http://git-wip-us.apache.org/repos/asf/sentry/blob/7db84b2f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java deleted file mode 100644 index 69d1623..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java +++ /dev/null @@ -1,182 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.persistent; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import java.util.Set; - -import org.apache.sentry.core.common.exception.SentryAlreadyExistsException; -import org.apache.sentry.core.common.exception.SentryNoSuchObjectException; -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.collect.Sets; - -public class TestDelegateSentryStore extends SentryStoreIntegrationBase{ - private static final String SEARCH = "solr"; - - @Before - public void configure() throws Exception { - /** - * add the admin user to admin groups - */ - policyFile = new PolicyFile(); - addGroupsToUser("admin", getAdminGroups()); - writePolicyFile(); - } - - @Test - public void testCreateDropRole() throws Exception { - String roleName = "test-drop-role"; - String grantor = "grantor"; - sentryStore.createRole(SEARCH, roleName, grantor); - sentryStore.dropRole(SEARCH, roleName, grantor); - } - - @Test - public void testCaseInsensitiveCreateDropRole() throws Exception { - String roleName1 = "test"; - String roleName2 = "TeSt"; - String grantor = "grantor"; - sentryStore.createRole(SEARCH, roleName1, grantor); - try { - sentryStore.createRole(SEARCH, roleName2, grantor); - fail("Fail to throw Exception"); - } catch (SentryAlreadyExistsException e) { - //ignore the exception - } - - try { - sentryStore.dropRole(SEARCH, roleName2, grantor); - } catch (SentryNoSuchObjectException e) { - fail("Shouldn't throw SentryNoSuchObjectException"); - } - } - - @Test(expected=Exception.class) - public void testCreateDuplicateRole() throws Exception { - String roleName = "test-dup-role"; - String grantor = "grantor"; - sentryStore.createRole(SEARCH, roleName, grantor); - sentryStore.createRole(SEARCH, roleName, grantor); - } - - @Test(expected=SentryNoSuchObjectException.class) - public void testDropNotExistRole() throws Exception { - String roleName = "not-exist"; - String grantor = "grantor"; - sentryStore.dropRole(SEARCH, roleName, grantor); - } - - @Test(expected = SentryNoSuchObjectException.class) - public void testAddGroupsNonExistantRole() - throws Exception { - String roleName = "non-existant-role"; - String grantor = "grantor"; - sentryStore.alterRoleAddGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor); - } - - @Test(expected = SentryNoSuchObjectException.class) - public void testDeleteGroupsNonExistantRole() - throws Exception { - String roleName = "non-existant-role"; - String grantor = "grantor"; - sentryStore.alterRoleDeleteGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor); - } - - @Test - public void testAddDeleteRoleToGroups() throws Exception { - String role1 = "r1", role2 = "r2"; - Set<String> twoGroups = Sets.newHashSet("g1", "g2"); - Set<String> oneGroup = Sets.newHashSet("g3"); - String grantor = "grantor"; - - sentryStore.createRole(SEARCH, role1, grantor); - sentryStore.createRole(SEARCH, role2, grantor); - - sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor); - assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH,Sets.newHashSet(role1))); - - assertEquals(Sets.newHashSet(role1), sentryStore.getRolesByGroups(SEARCH, twoGroups)); - - sentryStore.alterRoleAddGroups(SEARCH, role2, oneGroup, grantor); - assertEquals(oneGroup, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2))); - - sentryStore.alterRoleDeleteGroups(SEARCH, role1, Sets.newHashSet("g1"), grantor); - assertEquals(Sets.newHashSet("g2"), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1))); - - sentryStore.alterRoleDeleteGroups(SEARCH, role2, oneGroup, grantor); - assertEquals(Sets.newHashSet(), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2))); - } - - @Test - public void testGetRolesByGroupNames() throws Exception { - String role1 = "r1", role2 = "r2"; - Set<String> twoGroups = Sets.newHashSet("g1", "g2"); - String grantor = "grantor"; - - sentryStore.createRole(SEARCH, role1, grantor); - sentryStore.createRole(SEARCH, role2, grantor); - - sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor); - sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor); - - assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, twoGroups)); - } - - @Test - public void testGetGroupsByRoleNames() throws Exception { - String role1 = "r1", role2 = "r2"; - Set<String> twoGroups = Sets.newHashSet("g1", "g2"); - String grantor = "grantor"; - - sentryStore.createRole(SEARCH, role1, grantor); - sentryStore.createRole(SEARCH, role2, grantor); - - sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor); - sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor); - - assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1))); - assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2))); - assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1,role2))); - } - - @Test - public void testGetAllRoles() throws Exception { - String role1 = "r1", role2 = "r2"; - Set<String> twoGroups = Sets.newHashSet("g1", "g2"); - String grantor = "grantor"; - - sentryStore.createRole(SEARCH, role1, grantor); - sentryStore.createRole(SEARCH, role2, grantor); - - sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor); - sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor); - - //test get all roles by groupName=null - String groupName = null; - Set<String> groups = Sets.newHashSet(groupName); - assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, groups)); - - groups.clear(); - assertEquals(0, sentryStore.getRolesByGroups(SEARCH, groups).size()); - } -}
http://git-wip-us.apache.org/repos/asf/sentry/blob/7db84b2f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java deleted file mode 100644 index 246b2be..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java +++ /dev/null @@ -1,1138 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.persistent; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import java.util.Arrays; -import java.util.Collections; -import java.util.List; - -import com.google.common.collect.Lists; -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.BitFieldAction; -import org.apache.sentry.core.common.BitFieldActionFactory; -import org.apache.sentry.core.model.solr.Collection; -import org.apache.sentry.core.model.solr.Field; -import org.apache.sentry.core.model.solr.SolrConstants; -import org.apache.sentry.core.model.sqoop.SqoopActionConstant; -import org.apache.sentry.core.common.exception.SentryGrantDeniedException; -import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder; -import org.apache.sentry.provider.file.PolicyFile; -import org.apache.sentry.service.common.ServiceConstants; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.collect.Sets; - -/** - * The test cases are used for search component The authorizables are COLLECTION and Field - * The actions of search privilege are ALL,QUERY and UPDATE - */ -public class TestPrivilegeOperatePersistence extends SentryStoreIntegrationBase { - private static final String SEARCH = "solr"; - private static final String ADMIN_USER = "solr"; - private static final String GRANT_OPTION_USER = "user_grant_option"; - private static final String[] GRANT_OPTION_GROUP = { "group_grant_option" }; - private static final String NO_GRANT_OPTION_USER = "user_no_grant_option"; - private static final String[] NO_GRANT_OPTION_GROUP = { "group_no_grant_option" }; - - private static final String SERVICE = "service"; - private static final String COLLECTION_NAME = "collection1"; - private static final String NOT_COLLECTION_NAME = "not_collection1"; - private static final String FIELD_NAME = "field1"; - private static final String NOT_FIELD_NAME = "not_field1"; - - @Before - public void configure() throws Exception { - /** - * add the solr user to admin groups - */ - policyFile = new PolicyFile(); - addGroupsToUser(ADMIN_USER, getAdminGroups()); - writePolicyFile(); - } - - /** - * Grant query privilege to role r1 - */ - @Test - public void testGrantPrivilege() throws Exception { - testGrantPrivilege(sentryStore, SEARCH); - } - - @Test - public void testGrantPrivilegeTwice() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - sentryStore.createRole(SEARCH, roleName, grantor); - - PrivilegeObject queryPrivilegeWithOption = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(true) - .build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor); - assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size()); - //grant again - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor); - assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size()); - - PrivilegeObject queryPrivilegeWithNoOption = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(false) - .build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor); - assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size()); - //grant again - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor); - assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size()); - - PrivilegeObject queryPrivilegeWithNullGrant = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(null) - .build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor); - - assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size()); - //grant again - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor); - assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size()); - - } - - /** - * Grant query privilege to role r1 and there is ALL privilege related this - * collection existed - */ - @Test - public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject allPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.ALL) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName, grantor); - /** - * grant all privilege to role r1 - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor); - /** - * check role r1 truly has the privilege been granted - */ - assertEquals(Sets.newHashSet(allPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - - PrivilegeObject queryPrivilege = new Builder(allPrivilege) - .setAction(SolrConstants.QUERY) - .build(); - - /** - * grant query privilege to role r1 - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor); - /** - * all privilege has been existed, the query privilege will not persistent - */ - assertEquals(Sets.newHashSet(allPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - } - - /** - * Grant query privilege to role r1 and there are query and update privileges - * related this collection existed - */ - @Test - public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception { - String roleName1 = "r1"; - String roleName2 = "r2"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - PrivilegeObject updatePrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.createRole(SEARCH, roleName2, grantor); - /** - * grant query and update privilege to role r1 and role r2 - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege,grantor); - assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,grantor); - assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - - PrivilegeObject allPrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.ALL) - .build(); - - /** - * grant all privilege to role r1 - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, allPrivilege, grantor); - - /** - * check the query and update privileges of roleName1 will be removed because of ALl privilege - * granted - */ - assertEquals(Sets.newHashSet(allPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - /** - * check the query and update privileges of roleName2 will not affected and exist - */ - assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - } - - @Test - public void testGrantRevokeCheckWithGrantOption() throws Exception { - - addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP); - addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP); - writePolicyFile(); - - String roleName1 = "r1"; - String roleName2 = "r2"; - String grantor = "g1"; - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.createRole(SEARCH, roleName2, grantor); - /** - * grant query privilege to role r1 with grant option - */ - PrivilegeObject queryPrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(true) - .build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, - ADMIN_USER); - assertEquals(Sets.newHashSet(queryPrivilege1), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - /** - * grant query privilege to role r2 no grant option - */ - PrivilegeObject queryPrivilege2 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(false).build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, - ADMIN_USER); - assertEquals(Sets.newHashSet(queryPrivilege2), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - - sentryStore.alterRoleAddGroups(SEARCH, roleName1, - Sets.newHashSet(GRANT_OPTION_GROUP), grantor); - sentryStore.alterRoleAddGroups(SEARCH, roleName2, - Sets.newHashSet(NO_GRANT_OPTION_GROUP), grantor); - - String roleName3 = "r3"; - sentryStore.createRole(SEARCH, roleName3, grantor); - /** - * the user with grant option grant query privilege to rolr r3 - */ - try{ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege1, - GRANT_OPTION_USER); - } catch (SentryGrantDeniedException e) { - fail("SentryGrantDeniedException shouldn't have been thrown"); - } - - /** - * the user with grant option revoke query privilege to rolr r3 - */ - try{ - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName3, queryPrivilege1, - GRANT_OPTION_USER); - } catch (SentryGrantDeniedException e) { - fail("SentryGrantDeniedException shouldn't have been thrown"); - } - - /** - * the user with no grant option grant query privilege to rolr r3, it will - * throw SentryGrantDeniedException - */ - try { - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2, - NO_GRANT_OPTION_USER); - fail("SentryGrantDeniedException should have been thrown"); - } catch (SentryGrantDeniedException e) { - //ignore the exception - } - - /** - * the user with no grant option revoke query privilege to rolr r3, it will - * throw SentryGrantDeniedException - */ - try { - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2, - NO_GRANT_OPTION_USER); - fail("SentryGrantDeniedException should have been thrown"); - } catch (SentryGrantDeniedException e) { - //ignore the exception - } - } - - @Test - public void testGrantWithGrantOption() throws Exception { - - addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP); - addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP); - writePolicyFile(); - - String roleName1 = "r1"; - String grantor = "g1"; - sentryStore.createRole(SEARCH, roleName1, grantor); - /** - * grant query privilege to role r1 with grant option - */ - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(true) - .build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,ADMIN_USER); - sentryStore.alterRoleAddGroups(SEARCH, roleName1, - Sets.newHashSet(GRANT_OPTION_GROUP), grantor); - - /** - * the user with grant option grant query privilege to rolr r2 - */ - String roleName2 = "r2"; - sentryStore.createRole(SEARCH, roleName2, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER); - - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - - } - - - /** - * Grant query and update privileges to role r1 and revoke query privilege - * there is left update privilege related to role r1 - */ - @Test - public void testRevokePrivilege() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - PrivilegeObject updatePrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - sentryStore.createRole(SEARCH, roleName, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - /** - * revoke query privilege - */ - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, queryPrivilege, grantor); - assertEquals(Sets.newHashSet(updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - } - - /** - * Grant query and update privileges to role r1 and revoke all privilege, - * there is no privilege related to role r1 - */ - @Test - public void testRevokeAllPrivilege() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME))) - .build(); - - PrivilegeObject updatePrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - sentryStore.createRole(SEARCH, roleName, grantor); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - /** - * revoke all privilege - */ - PrivilegeObject allPrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.ALL) - .build(); - - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor); - - assertEquals(Sets.newHashSet(), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - } - - /** - * Grant all privilege to role r1 and revoke query privilege - * there is update privilege related to role r1 - */ - @Test - public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject allPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.ALL) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName, grantor); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor); - - assertEquals(Sets.newHashSet(allPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - /** - * revoke update privilege - */ - PrivilegeObject updatePrivilege = new Builder(allPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - PrivilegeObject queryPrivilege = new Builder(allPrivilege) - .setAction(SolrConstants.QUERY) - .build(); - - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - } - - /** - * Grant update, query and all privilege to role r1 - * Revoke query privilege from role r1 - * there is update privilege related to role r1 - */ - @Test - public void testRevokePrivilegeWithAllPrivilegesGranted() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject allPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.ALL) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - PrivilegeObject updatePrivilege = new Builder(allPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - PrivilegeObject queryPrivilege = new Builder(allPrivilege) - .setAction(SolrConstants.QUERY) - .build(); - - sentryStore.createRole(SEARCH, roleName, grantor); - //grant query to role r1 - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor); - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - - //grant update to role r1 - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor); - assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - /** - * grant all action privilege to role r1, because all action includes query and update action, - * The role r1 only has the action all privilege - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor); - assertEquals(Sets.newHashSet(allPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - /** - * revoke update privilege from role r1, the query privilege has been left - */ - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor); - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - } - - @Test - public void testRevokeParentPrivilegeWithChildsExist() throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject updatePrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.UPDATE) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - PrivilegeObject queryPrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME))) - .build(); - - PrivilegeObject queryPrivilege2 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(NOT_COLLECTION_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege1, grantor); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege2, grantor); - - /** - * revoke all privilege with collection[COLLECTION_NAME=collection1] and its child privileges - */ - PrivilegeObject allPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.ALL) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor); - assertEquals(Sets.newHashSet(queryPrivilege2), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName))); - } - - @Test - public void testRevokeWithGrantOption() throws Exception { - - addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP); - addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP); - writePolicyFile(); - - String roleName1 = "r1"; - String grantor = "g1"; - sentryStore.createRole(SEARCH, roleName1, grantor); - /** - * grant query privilege to role r1 with grant option - */ - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .withGrantOption(true) - .build(); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, - ADMIN_USER); - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - sentryStore.alterRoleAddGroups(SEARCH, roleName1, - Sets.newHashSet(GRANT_OPTION_GROUP), grantor); - - String roleName2 = "r2"; - sentryStore.createRole(SEARCH, roleName2, grantor); - /** - * the user with grant option grant query privilege to rolr r2 - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, - GRANT_OPTION_USER); - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - - /** - * the user with grant option revoke query privilege to rolr r3 - */ - sentryStore.alterRoleRevokePrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER); - assertEquals(Sets.newHashSet(), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - } - - @Test - public void testDropPrivilege() throws Exception{ - String roleName1 = "r1"; - String roleName2 = "r2"; - String grantor = ADMIN_USER; - - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - PrivilegeObject updatePrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - /** - * grant query and update privilege to role r1 and r2 - */ - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor); - - sentryStore.createRole(SEARCH, roleName2, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - /** - * drop query privilege - */ - sentryStore.dropPrivilege(SEARCH, queryPrivilege, grantor); - - assertEquals(Sets.newHashSet(updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - assertEquals(Sets.newHashSet(updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - - /** - * drop ALL privilege - */ - PrivilegeObject allPrivilege = new Builder(queryPrivilege) - .setAction(SolrConstants.ALL) - .build(); - - sentryStore.dropPrivilege(SEARCH, allPrivilege, grantor); - - assertEquals(Sets.newHashSet(), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - assertEquals(Sets.newHashSet(), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - - /** - * grant query and update field scope[collection1,field1] privilege to role r1 - * drop collection scope[collection1] privilege - * there is no privilege - */ - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor); - - PrivilegeObject parentPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.ALL) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - sentryStore.dropPrivilege(SEARCH, parentPrivilege, grantor); - assertEquals(Sets.newHashSet(), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - } - - @Test - public void testRenamePrivilege() throws Exception{ - String roleName1 = "r1"; - String roleName2 = "r2"; - String grantor = ADMIN_USER; - - List<? extends Authorizable> oldAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)); - List<? extends Authorizable> newAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(NOT_FIELD_NAME)); - - PrivilegeObject oldQueryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(oldAuthoriables) - .build(); - - PrivilegeObject oldUpdatePrivilege = new Builder(oldQueryPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - PrivilegeObject oldALLPrivilege = new Builder(oldQueryPrivilege) - .setAction(SolrConstants.ALL) - .build(); - - - PrivilegeObject newQueryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(newAuthoriables) - .build(); - - PrivilegeObject newUpdatePrivilege = new Builder(newQueryPrivilege) - .setAction(SolrConstants.UPDATE) - .build(); - - PrivilegeObject newALLPrivilege = new Builder(newQueryPrivilege) - .setAction(SolrConstants.ALL) - .build(); - - - /** - * grant query and update privilege to role r1 - * grant all privilege to role r2 - */ - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldQueryPrivilege, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldUpdatePrivilege, grantor); - - sentryStore.createRole(SEARCH, roleName2, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, oldALLPrivilege, grantor); - - assertEquals(Sets.newHashSet(oldQueryPrivilege,oldUpdatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - assertEquals(Sets.newHashSet(oldALLPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - /** - * rename old query privilege to new query privilege - */ - sentryStore.renamePrivilege(SEARCH, SERVICE, - oldAuthoriables, - newAuthoriables, - grantor); - - assertEquals(Sets.newHashSet(newQueryPrivilege,newUpdatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - assertEquals(Sets.newHashSet(newALLPrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - /** - * rename collection scope[collection=collection1] privilege to [collection=not_collection1] - * These privileges belong to collection scope[collection=collection1] will change to - * [collection=not_collection1] - */ - - List<? extends Authorizable> newAuthoriables1 = Arrays.asList(new Collection(NOT_COLLECTION_NAME),new Field(NOT_FIELD_NAME)); - - PrivilegeObject newQueryPrivilege1 = new Builder(newQueryPrivilege) - .setAuthorizables(newAuthoriables1) - .build(); - - PrivilegeObject newUpdatePrivilege1 = new Builder(newUpdatePrivilege) - .setAuthorizables(newAuthoriables1) - .build(); - - PrivilegeObject newALLPrivilege1 = new Builder(newALLPrivilege) - .setAuthorizables(newAuthoriables1) - .build(); - - sentryStore.renamePrivilege(SEARCH, SERVICE, - Arrays.asList(new Collection(COLLECTION_NAME)), - Arrays.asList(new Collection(NOT_COLLECTION_NAME)), - grantor); - - assertEquals(Sets.newHashSet(newQueryPrivilege1,newUpdatePrivilege1), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); - - assertEquals(Sets.newHashSet(newALLPrivilege1), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); - } - - @Test - public void testGetPrivilegesByRoleName() throws Exception { - String roleName1 = "r1"; - String roleName2 = "r2"; - String grantor = "g1"; - - PrivilegeObject queryPrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, - ADMIN_USER); - - PrivilegeObject updatePrivilege = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName2, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege, - ADMIN_USER); - - assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege), - sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1,roleName2))); - - } - - @Test - public void testGetPrivilegesByProvider() throws Exception { - String roleName1 = "r1"; - String roleName2 = "r2"; - String roleName3 = "r3"; - String group = "g3"; - String grantor = ADMIN_USER; - - String service1 = "service1"; - - PrivilegeObject queryPrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - PrivilegeObject updatePrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.UPDATE) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - PrivilegeObject queryPrivilege2 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - PrivilegeObject updatePrivilege2 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.UPDATE) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.createRole(SEARCH, roleName2, grantor); - sentryStore.createRole(SEARCH, roleName3, grantor); - - sentryStore.alterRoleAddGroups(SEARCH, roleName3, Sets.newHashSet(group), grantor); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor); - - assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1), - sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1), null, null)); - - assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2), - sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), - null, null)); - - assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2, updatePrivilege2), - sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), - Sets.newHashSet(group), null)); - - List<? extends Authorizable> authorizables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)); - assertEquals(Sets.newHashSet(updatePrivilege1, updatePrivilege2), - sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), - Sets.newHashSet(group), authorizables)); - } - - @Test - public void testGetPrivilegesByAuthorizable() throws Exception { - String roleName1 = "r1"; - String roleName2 = "r2"; - String roleName3 = "r3"; - String grantor = ADMIN_USER; - - String service1 = "service1"; - - PrivilegeObject queryPrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - PrivilegeObject updatePrivilege1 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.UPDATE) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - PrivilegeObject queryPrivilege2 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.QUERY) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) - .build(); - - PrivilegeObject updatePrivilege2 = new Builder() - .setComponent(SEARCH) - .setAction(SolrConstants.UPDATE) - .setService(service1) - .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) - .build(); - - sentryStore.createRole(SEARCH, roleName1, grantor); - sentryStore.createRole(SEARCH, roleName2, grantor); - sentryStore.createRole(SEARCH, roleName3, grantor); - - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor); - sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor); - - assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null, - Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size()); - assertEquals(1, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1), - Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size()); - assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, - Sets.newHashSet(roleName1), null).size()); - assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, - Sets.newHashSet(roleName1,roleName2), null).size()); - assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, - Sets.newHashSet(roleName1,roleName2, roleName3), null).size()); - } - - @Test(expected = Exception.class) - public void testGrantPrivilegeExternalComponentMissingConf() throws Exception { - testGrantPrivilege(sentryStore, "externalComponent"); - } - - @Test(expected = Exception.class) - public void testGrantPrivilegeExternalComponentInvalidConf() throws Exception { - String externalComponent = "mycomponent"; - Configuration confCopy = new Configuration(conf); - confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent), - InvalidActionFactory.class.getName()); - SentryStoreLayer store = new DelegateSentryStore(confCopy); - testGrantPrivilege(store, externalComponent); - } - - @Test - public void testGrantPrivilegeExternalComponent() throws Exception { - String externalComponent = "mycomponent"; - Configuration confCopy = new Configuration(conf); - confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent), - MyComponentActionFactory.class.getName()); - SentryStoreLayer store = new DelegateSentryStore(confCopy); - testGrantPrivilege(store, externalComponent); - } - - @Test - public void testGrantPrivilegeExternalComponentCaseInsensitivity() throws Exception { - String externalComponent = "MyCoMpOnEnT"; - Configuration confCopy = new Configuration(conf); - confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, "mycomponent"), - MyComponentActionFactory.class.getName()); - SentryStoreLayer store = new DelegateSentryStore(confCopy); - testGrantPrivilege(store, externalComponent); - } - - private void testGrantPrivilege(SentryStoreLayer sentryStore, String component) throws Exception { - String roleName = "r1"; - /** - * grantor is admin, there is no need to check grant option - */ - String grantor = ADMIN_USER; - PrivilegeObject queryPrivilege = new Builder() - .setComponent(component) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME))) - .withGrantOption(null) - .build(); - - sentryStore.createRole(component, roleName, grantor); - sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilege, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege), - sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); - - PrivilegeObject queryPrivilegeWithOption = new Builder() - .setComponent(component) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME))) - .withGrantOption(true) - .build(); - - sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithOption, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption), - sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); - - PrivilegeObject queryPrivilegeWithNoOption = new Builder() - .setComponent(component) - .setAction(SolrConstants.QUERY) - .setService(SERVICE) - .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME))) - .withGrantOption(false) - .build(); - - sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithNoOption, grantor); - - assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption, queryPrivilegeWithNoOption), - sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); - } - - public static final class InvalidActionFactory { - - } - - public static final class MyComponentActionFactory extends BitFieldActionFactory { - - public enum MyComponentActionType { - FOO("foo", 1), - BAR("bar", 2), - QUERY(SolrConstants.QUERY, 4), - ALL("*", FOO.getCode() | BAR.getCode() | QUERY.getCode()); - - private String name; - private int code; - MyComponentActionType(String name, int code) { - this.name = name; - this.code = code; - } - - public int getCode() { - return code; - } - - public String getName() { - return name; - } - - static MyComponentActionType getActionByName(String name) { - for (MyComponentActionType action : MyComponentActionType.values()) { - if (action.name.equalsIgnoreCase(name)) { - return action; - } - } - throw new RuntimeException("can't get MyComponentActionType by name:" + name); - } - - static List<MyComponentActionType> getActionByCode(int code) { - List<MyComponentActionType> actions = Lists.newArrayList(); - for (MyComponentActionType action : MyComponentActionType.values()) { - if ((action.code & code) == action.code && action != MyComponentActionType.ALL) { - //MyComponentActionType.ALL action should not return in the list - actions.add(action); - } - } - if (actions.isEmpty()) { - throw new RuntimeException("can't get sqoopActionType by code:" + code); - } - return actions; - } - } - - public static class MyComponentAction extends BitFieldAction { - public MyComponentAction(String name) { - this(MyComponentActionType.getActionByName(name)); - } - public MyComponentAction(MyComponentActionType myComponentActionType) { - super(myComponentActionType.name, myComponentActionType.code); - } - } - - @Override - public List<? extends BitFieldAction> getActionsByCode(int actionCode) { - List<MyComponentAction> actions = Lists.newArrayList(); - for (MyComponentActionType action : MyComponentActionType.getActionByCode(actionCode)) { - actions.add(new MyComponentAction(action)); - } - return actions; - } - - @Override - public BitFieldAction getActionByName(String name) { - // Check the name is All - if (SqoopActionConstant.ALL_NAME.equalsIgnoreCase(name)) { - return new MyComponentAction(MyComponentActionType.ALL); - } - return new MyComponentAction(name); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/7db84b2f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java deleted file mode 100644 index 03abb4e..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java +++ /dev/null @@ -1,207 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.persistent; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.fail; - -import java.util.Arrays; - -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.core.model.solr.Collection; -import org.apache.sentry.core.model.solr.Field; -import org.apache.sentry.core.model.solr.SolrConstants; -import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; -import org.junit.Test; - -public class TestSentryGMPrivilege { - - @Test - public void testValidateAuthorizables() throws Exception { - try { - new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f1")),SolrConstants.QUERY, false); - } catch (IllegalStateException e) { - fail("unexpect happend: it is a validated privilege"); - } - - try { - new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection(""), new Field("f1")),SolrConstants.QUERY, false); - fail("unexpect happend: it is not a validated privilege, The empty name of authorizable can't be empty"); - } catch (IllegalStateException e) { - } - - try { - new MSentryGMPrivilege("solr", - "service1", Arrays.asList(null, new Field("f1")),SolrConstants.QUERY, false); - fail("unexpect happend: it is not a validated privilege, The authorizable can't be null"); - } catch (IllegalStateException e) { - } - } - - @Test - public void testImpliesWithServerScope() throws Exception { - //The persistent privilege is server scope - MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr", - "service1", null,SolrConstants.QUERY, false); - - MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1")), - SolrConstants.QUERY, false); - assertTrue(serverPrivilege.implies(collectionPrivilege)); - - MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f1")), - SolrConstants.QUERY, false); - assertTrue(serverPrivilege.implies(fieldPrivilege)); - assertTrue(collectionPrivilege.implies(fieldPrivilege)); - - serverPrivilege.setAction(SolrConstants.UPDATE); - assertFalse(serverPrivilege.implies(collectionPrivilege)); - assertFalse(serverPrivilege.implies(fieldPrivilege)); - - serverPrivilege.setAction(SolrConstants.ALL); - assertTrue(serverPrivilege.implies(collectionPrivilege)); - assertTrue(serverPrivilege.implies(fieldPrivilege)); - } - /** - * The requested privilege has the different authorizable size with the persistent privilege - * @throws Exception - */ - @Test - public void testImpliesDifferentAuthorizable() throws Exception { - /** - * Test the scope of persistent privilege is the larger than the requested privilege - */ - MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr", - "service1", null, SolrConstants.QUERY, false); - - MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1")), - SolrConstants.QUERY, false); - - MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f1")), - SolrConstants.QUERY, false); - assertTrue(serverPrivilege.implies(collectionPrivilege)); - assertTrue(serverPrivilege.implies(fieldPrivilege)); - assertTrue(collectionPrivilege.implies(fieldPrivilege)); - /** - * Test the scope of persistent privilege is less than the request privilege - */ - assertFalse(fieldPrivilege.implies(collectionPrivilege)); - assertFalse(fieldPrivilege.implies(serverPrivilege)); - assertFalse(collectionPrivilege.implies(serverPrivilege)); - - /** - * Test the scope of persistent privilege is less than the request privilege, - * but the name of left authorizable is ALL - */ - MSentryGMPrivilege fieldAllPrivilege = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)), - SolrConstants.QUERY, false); - - assertTrue(fieldAllPrivilege.implies(collectionPrivilege)); - - /** - * Test the scope of persistent privilege has the same scope as request privilege - */ - MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f1")), - SolrConstants.QUERY, false); - - MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c2"), new Field("f2")), - SolrConstants.QUERY, false); - assertFalse(fieldPrivilege1.implies(fieldPrivilege2)); - } - - /** - * The requested privilege has the same authorizable size as with the persistent privilege - * @throws Exception - */ - @Test - public void testSearchImpliesEqualAuthorizable() throws Exception { - - MSentryGMPrivilege serverPrivilege1 = new MSentryGMPrivilege("solr", - "service1", null,SolrConstants.QUERY, false); - - MSentryGMPrivilege serverPrivilege2 = new MSentryGMPrivilege("solr", - "service2", null,SolrConstants.QUERY, false); - - assertFalse(serverPrivilege1.implies(serverPrivilege2)); - - MSentryGMPrivilege collectionPrivilege1 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1")), - SolrConstants.QUERY, false); - - MSentryGMPrivilege collectionPrivilege2 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c2")), - SolrConstants.QUERY, false); - - assertFalse(collectionPrivilege1.implies(collectionPrivilege2)); - - MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f1")), - SolrConstants.QUERY, false); - - MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f2")), - SolrConstants.QUERY, false); - - assertFalse(fieldPrivilege1.implies(fieldPrivilege2)); - - /** - * The authorizables aren't equal,but the persistent privilege has the ALL name - */ - collectionPrivilege2.setAuthorizables(Arrays.asList(new Collection(AccessConstants.ALL))); - collectionPrivilege2.implies(collectionPrivilege1); - - fieldPrivilege2.setAuthorizables(Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL))); - fieldPrivilege2.implies(fieldPrivilege1); - } - - @Test - public void testSearchImpliesAction() throws Exception { - /** - * action is equal - */ - MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f2")), - SolrConstants.QUERY, false); - - MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr", - "service1", Arrays.asList(new Collection("c1"), new Field("f2")), - SolrConstants.QUERY, false); - - assertTrue(fieldPrivilege1.implies(fieldPrivilege2)); - - /** - * action isn't equal - */ - fieldPrivilege2.setAction(SolrConstants.UPDATE); - assertFalse(fieldPrivilege1.implies(fieldPrivilege2)); - /** - * action isn't equal,but the persistent privilege has the ALL action - */ - fieldPrivilege1.setAction(SolrConstants.ALL); - assertTrue(fieldPrivilege1.implies(fieldPrivilege2)); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/7db84b2f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java deleted file mode 100644 index 65d26c0..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java +++ /dev/null @@ -1,542 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.persistent; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import java.io.File; -import java.util.Arrays; -import java.util.Properties; -import java.util.List; - -import javax.jdo.JDOHelper; -import javax.jdo.PersistenceManager; -import javax.jdo.PersistenceManagerFactory; -import javax.jdo.Query; -import javax.jdo.Transaction; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.model.solr.Collection; -import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; -import org.apache.sentry.provider.db.service.model.MSentryPrivilege; -import org.apache.sentry.provider.db.service.model.MSentryRole; -import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.service.common.ServiceConstants.ServerConfig; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.base.Preconditions; -import com.google.common.io.Files; -/** - * The class tests that the new feature SENTRY-398 generic model adds the new field in the MSentryRole - * will not affect the functionality of the origin hive/impala authorization model - * Some Tests below make sure that privileges are removed from sentry storage the moment they are not associated to any role. - * This avoid the need for PrivCleaner to perform periodic cleanup. - */ -public class TestSentryRole { - private static PersistenceManagerFactory pmf; - private static File dataDir; - - @Before - public void setup() throws Exception { - dataDir = new File(Files.createTempDir(), "sentry_policy_db"); - Properties prop = new Properties(); - prop.setProperty(ServerConfig.JAVAX_JDO_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true"); - prop.setProperty(ServerConfig.JAVAX_JDO_USER, "Sentry"); - prop.setProperty(ServerConfig.JAVAX_JDO_PASS, "Sentry"); - prop.setProperty(ServerConfig.JAVAX_JDO_DRIVER_NAME, "org.apache.derby.jdbc.EmbeddedDriver"); - prop.setProperty("datanucleus.schema.autoCreateAll", "true"); - prop.setProperty("datanucleus.NontransactionalRead", "false"); - prop.setProperty("datanucleus.NontransactionalWrite", "false"); - pmf = JDOHelper.getPersistenceManagerFactory(prop); - } - - @After - public void tearDown() throws Exception { - pmf.close(); - FileUtils.deleteQuietly(dataDir); - } - - @Test - public void grantMixedPrivilegeTest() throws Exception { - String roleName = "r1"; - //hive/impala privilege - MSentryPrivilege hivePrivilege = new MSentryPrivilege(); - hivePrivilege.setServerName("hive.server1"); - hivePrivilege.setDbName("db1"); - hivePrivilege.setTableName("tb1"); - hivePrivilege.setPrivilegeScope("table"); - hivePrivilege.setAction("select"); - hivePrivilege.setGrantOption(true); - //solr privilege - MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); - solrPrivilege.setComponentName("solr"); - solrPrivilege.setServiceName("solr.server1"); - solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); - solrPrivilege.setAction("query"); - solrPrivilege.setGrantOption(true); - - PersistenceManager pm = null; - //create role - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis())); - commitTransaction(pm); - //add hivePrivilege to role - pm = openTransaction(); - MSentryRole role = getMSentryRole(pm, roleName); - hivePrivilege.appendRole(role); - pm.makePersistent(hivePrivilege); - commitTransaction(pm); - //check hivePrivlege and solrPrivilege - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(0, role.getGmPrivileges().size()); - commitTransaction(pm); - //add solrPrivilege to role - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - solrPrivilege.appendRole(role); - pm.makePersistent(solrPrivilege); - commitTransaction(pm); - //check hivePrivlege and solrPrivilege - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(1, role.getGmPrivileges().size()); - commitTransaction(pm); - } - - @Test - public void testWantGrantPrivilegeTwice() throws Exception { - String roleName = "r1"; - //hive/impala privilege - MSentryPrivilege hivePrivilege = new MSentryPrivilege(); - hivePrivilege.setServerName("hive.server1"); - hivePrivilege.setDbName("db1"); - hivePrivilege.setTableName("tb1"); - hivePrivilege.setPrivilegeScope("table"); - hivePrivilege.setAction("select"); - hivePrivilege.setURI(SentryStore.NULL_COL); - hivePrivilege.setColumnName(SentryStore.NULL_COL); - hivePrivilege.setGrantOption(true); - //The same hivePrivilege - MSentryPrivilege hivePrivilege2 = new MSentryPrivilege(hivePrivilege); - //solr privilege - MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); - solrPrivilege.setComponentName("solr"); - solrPrivilege.setServiceName("solr.server1"); - solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); - solrPrivilege.setAction("query"); - solrPrivilege.setGrantOption(true); - //The same solrPrivilege - MSentryGMPrivilege solrPrivilege2 = new MSentryGMPrivilege(solrPrivilege); - - PersistenceManager pm = null; - //create role - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis())); - commitTransaction(pm); - - //grant hivePrivilege and solrPrivilege to role - pm = openTransaction(); - MSentryRole role = getMSentryRole(pm, roleName); - solrPrivilege.appendRole(role); - hivePrivilege.appendRole(role); - pm.makePersistent(solrPrivilege); - pm.makePersistent(hivePrivilege); - commitTransaction(pm); - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(1, role.getGmPrivileges().size()); - commitTransaction(pm); - - //want to grant the same hivePrivilege and solrPrivilege to role again - //hivePrivilege2 is equal to hivePrivilege - //solrPrivilege2 is equal to solrPrivilege - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - if (!role.getGmPrivileges().contains(solrPrivilege2)) { - fail("unexpect happend: the MSentryGMPrivilege:" + solrPrivilege2 + " already be granted"); - } - if (!role.getPrivileges().contains(hivePrivilege2)) { - fail("unexpect happend: the MSentryPrivilege:" + hivePrivilege2 + " already be granted"); - } - commitTransaction(pm); - } - - @Test - public void testMixedRevokePrivilege() throws Exception { - String roleName = "r1"; - //hive/impala privilege - MSentryPrivilege hivePrivilege = new MSentryPrivilege(); - hivePrivilege.setServerName("hive.server1"); - hivePrivilege.setDbName("db1"); - hivePrivilege.setTableName("tb1"); - hivePrivilege.setPrivilegeScope("table"); - hivePrivilege.setAction("select"); - hivePrivilege.setURI(SentryStore.NULL_COL); - hivePrivilege.setColumnName(SentryStore.NULL_COL); - hivePrivilege.setGrantOption(true); - - //solr privilege - MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); - solrPrivilege.setComponentName("solr"); - solrPrivilege.setServiceName("solr.server1"); - solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); - solrPrivilege.setAction("query"); - solrPrivilege.setGrantOption(true); - - PersistenceManager pm = null; - //create role - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis())); - commitTransaction(pm); - - //grant hivePrivilege and solrPrivilege to role - pm = openTransaction(); - MSentryRole role = getMSentryRole(pm, roleName); - hivePrivilege.appendRole(role); - solrPrivilege.appendRole(role); - pm.makePersistent(hivePrivilege); - pm.makePersistent(solrPrivilege); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(1, role.getGmPrivileges().size()); - commitTransaction(pm); - - //revoke solrPrivilege from role - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - solrPrivilege = (MSentryGMPrivilege)role.getGmPrivileges().toArray()[0]; - solrPrivilege.removeRole(role); - pm.makePersistent(solrPrivilege); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(0, role.getGmPrivileges().size()); - commitTransaction(pm); - - //revoke hivePrivilege from role - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - hivePrivilege = (MSentryPrivilege)role.getPrivileges().toArray()[0]; - hivePrivilege.removeRole(role); - pm.makePersistent(hivePrivilege); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(0, role.getPrivileges().size()); - assertEquals(0, role.getGmPrivileges().size()); - commitTransaction(pm); - } - - @Test - public void testDeletePrivilegeAndRole() throws Exception { - String roleName = "r1"; - //hive/impala privilege - MSentryPrivilege hivePrivilege = new MSentryPrivilege(); - hivePrivilege.setServerName("hive.server1"); - hivePrivilege.setDbName("db1"); - hivePrivilege.setTableName("tb1"); - hivePrivilege.setPrivilegeScope("table"); - hivePrivilege.setAction("select"); - hivePrivilege.setURI(SentryStore.NULL_COL); - hivePrivilege.setColumnName(SentryStore.NULL_COL); - hivePrivilege.setGrantOption(true); - - //solr privilege - MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); - solrPrivilege.setComponentName("solr"); - solrPrivilege.setServiceName("solr.server1"); - solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); - solrPrivilege.setAction("query"); - solrPrivilege.setGrantOption(true); - - PersistenceManager pm = null; - //create role - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis())); - commitTransaction(pm); - - //grant hivePrivilege and solrPrivilege to role - pm = openTransaction(); - MSentryRole role = getMSentryRole(pm, roleName); - hivePrivilege.appendRole(role); - solrPrivilege.appendRole(role); - pm.makePersistent(hivePrivilege); - pm.makePersistent(solrPrivilege); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(1, role.getGmPrivileges().size()); - commitTransaction(pm); - - //remove all privileges - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - role.removeGMPrivileges(); - role.removePrivileges(); - pm.makePersistent(role); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(0, role.getPrivileges().size()); - assertEquals(0, role.getGmPrivileges().size()); - commitTransaction(pm); - - //delete role - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.deletePersistent(role); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - assertTrue(role == null); - commitTransaction(pm); - } - - /** - * Removes a role and makes sure that privileges are removed from sentry storage - * moment they are not associated to any role. - * @throws Exception - */ - @Test - public void testDeleteRole() throws Exception { - String roleName = "r1"; - //hive/impala privilege - MSentryPrivilege hivePrivilege = new MSentryPrivilege(); - hivePrivilege.setServerName("hive.server1"); - hivePrivilege.setDbName("db1"); - hivePrivilege.setTableName("tb1"); - hivePrivilege.setPrivilegeScope("table"); - hivePrivilege.setAction("select"); - hivePrivilege.setURI(SentryStore.NULL_COL); - hivePrivilege.setColumnName(SentryStore.NULL_COL); - hivePrivilege.setGrantOption(true); - - //solr privilege - MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); - solrPrivilege.setComponentName("solr"); - solrPrivilege.setServiceName("solr.server1"); - solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); - solrPrivilege.setAction("query"); - solrPrivilege.setGrantOption(true); - - PersistenceManager pm = null; - //create role - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis())); - commitTransaction(pm); - - //grant hivePrivilege and solrPrivilege to role - pm = openTransaction(); - MSentryRole role = getMSentryRole(pm, roleName); - hivePrivilege.appendRole(role); - solrPrivilege.appendRole(role); - pm.makePersistent(hivePrivilege); - pm.makePersistent(solrPrivilege); - pm.makePersistent(role); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - pm.retrieve(role); - assertEquals(1, role.getPrivileges().size()); - assertEquals(1, role.getGmPrivileges().size()); - commitTransaction(pm); - - //delete role - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - - // pm.deletePersistent(role); - role.removePrivileges(); - role.removeGMPrivileges(); - pm.deletePersistent(role); - commitTransaction(pm); - - //check for privileges - //There shouldn't be any privilages - pm = openTransaction(); - Query query = pm.newQuery(MSentryPrivilege.class); - List<MSentryPrivilege> results = (List<MSentryPrivilege>) query.execute(); - assertEquals(1, results.size()); - Query query1 = pm.newQuery(MSentryGMPrivilege.class); - List<MSentryGMPrivilege> results1 = (List<MSentryGMPrivilege>) query1.execute(); - assertEquals(1, results1.size()); - commitTransaction(pm); - - //check - pm = openTransaction(); - role = getMSentryRole(pm, roleName); - assertTrue(role == null); - commitTransaction(pm); - } - - /** - * Removes a role and makes sure that privileges are not removed from sentry storage if - * they are associated to any other role as well. - * @throws Exception - */ - @Test - public void testDeleteRole1() throws Exception { - String roleName1 = "r1"; - String roleName2 = "r2"; - //hive/impala privilege - MSentryPrivilege hivePrivilege = new MSentryPrivilege(); - hivePrivilege.setServerName("hive.server1"); - hivePrivilege.setDbName("db1"); - hivePrivilege.setTableName("tb1"); - hivePrivilege.setPrivilegeScope("table"); - hivePrivilege.setAction("select"); - hivePrivilege.setURI(SentryStore.NULL_COL); - hivePrivilege.setColumnName(SentryStore.NULL_COL); - hivePrivilege.setGrantOption(true); - - //solr privilege - MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); - solrPrivilege.setComponentName("solr"); - solrPrivilege.setServiceName("solr.server1"); - solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); - solrPrivilege.setAction("query"); - solrPrivilege.setGrantOption(true); - - PersistenceManager pm = null; - //create role1 - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName1, System.currentTimeMillis())); - commitTransaction(pm); - - //create role2 - pm = openTransaction(); - pm.makePersistent(new MSentryRole(roleName2, System.currentTimeMillis())); - commitTransaction(pm); - - //grant hivePrivilege and solrPrivilege to role1 and role2 - pm = openTransaction(); - MSentryRole role1 = getMSentryRole(pm, roleName1); - MSentryRole role2 = getMSentryRole(pm, roleName2); - hivePrivilege.appendRole(role1); - solrPrivilege.appendRole(role1); - hivePrivilege.appendRole(role2); - solrPrivilege.appendRole(role2); - pm.makePersistent(hivePrivilege); - pm.makePersistent(solrPrivilege); - pm.makePersistent(role1); - pm.makePersistent(role2); - commitTransaction(pm); - - //check - pm = openTransaction(); - role1 = getMSentryRole(pm, roleName1); - pm.retrieve(role1); - assertEquals(1, role1.getPrivileges().size()); - assertEquals(1, role1.getGmPrivileges().size()); - role2 = getMSentryRole(pm, roleName2); - pm.retrieve(role2); - assertEquals(1, role2.getPrivileges().size()); - assertEquals(1, role2.getGmPrivileges().size()); - commitTransaction(pm); - - //delete role - pm = openTransaction(); - role1 = getMSentryRole(pm, roleName1); - role1.removePrivileges(); - role1.removeGMPrivileges(); - pm.deletePersistent(role1); - commitTransaction(pm); - - //check for privileges - //Privileges should be present - pm = openTransaction(); - Query query = pm.newQuery(MSentryPrivilege.class); - List<MSentryPrivilege> results = (List<MSentryPrivilege>) query.execute(); - assertEquals(1, results.size()); - Query query1 = pm.newQuery(MSentryGMPrivilege.class); - List<MSentryGMPrivilege> results1 = (List<MSentryGMPrivilege>) query1.execute(); - assertEquals(1, results1.size()); - commitTransaction(pm); - - //check - pm = openTransaction(); - role1 = getMSentryRole(pm, roleName1); - assertTrue(role1 == null); - commitTransaction(pm); - } - private PersistenceManager openTransaction() { - PersistenceManager pm = pmf.getPersistenceManager(); - Transaction currentTransaction = pm.currentTransaction(); - currentTransaction.begin(); - return pm; - } - - private void commitTransaction(PersistenceManager pm) { - Transaction currentTransaction = pm.currentTransaction(); - try { - Preconditions.checkState(currentTransaction.isActive(), "Transaction is not active"); - currentTransaction.commit(); - } finally { - pm.close(); - } - } - - private MSentryRole getMSentryRole(PersistenceManager pm, String roleName) { - Query query = pm.newQuery(MSentryRole.class); - query.setFilter("this.roleName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - MSentryRole sentryRole = (MSentryRole) query.execute(roleName); - return sentryRole; - } - - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/7db84b2f/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java deleted file mode 100644 index ca9062b..0000000 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java +++ /dev/null @@ -1,106 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.log.appender; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; -import static org.junit.Assert.assertTrue; - -import java.io.File; - -import org.apache.commons.io.FileUtils; -import org.apache.log4j.Logger; -import org.apache.log4j.PatternLayout; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.io.Files; - -public class TestRollingFileWithoutDeleteAppender { - private Logger sentryLogger = Logger.getRootLogger(); - private File dataDir; - - @Before - public void init() { - dataDir = Files.createTempDir(); - } - - @Test - public void testRollOver() throws Throwable { - if (dataDir == null) { - fail("Excepted temp folder for audit log is created."); - } - RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender( - new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log"); - appender.setMaximumFileSize(100); - sentryLogger.addAppender(appender); - // Write exactly 10 bytes with each log - for (int i = 0; i < 99; i++) { - if (i < 10) { - sentryLogger.debug("Hello---" + i); - } else if (i < 100) { - sentryLogger.debug("Hello--" + i); - } - } - - if (dataDir != null) { - File[] files = dataDir.listFiles(); - if (files != null) { - assertEquals(files.length, 10); - } else { - fail("Excepted 10 log files."); - } - } else { - fail("Excepted 10 log files."); - } - - } - - /*** - * Generate log enough to cause a single rollover. Verify the file name format - * @throws Throwable - */ - @Test - public void testFileNamePattern() throws Throwable { - if (dataDir == null) { - fail("Excepted temp folder for audit log is created."); - } - RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender( - new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log"); - appender.setMaximumFileSize(10); - sentryLogger.addAppender(appender); - sentryLogger.debug("123456789012345"); - File[] files = dataDir.listFiles(); - if (files != null) { - assertEquals(files.length, 2); - assertTrue(files[0].getName().contains("auditLog.log.")); - assertTrue(files[1].getName().contains("auditLog.log.")); - } else { - fail("Excepted 2 log files."); - } - } - - @After - public void destroy() { - if (dataDir != null) { - FileUtils.deleteQuietly(dataDir); - } - } -}
