGroups)); - } - - // check privileges - GenericPrivilegeConverter convert = new GenericPrivilegeConverter(HBASE_INDEXER, service); - for (String role : roles) { - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName( - requestorName, role, HBASE_INDEXER, service); - Set<String> expectedPrivileges = privilegeMapping.get(role); - assertEquals("Privilege set size doesn't match for role: " + role, - expectedPrivileges.size(), privileges.size()); - - Set<String> privilegeStrs = new HashSet<String>(); - for (TSentryPrivilege privilege : privileges) { - privilegeStrs.add(convert.toString(privilege)); - } - - for (String expectedPrivilege : expectedPrivileges) { - assertTrue("Did not find expected privilege: " + expectedPrivilege, - privilegeStrs.contains(expectedPrivilege)); - } - } - } - }); - } - - @Test - public void testNoPolicyFile() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-mgr", "-f", INVALID_POLICY_INI + "Foobar", "-conf", confPath.getAbsolutePath(), "-v", "-i"}; - SentryShellIndexer sentryTool = new SentryShellIndexer(); - try { - sentryTool.executeShell(args); - fail("Exception should be thrown for nonexistant ini"); - } catch (SentryConfigurationException e) { - // expected exception - } - } - }); - } - - @Test - public void testNoValidateNorImport() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-mgr", "-f", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath()}; - SentryShellIndexer sentryTool = new SentryShellIndexer(); - try { - sentryTool.executeShell(args); - fail("Exception should be thrown for validating invalid ini"); - } catch (IllegalArgumentException e) { - // expected exception - } - } - }); - } - - @Test - public void testConvertInvalidIni() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: validate an invalid ini - String[] args = { "-mgr", "-f", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"}; - SentryShellIndexer sentryTool = new SentryShellIndexer(); - try { - sentryTool.executeShell(args); - fail("Exception should be thrown for validating invalid ini"); - } catch (SentryConfigurationException e) { - // expected exception - } - - // test without validating, should not error - args = new String[] { "-mgr", "-f", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i"}; - sentryTool = new SentryShellIndexer(); - sentryTool.executeShell(args); - } - }); - } - - @Test - public void testCompatCheck() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: validate an invalid ini - String[] args = { "-mgr", "-f", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"}; - SentryShellIndexer sentryTool = new SentryShellIndexer(); - try { - sentryTool.executeShell(args); - fail("Exception should be thrown for validating invalid ini"); - } catch (SentryConfigurationException e) { - assertEquals("Expected error", 1, e.getConfigErrors().size()); - String error = e.getConfigErrors().get(0); - assertCasedRoleNamesInMessage(error, "RoLe1", "rOlE1"); - String warning = e.getConfigWarnings().get(0); - assertCasedRoleNamesInMessage(warning, "ROLE2", "RoLe1", "rOlE1"); - assertEquals("Expected warning", 1, e.getConfigWarnings().size()); - } - - // test without compat checking - args = new String[] { "-mgr", "-f", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i", "-v"}; - sentryTool = new SentryShellIndexer(); - sentryTool.executeShell(args); - } - }); - } - - // Test that a valid compat check doesn't throw an exception - @Test - public void testCompatCheckValid() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-mgr", "-f", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"}; - SentryShellIndexer sentryTool = new SentryShellIndexer(); - sentryTool.executeShell(args); - } - }); - } - - private void assertCasedRoleNamesInMessage(String message, String ... casedRoleNames) { - for (String casedRoleName : casedRoleNames) { - assertTrue("Expected cased role name: " + casedRoleName, message.contains(casedRoleName)); - } - } - }
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java deleted file mode 100644 index 9e6ff42..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java +++ /dev/null @@ -1,261 +0,0 @@ - /** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.tools; - -import com.google.common.io.Files; -import com.google.common.collect.Sets; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import java.io.File; -import java.io.FileOutputStream; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.core.common.exception.SentryConfigurationException; - -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBase { - private static String RESOURCES_DIR = "target" + File.separator + "test-classes" + File.separator; - private static String VALID_POLICY_INI = RESOURCES_DIR + "solr_config_import_tool.ini"; - private static String INVALID_POLICY_INI = RESOURCES_DIR + "solr_invalid.ini"; - private static String CASE_POLICY_INI = RESOURCES_DIR + "solr_case.ini"; - private File confDir; - private File confPath; - private String requestorName = ""; - private String service = "service1"; - - @Before - public void prepareForTest() throws Exception { - confDir = Files.createTempDir(); - confPath = new File(confDir, "sentry-site.xml"); - if (confPath.createNewFile()) { - FileOutputStream to = new FileOutputStream(confPath); - conf.writeXml(to); - to.close(); - } - requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", ""); - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorName, requestorUserGroupNames); - // add ADMIN_USER for the after() in SentryServiceIntegrationBase - setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames); - writePolicyFile(); - } - - @After - public void clearTestData() throws Exception { - FileUtils.deleteQuietly(confDir); - - // clear roles and privileges - Set<TSentryRole> tRoles = client.listAllRoles(requestorName, SOLR); - for (TSentryRole tRole : tRoles) { - String role = tRole.getRoleName(); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName( - requestorName, role, SOLR, service); - for (TSentryPrivilege privilege : privileges) { - client.revokePrivilege(requestorName, role, SOLR, privilege); - } - client.dropRole(requestorName, role, SOLR); - } - } - - @Test - public void testConvertIni() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-p", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"}; - SentryConfigToolSolr sentryTool = new SentryConfigToolSolr(); - sentryTool.executeConfigTool(args); - - Map<String, Set<String>> groupMapping = new HashMap<String, Set<String>>(); - groupMapping.put("corporal_role", Sets.newHashSet("corporal", "sergeant", "general", "commander_in_chief")); - groupMapping.put("sergeant_role", Sets.newHashSet("sergeant", "general", "commander_in_chief")); - groupMapping.put("general_role", Sets.newHashSet("general", "commander_in_chief")); - groupMapping.put("commander_in_chief_role", Sets.newHashSet("commander_in_chief")); - - Map<String, Set<String>> privilegeMapping = new HashMap<String, Set<String>>(); - privilegeMapping.put("corporal_role", - Sets.newHashSet("Collection=info->action=query", "Collection=info->action=update")); - privilegeMapping.put("sergeant_role", - Sets.newHashSet("Collection=info->action=update")); - privilegeMapping.put("general_role", - Sets.newHashSet("Collection=info->action=*")); - privilegeMapping.put("commander_in_chief_role", - Sets.newHashSet("Collection=*->action=*")); - - // check roles - Set<TSentryRole> tRoles = client.listAllRoles(requestorName, SOLR); - assertEquals("Unexpected number of roles", groupMapping.keySet().size(), tRoles.size()); - Set<String> roles = new HashSet<String>(); - for (TSentryRole tRole : tRoles) { - roles.add(tRole.getRoleName()); - } - - for (String expectedRole : groupMapping.keySet()) { - assertTrue("Didn't find expected role: " + expectedRole, roles.contains(expectedRole)); - } - - // check groups - for (TSentryRole tRole : tRoles) { - Set<String> expectedGroups = groupMapping.get(tRole.getRoleName()); - assertEquals("Group size doesn't match for role: " + tRole.getRoleName(), - expectedGroups.size(), tRole.getGroups().size()); - assertTrue("Group does not contain all expected members for role: " + tRole.getRoleName(), - tRole.getGroups().containsAll(expectedGroups)); - } - - // check privileges - GenericPrivilegeConverter convert = new GenericPrivilegeConverter(SOLR, service); - for (String role : roles) { - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName( - requestorName, role, SOLR, service); - Set<String> expectedPrivileges = privilegeMapping.get(role); - assertEquals("Privilege set size doesn't match for role: " + role, - expectedPrivileges.size(), privileges.size()); - - Set<String> privilegeStrs = new HashSet<String>(); - for (TSentryPrivilege privilege : privileges) { - privilegeStrs.add(convert.toString(privilege)); - } - - for (String expectedPrivilege : expectedPrivileges) { - assertTrue("Did not find expected privilege: " + expectedPrivilege + " in " + privilegeStrs, - privilegeStrs.contains(expectedPrivilege)); - } - } - } - }); - } - - @Test - public void testNoPolicyFile() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-p", INVALID_POLICY_INI + "Foobar", "-conf", confPath.getAbsolutePath(), "-v", "-i"}; - SentryConfigToolSolr sentryTool = new SentryConfigToolSolr(); - try { - sentryTool.executeConfigTool(args); - fail("Exception should be thrown for nonexistant ini"); - } catch (SentryConfigurationException e) { - // expected exception - } - } - }); - } - - @Test - public void testNoValidateNorImport() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath()}; - SentryConfigToolSolr sentryTool = new SentryConfigToolSolr(); - try { - sentryTool.executeConfigTool(args); - fail("Exception should be thrown for validating invalid ini"); - } catch (IllegalArgumentException e) { - // expected exception - } - } - }); - } - - @Test - public void testConvertInvalidIni() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: validate an invalid ini - String[] args = { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"}; - SentryConfigToolSolr sentryTool = new SentryConfigToolSolr(); - try { - sentryTool.executeConfigTool(args); - fail("Exception should be thrown for validating invalid ini"); - } catch (SentryConfigurationException e) { - // expected exception - } - - // test without validating, should not error - args = new String[] { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i"}; - sentryTool = new SentryConfigToolSolr(); - sentryTool.executeConfigTool(args); - } - }); - } - - @Test - public void testCompatCheck() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: validate an invalid ini - String[] args = { "-p", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"}; - SentryConfigToolSolr sentryTool = new SentryConfigToolSolr(); - try { - sentryTool.executeConfigTool(args); - fail("Exception should be thrown for validating invalid ini"); - } catch (SentryConfigurationException e) { - assertEquals("Expected error", 1, e.getConfigErrors().size()); - String error = e.getConfigErrors().get(0); - assertCasedRoleNamesInMessage(error, "RoLe1", "rOlE1"); - String warning = e.getConfigWarnings().get(0); - assertCasedRoleNamesInMessage(warning, "ROLE2", "RoLe1", "rOlE1"); - assertEquals("Expected warning", 1, e.getConfigWarnings().size()); - } - - // test without compat checking - args = new String[] { "-p", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i", "-v"}; - sentryTool = new SentryConfigToolSolr(); - sentryTool.executeConfigTool(args); - } - }); - } - - // Test that a valid compat check doesn't throw an exception - @Test - public void testCompatCheckValid() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String[] args = { "-p", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"}; - SentryConfigToolSolr sentryTool = new SentryConfigToolSolr(); - sentryTool.executeConfigTool(args); - } - }); - } - - private void assertCasedRoleNamesInMessage(String message, String ... casedRoleNames) { - for (String casedRoleName : casedRoleNames) { - assertTrue("Expected cased role name: " + casedRoleName, message.contains(casedRoleName)); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java deleted file mode 100644 index f66eb85..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java +++ /dev/null @@ -1,526 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.tools; - -import com.google.common.collect.Sets; -import com.google.common.io.Files; -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.db.tools.SentryShellCommon; -import org.apache.sentry.service.thrift.ServiceConstants; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileOutputStream; -import java.io.PrintStream; -import java.util.HashSet; -import java.util.Iterator; -import java.util.Set; - -import static junit.framework.Assert.assertEquals; -import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -public class TestSentryShellIndexer extends SentryGenericServiceIntegrationBase { - private File confDir; - private File confPath; - private static String TEST_ROLE_NAME_1 = "testRole1"; - private static String TEST_ROLE_NAME_2 = "testRole2"; - private String requestorName = ""; - private String service = "service1"; - - @Before - public void prepareForTest() throws Exception { - confDir = Files.createTempDir(); - confPath = new File(confDir, "sentry-site.xml"); - conf.set(ServiceConstants.ClientConfig.SERVICE_NAME, service); - if (confPath.createNewFile()) { - FileOutputStream to = new FileOutputStream(confPath); - conf.writeXml(to); - to.close(); - } - requestorName = clientUgi.getShortUserName(); - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorName, requestorUserGroupNames); - // add ADMIN_USER for the after() in SentryServiceIntegrationBase - setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames); - writePolicyFile(); - } - - @After - public void clearTestData() throws Exception { - FileUtils.deleteQuietly(confDir); - } - - @Test - public void testCreateDropRole() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: create role with -cr - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - // test: create role with --create_role - args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - - // validate the result, list roles with -lr - args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer sentryShell = new SentryShellIndexer(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // validate the result, list roles with --list_role - args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // test: drop role with -dr - args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - // test: drop role with --drop_role - args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - - // validate the result - Set<TSentryRole> roles = client.listAllRoles(requestorName, HBASE_INDEXER); - assertEquals("Incorrect number of roles", 0, roles.size()); - } - }); - } - - @Test - public void testAddDeleteRoleForGroup() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // Group names are case sensitive - mixed case names should work - String TEST_GROUP_1 = "testGroup1"; - String TEST_GROUP_2 = "testGroup2"; - String TEST_GROUP_3 = "testGroup3"; - - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - client.createRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER); - // test: add role to group with -arg - String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - // test: add role to multiple groups - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3, - "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - // test: add role to group with --add_role_group - args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1, - "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - - // validate the result list roles with -lr and -g - args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer sentryShell = new SentryShellIndexer(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // list roles with --list_role and -g - args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - // test: delete role from group with -drg - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - // test: delete role to multiple groups - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3, - "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - // test: delete role from group with --delete_role_group - args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1, - "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - - // validate the result - Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, HBASE_INDEXER); - assertEquals("Incorrect number of roles", 0, roles.size()); - roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, HBASE_INDEXER); - assertEquals("Incorrect number of roles", 0, roles.size()); - roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, HBASE_INDEXER); - assertEquals("Incorrect number of roles", 0, roles.size()); - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - client.dropRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER); - } - }); - } - - @Test - public void testCaseSensitiveGroupName() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - // add role to a group (lower case) - String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - - // validate the roles when group name is same case as above - args = new String[] { "-lr", "-g", "group1", "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer sentryShell = new SentryShellIndexer(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - // roles should be empty when group name is different case than above - args = new String[] { "-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath() }; - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames); - } - }); - } - - public static String grant(boolean shortOption) { - return shortOption ? "-gpr" : "--grant_privilege_role"; - } - - public static String revoke(boolean shortOption) { - return shortOption ? "-rpr" : "--revoke_privilege_role"; - } - - public static String list(boolean shortOption) { - return shortOption ? "-lp" : "--list_privilege"; - } - - private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - client.createRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER); - - String [] privs = { - "Indexer=*->action=*", - "Indexer=indexer1->action=read", - "Indexer=indexer2->action=write" - }; - for (int i = 0; i < privs.length; ++i) { - // test: grant privilege to role - String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p", - privs[ i ], - "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - } - - // test the list privilege - String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer sentryShell = new SentryShellIndexer(); - Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true); - assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size()); - for (int i = 0; i < privs.length; ++i) { - assertTrue("Expected privilege: " + privs[ i ], privilegeStrs.contains(privs[ i ])); - } - - for (int i = 0; i < privs.length; ++i) { - args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p", - privs[ i ], "-conf", - confPath.getAbsolutePath() }; - SentryShellIndexer.main(args); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName, - TEST_ROLE_NAME_1, HBASE_INDEXER, service); - assertEquals("Incorrect number of privileges", privs.length - (i + 1), privileges.size()); - } - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - client.dropRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER); - } - }); - } - - - @Test - public void testGrantRevokePrivilegeWithShortOption() throws Exception { - assertGrantRevokePrivilege(true); - } - - @Test - public void testGrantRevokePrivilegeWithLongOption() throws Exception { - assertGrantRevokePrivilege(false); - } - - @Test - public void testNegativeCaseWithInvalidArgument() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - // test: create duplicate role with -cr - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - SentryShellIndexer sentryShell = new SentryShellIndexer(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for creating duplicate role"); - } catch (SentryUserException e) { - // expected exception - } - - // test: drop non-exist role with -dr - args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for dropping non-exist role"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: add non-exist role to group with -arg - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for granting non-exist role to group"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: drop group from non-exist role with -drg - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for drop group from non-exist role"); - } catch (SentryUserException e) { - // excepted exception - } - - // test: grant privilege to role with the error privilege format - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*", - "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for the error privilege format, invalid key value."); - } catch (IllegalArgumentException e) { - // excepted exception - } - - // test: grant privilege to role with the error privilege hierarchy - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->table=tbl1->column=col2->action=insert", "-conf", - confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for the error privilege format, invalid key value."); - } catch (IllegalArgumentException e) { - // expected exception - } - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - } - }); - } - - @Test - public void testNegativeCaseWithoutRequiredArgument() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String strOptionConf = "conf"; - client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - // test: the conf is required argument - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 }; - SentryShellIndexer sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf); - - // test: -r is required when create role - args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -r is required when drop role - args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -r is required when add role to group - args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -g is required when add role to group - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); - - // test: -r is required when delete role from group - args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -g is required when delete role from group - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); - - // test: -r is required when grant privilege to role - args = new String[] { "-gpr", "-p", "indexer=Indexer1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -p is required when grant privilege to role - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); - - // test: action is required in privilege - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "indexer=Indexer1" }; - sentryShell = new SentryShellIndexer(); - try { - getShellResultWithOSRedirect(sentryShell, args, false); - fail("Expected IllegalArgumentException"); - } catch (IllegalArgumentException e) { - assert("Privilege is invalid: action required but not specified.".equals(e.getMessage())); - } - - // test: -r is required when revoke privilege from role - args = new String[] { "-rpr", "-p", "indexer=Indexer1", "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -p is required when revoke privilege from role - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); - - // test: command option is required for shell - args = new String[] {"-conf", confPath.getAbsolutePath() }; - sentryShell = new SentryShellIndexer(); - validateMissingParameterMsgsContains(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[", - "-arg Add role to group", - "-cr Create role", - "-rpr Revoke privilege from role", - "-drg Delete role from group", - "-lr List role", - "-lp List privilege", - "-gpr Grant privilege to role", - "-dr Drop role"); - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER); - } - }); - } - - // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result. - private Set<String> getShellResultWithOSRedirect(SentryShellIndexer sentryShell, - String[] args, boolean expectedExecuteResult) throws Exception { - PrintStream oldOut = System.out; - ByteArrayOutputStream outContent = new ByteArrayOutputStream(); - System.setOut(new PrintStream(outContent)); - assertEquals(expectedExecuteResult, sentryShell.executeShell(args)); - String outContentStr = outContent.toString(); - Set<String> resultSet = outContentStr.length() > 0 ? Sets.<String>newHashSet(outContentStr.split("\n")) : Sets.<String>newHashSet(); - System.setOut(oldOut); - return resultSet; - } - - private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) { - if (expectedRoleNames != null && expectedRoleNames.length > 0) { - assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length, - expectedRoleNames.length, roleNames.size()); - Set<String> lowerCaseRoles = new HashSet<String>(); - for (String role : roleNames) { - lowerCaseRoles.add(role.toLowerCase()); - } - - for (String expectedRole : expectedRoleNames) { - assertTrue("Expected role: " + expectedRole, - lowerCaseRoles.contains(expectedRole.toLowerCase())); - } - } - } - - private void validateMissingParameterMsg(SentryShellIndexer sentryShell, String[] args, - String expectedErrorMsg) throws Exception { - Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); - assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg)); - } - - private void validateMissingParameterMsgsContains(SentryShellIndexer sentryShell, String[] args, - String ... expectedErrorMsgsContains) throws Exception { - Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); - boolean foundAllMessages = false; - Iterator<String> it = errorMsgs.iterator(); - while (it.hasNext()) { - String errorMessage = it.next(); - boolean missingExpected = false; - for (String expectedContains : expectedErrorMsgsContains) { - if (!errorMessage.contains(expectedContains)) { - missingExpected = true; - break; - } - } - if (!missingExpected) { - foundAllMessages = true; - break; - } - } - assertTrue(foundAllMessages); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java deleted file mode 100644 index a9234fa..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java +++ /dev/null @@ -1,550 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.tools; - -import com.google.common.collect.Sets; -import com.google.common.io.Files; -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.db.tools.SentryShellCommon; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileOutputStream; -import java.io.PrintStream; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Iterator; -import java.util.Set; - -import static org.junit.Assert.*; - -public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase { - private File confDir; - private File confPath; - private static String TEST_ROLE_NAME_1 = "testRole1"; - private static String TEST_ROLE_NAME_2 = "testRole2"; - private static String KAFKA = "kafka"; - private String requestorName = ""; - private String service = "kafka"; - - @Before - public void prepareForTest() throws Exception { - confDir = Files.createTempDir(); - confPath = new File(confDir, "sentry-site.xml"); - if (confPath.createNewFile()) { - FileOutputStream to = new FileOutputStream(confPath); - conf.writeXml(to); - to.close(); - } - requestorName = clientUgi.getShortUserName();//.getProperty("user.name", ""); - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorName, requestorUserGroupNames); - // add ADMIN_USER for the after() in SentryServiceIntegrationBase - setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames); - writePolicyFile(); - } - - @After - public void clearTestData() throws Exception { - FileUtils.deleteQuietly(confDir); - } - - @Test - public void testCreateDropRole() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // test: create role with -cr - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - // test: create role with --create_role - args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - - // validate the result, list roles with -lr - args = new String[] { "-lr", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric sentryShell = new SentryShellGeneric(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // validate the result, list roles with --list_role - args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // test: drop role with -dr - args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - // test: drop role with --drop_role - args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - - // validate the result - Set<TSentryRole> roles = client.listAllRoles(requestorName, KAFKA); - assertEquals("Incorrect number of roles", 0, roles.size()); - } - }); - } - - @Test - public void testAddDeleteRoleForGroup() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // Group names are case sensitive - mixed case names should work - String TEST_GROUP_1 = "testGroup1"; - String TEST_GROUP_2 = "testGroup2"; - String TEST_GROUP_3 = "testGroup3"; - - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA); - // test: add role to group with -arg - String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - // test: add role to multiple groups - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3, - "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - // test: add role to group with --add_role_group - args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1, - "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - - // validate the result list roles with -lr and -g - args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric sentryShell = new SentryShellGeneric(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); - - // list roles with --list_role and -g - args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - // List the groups and roles via listGroups - args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - Set<String> groups = getShellResultWithOSRedirect(sentryShell, args, true); - assertEquals(3, groups.size()); - assertTrue(groups.contains("testGroup3 = testrole1")); - assertTrue(groups.contains("testGroup2 = testrole1")); - assertTrue(groups.contains("testGroup1 = testrole2, testrole1")); - - // test: delete role from group with -drg - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - // test: delete role to multiple groups - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3, - "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - // test: delete role from group with --delete_role_group - args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1, - "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - - // validate the result - Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, KAFKA); - assertEquals("Incorrect number of roles", 0, roles.size()); - roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, KAFKA); - assertEquals("Incorrect number of roles", 0, roles.size()); - roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, KAFKA); - assertEquals("Incorrect number of roles", 0, roles.size()); - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA); - } - }); - } - - @Test - public void testCaseSensitiveGroupName() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - // add role to a group (lower case) - String[] args = {"-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf", - confPath.getAbsolutePath(), "-t", "kafka"}; - SentryShellGeneric.main(args); - - // validate the roles when group name is same case as above - args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath(), "-t", "kafka"}; - SentryShellGeneric sentryShell = new SentryShellGeneric(); - Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames, TEST_ROLE_NAME_1); - - // roles should be empty when group name is different case than above - args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath(), "-t", "kafka"}; - roleNames = getShellResultWithOSRedirect(sentryShell, args, true); - validateRoleNames(roleNames); - } - }); - } - - public static String grant(boolean shortOption) { - return shortOption ? "-gpr" : "--grant_privilege_role"; - } - - public static String revoke(boolean shortOption) { - return shortOption ? "-rpr" : "--revoke_privilege_role"; - } - - public static String list(boolean shortOption) { - return shortOption ? "-lp" : "--list_privilege"; - } - - private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - // create the role for test - client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA); - - String [] privs = { - "HOST=*->CLUSTER=kafka-cluster->action=read", - "HOST=h1->TOPIC=t1->action=write", - "HOST=*->CONSUMERGROUP=cg1->action=read", - "CLUSTER=kafka-cluster->action=write", - "CONSUMERGROUP=cg2->action=write" - }; - for (int i = 0; i < privs.length; ++i) { - // test: grant privilege to role - String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p", - privs[ i ], - "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - } - - // test the list privilege - String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric sentryShell = new SentryShellGeneric(); - Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true); - - assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size()); - for (int i = 0; i < privs.length; ++i) { - assertTrue("Expected privilege: " + privs[i] + " in " + Arrays.toString(privilegeStrs.toArray()), privilegeStrs.contains(privs[i].startsWith("HOST=") ? privs[i] : "HOST=*->" + privs[i])); - } - - for (int i = 0; i < privs.length; ++i) { - args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p", - privs[ i ], "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric.main(args); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName, - TEST_ROLE_NAME_1, KAFKA, service); - assertEquals("Incorrect number of privileges. Received privileges: " + Arrays.toString(privileges.toArray()), privs.length - (i + 1), privileges.size()); - } - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA); - } - }); - } - - - @Test - public void testGrantRevokePrivilegeWithShortOption() throws Exception { - assertGrantRevokePrivilege(true); - } - - @Test - public void testGrantRevokePrivilegeWithLongOption() throws Exception { - assertGrantRevokePrivilege(false); - } - - - @Test - public void testNegativeCaseWithInvalidArgument() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - // test: create duplicate role with -cr - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - SentryShellGeneric sentryShell = new SentryShellGeneric(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for creating duplicate role"); - } catch (SentryUserException e) { - // expected exception - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // test: drop non-exist role with -dr - args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for dropping non-exist role"); - } catch (SentryUserException e) { - // excepted exception - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // test: add non-exist role to group with -arg - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for granting non-exist role to group"); - } catch (SentryUserException e) { - // excepted exception - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // test: drop group from non-exist role with -drg - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for drop group from non-exist role"); - } catch (SentryUserException e) { - // excepted exception - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // test: grant privilege to role with the error privilege format - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=all", - "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for the error privilege format, invalid key value."); - } catch (IllegalArgumentException e) { - // excepted exception - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // test: grant privilege to role with the error privilege hierarchy - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "consumergroup=cg1->host=h1->action=create", "-conf", - confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - try { - sentryShell.executeShell(args); - fail("Exception should be thrown for the error privilege format, invalid key value."); - } catch (IllegalArgumentException e) { - // expected exception - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - } - }); - } - - @Test - public void testNegativeCaseWithoutRequiredArgument() throws Exception { - runTestAsSubject(new TestOperation() { - @Override - public void runTestAsSubject() throws Exception { - String strOptionConf = "conf"; - client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - // test: the conf is required argument - String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-t", "kafka" }; - SentryShellGeneric sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf); - - // test: -r is required when create role - args = new String[] { "-cr", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -r is required when drop role - args = new String[] { "-dr", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -r is required when add role to group - args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -g is required when add role to group - args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); - - // test: -r is required when delete role from group - args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -g is required when delete role from group - args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); - - // test: -r is required when grant privilege to role - args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -p is required when grant privilege to role - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); - - // test: action is required in privilege - args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "host=*->topic=t1", "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - try { - getShellResultWithOSRedirect(sentryShell, args, false); - fail("Expected IllegalArgumentException"); - } catch (IllegalArgumentException e) { - assert(("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg).equals(e.getCause().getMessage())); - } catch (Exception e) { - fail ("Unexpected exception received. " + e); - } - - // test: -r is required when revoke privilege from role - args = new String[] { "-rpr", "-p", "host=h1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); - - // test: -p is required when revoke privilege from role - args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsg(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); - - // test: command option is required for shell - args = new String[] {"-conf", confPath.getAbsolutePath(), "-t", "kafka" }; - sentryShell = new SentryShellGeneric(); - validateMissingParameterMsgsContains(sentryShell, args, - SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[", - "-arg Add role to group", - "-cr Create role", - "-rpr Revoke privilege from role", - "-drg Delete role from group", - "-lr List role", - "-lp List privilege", - "-gpr Grant privilege to role", - "-dr Drop role"); - - // clear the test data - client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); - } - }); - } - - // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result. - private Set<String> getShellResultWithOSRedirect(SentryShellGeneric sentryShell, - String[] args, boolean expectedExecuteResult) throws Exception { - PrintStream oldOut = System.out; - ByteArrayOutputStream outContent = new ByteArrayOutputStream(); - System.setOut(new PrintStream(outContent)); - assertEquals(expectedExecuteResult, sentryShell.executeShell(args)); - Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n")); - System.setOut(oldOut); - return resultSet; - } - - private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) { - if (expectedRoleNames != null && expectedRoleNames.length > 0) { - assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length, - expectedRoleNames.length, roleNames.size()); - Set<String> lowerCaseRoles = new HashSet<String>(); - for (String role : roleNames) { - lowerCaseRoles.add(role.toLowerCase()); - } - - for (String expectedRole : expectedRoleNames) { - assertTrue("Expected role: " + expectedRole, - lowerCaseRoles.contains(expectedRole.toLowerCase())); - } - } - } - - private void validateMissingParameterMsg(SentryShellGeneric sentryShell, String[] args, - String expectedErrorMsg) throws Exception { - Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); - assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg)); - } - - private void validateMissingParameterMsgsContains(SentryShellGeneric sentryShell, String[] args, - String ... expectedErrorMsgsContains) throws Exception { - Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); - boolean foundAllMessages = false; - Iterator<String> it = errorMsgs.iterator(); - while (it.hasNext()) { - String errorMessage = it.next(); - boolean missingExpected = false; - for (String expectedContains : expectedErrorMsgsContains) { - if (!errorMessage.contains(expectedContains)) { - missingExpected = true; - break; - } - } - if (!missingExpected) { - foundAllMessages = true; - break; - } - } - assertTrue(foundAllMessages); - } -}
