http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
new file mode 100644
index 0000000..92f3f8b
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.google.common.collect.Lists;
+
+public class TestNotificationHandlerInvoker {
+
+ private Configuration conf;
+ private NotificationHandler handler;
+ private NotificationHandlerInvoker invoker;
+
+ @Before
+ public void setup() throws Exception {
+ conf = new Configuration(false);
+ handler = Mockito.spy(new NotificationHandler(conf) {});
+ invoker = new NotificationHandlerInvoker(conf,
+ Lists.newArrayList(new ThrowingNotificationHandler(conf), handler));
+ }
+
+ @Test
+ public void testCreateSentryRole() throws Exception {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ invoker.create_sentry_role(request, response);
+ Mockito.verify(handler).create_sentry_role(request, response);
+ }
+
+ @Test
+ public void testDropSentryRole() throws Exception {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ invoker.drop_sentry_role(request, response);
+ Mockito.verify(handler).drop_sentry_role(request, response);
+ }
+
+
+
+ @Test
+ public void testAlterSentryRoleAddGroups() throws Exception {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ invoker.alter_sentry_role_add_groups(request, response);
+ Mockito.verify(handler).alter_sentry_role_add_groups(request, response);
+ }
+
+ @Test
+ public void testAlterSentryRoleDeleteGroups() throws Exception {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ invoker.alter_sentry_role_delete_groups(request, response);
+ Mockito.verify(handler).alter_sentry_role_delete_groups(request, response);
+ }
+
+ public static class ThrowingNotificationHandler extends NotificationHandler {
+ public ThrowingNotificationHandler(Configuration config) throws Exception {
+ super(config);
+ }
+ @Override
+ public void create_sentry_role(TCreateSentryRoleRequest request,
+ TCreateSentryRoleResponse response) {
+ throw new RuntimeException();
+ }
+ public void drop_sentry_role(TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response) {
+ throw new RuntimeException();
+ }
+ @Override
+ public void alter_sentry_role_add_groups(
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response) {
+ throw new RuntimeException();
+ }
+ @Override
+ public void alter_sentry_role_delete_groups(
+ TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response) {
+ throw new RuntimeException();
+ }
+ }
+}
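Review bot: `drop_sentry_role` in ThrowingNotificationHandler is the only overriding method without `@Override`, while its three siblings carry it; if the NotificationHandler signature ever drifts, this one silently becomes an overload and testDropSentryRole stops exercising the "first handler throws, second still runs" path the invoker is meant to guarantee. Add `@Override` directly above `public void drop_sentry_role(TDropSentryRoleRequest request,`. The three consecutive blank lines between testDropSentryRole and testAlterSentryRoleAddGroups can be reduced to the single blank line used between the other methods.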
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
new file mode 100644
index 0000000..e845936
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryPolicyServiceClient extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ kerberos = false;
+ }
+
+ @Test
+ public void testConnectionWhenReconnect() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.listAllRoles(requestorUserName);
+ stopSentryService();
+ server = SentryServiceFactory.create(conf);
+ startSentryService();
+ client.listAllRoles(requestorUserName);
+ client.dropRole(requestorUserName, roleName);
+ }
+ });
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
new file mode 100644
index 0000000..efacf19
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
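Review bot: In `setup()` of TestSentryPolicyServiceClient, `kerberos = false` is assigned after `startSentryService()`, whereas TestSentryServerWithoutKerberos and TestSentryServerForPoolWithoutKerberos in this same commit set it before `beforeSetup()`. If `setupConf()` or the service start consults that flag (the base class is not in this hunk, so this is inferred), the first server instance runs under the default, presumably kerberized, configuration and only the restarted one created by `SentryServiceFactory.create(conf)` sees the intended value; for a test whose whole point is that the client survives a restart, the two instances should be configured identically. Move the assignment to the top of the method: `kerberos = false;` before `beforeSetup();`.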
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.junit.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
+import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestSentryPolicyStoreProcessor {
+
+ private Configuration conf;
+
+ @Before
+ public void setup() {
+ conf = new Configuration(false);
+ }
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigNotNotificationHandler() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
+ SentryPolicyStoreProcessor.createHandlers(conf);
+ }
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigCannotCreateNotificationHandler() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+ ExceptionInConstructorNotificationHandler.class.getName());
+ SentryPolicyStoreProcessor.createHandlers(conf);
+ }
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigNotAClassNotificationHandler() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
+ SentryPolicyStoreProcessor.createHandlers(conf);
+ }
+ @Test
+ public void testConfigMultipleNotificationHandlers() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+ NoopNotificationHandler.class.getName() + "," +
+ NoopNotificationHandler.class.getName() + " " +
+ NoopNotificationHandler.class.getName());
+ Assert.assertEquals(3, SentryPolicyStoreProcessor.createHandlers(conf).size());
+ }
+ public static class ExceptionInConstructorNotificationHandler extends NotificationHandler {
+ public ExceptionInConstructorNotificationHandler(Configuration config) throws Exception {
+ super(config);
+ throw new Exception();
+ }
+ }
+ public static class NoopNotificationHandler extends NotificationHandler {
+ public NoopNotificationHandler(Configuration config) throws Exception {
+ super(config);
+ }
+ }
+ @Test(expected=SentryThriftAPIMismatchException.class)
+ public void testSentryThriftAPIMismatch() throws Exception {
+ SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1);
+ }
+ @Test
+ public void testSentryThriftAPIMatchVersion() throws Exception {
+ SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
----------------------------------------------------------------------
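Review bot: `testConfigMultipleNotificationHandlers` joins the three class names with `","` and then with `" "` without saying why two different separators are used, and the hunk does not show how `createHandlers` tokenizes NOTIFICATION_HANDLERS, so the expected count of 3 reads as a magic number. A one-line comment above the `conf.set(...)` call such as `// the handler list may be separated by commas or whitespace; every entry must be instantiated` would record the contract being tested. The test methods and the two nested helper classes run together with no blank line between members, and the helpers sit between tests; grouping ExceptionInConstructorNotificationHandler and NoopNotificationHandler at the bottom of the class would read more easily.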
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
new file mode 100644
index 0000000..7330204
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.junit.BeforeClass;
+
+public class TestSentryServerForPoolWithoutKerberos extends TestSentryServerWithoutKerberos {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = false;
+ pooled = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
----------------------------------------------------------------------
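Review bot: The license header of TestSentryServerForPoolWithoutKerberos reads `Unless createRequired by applicable law`, which looks like a project-wide rename of `required` that leaked into the Apache boilerplate; the same corrupted line appears in TestSentryServerWithoutKerberos in this commit. Restore the standard wording ` * Unless required by applicable law or agreed to in writing, software` in both files so the header matches the other new files here.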
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
new file mode 100644
index 0000000..6290fb7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.*;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+public class TestSentryServerLogLevel extends SentryServiceIntegrationBase {
+ private final String CLASS_NAME = "org.eclipse.jetty.server.handler.ContextHandler";
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ webServerEnabled = true;
+ webSecurity = false;
+ SentryServiceIntegrationBase.setup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ }
+
+ @Override
+ @After
+ public void after() {
+ }
+
+ /**
+ * Get the log level for the specified class
+ * @param className: Name of class
+ * @return
+ * Log level of the class
+ */
+ private String getLogLevel(String className) {
+ Logger logInstance = LogManager.getLogger(className);
+ return logInstance.getEffectiveLevel().toString();
+ }
+
+ /**
+ * Send log level and class name via the HTTP interface and verify that it is set at the loogger.
+ * @throws Exception
+ */
+ @Test
+ public void testSetLogLevel() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log=" +
+ CLASS_NAME + "&level=INFO");
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ String response = IOUtils.toString(conn.getInputStream());
+ Assert.assertTrue(response.contains("INFO"));
+ Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
+ }
+
+ /**
+ * Send class name via the HTTP interface and verify that it is get at the loogger.
+ * @throws Exception
+ */
+ @Test
+ public void testGetLogLevel() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log=" + CLASS_NAME);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ String response = IOUtils.toString(conn.getInputStream());
+ Assert.assertTrue(response.contains("INFO"));
+ Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
+ }
+
+ /**
+ * Send class name and invalid log level via the HTTP interface and verify that it returns error response.
+ * @throws Exception
+ */
+ @Test
+ public void testInvalidLogLevel() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log=" +
+ CLASS_NAME + "&level=ABCD");
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
----------------------------------------------------------------------
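Review bot: `testGetLogLevel` asserts that the effective level of CLASS_NAME is `INFO` without ever setting it, so it only passes when `testSetLogLevel` happened to run first or the default log4j configuration is INFO; JUnit 4 does not run test methods in declaration order, so this is an order-dependent test. Either put the logger into a known state at the start of the test, e.g. `LogManager.getLogger(CLASS_NAME).setLevel(Level.INFO);` (with `org.apache.log4j.Level` imported), or compute the expectation as `String expected = getLogLevel(CLASS_NAME);` and assert the response against that. `IOUtils.toString(conn.getInputStream())` in both tests decodes with the platform default charset; pass an explicit charset, and disconnect the connections the three tests open. `CLASS_NAME` is an instance field with constant naming; `private static final String CLASS_NAME = ...` matches the convention and what the value is.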
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java new file mode 100644 index 0000000..716109f --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java 
@@ -0,0 +1,181 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.api.service.thrift; + +import org.apache.sentry.core.common.utils.PubSub; +import org.apache.sentry.core.common.utils.PubSub.Topic; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; + +import org.junit.*; + +import java.net.HttpURLConnection; +import java.net.URL; + +public class TestSentryServerPubSub extends SentryServiceIntegrationBase { + + private static final Topic[] topics = Topic.values(); + private static final String[] messages = { "message1", "message2", "message3", "" }; + + private static volatile String REQUEST_URL; + + private final TestSubscriber testSubscriber = new TestSubscriber(); + + private static final class TestSubscriber implements PubSub.Subscriber { + private volatile Topic topic; + private volatile String message; + private volatile int count; + @Override + public void onMessage(Topic topic, String message) { + this.topic = topic; + this.message = message; + this.count++; + } + } + + @BeforeClass + public static void setup() throws Exception { + webServerEnabled = true; + webSecurity = false; + SentryServiceIntegrationBase.setup(); + REQUEST_URL= "http://" + SERVER_HOST + 
":" + webServerPort + "/admin/publishMessage?topic=%s&message=%s"; + } + + @Override + @Before + public void before() throws Exception { + + // Subscribe to all defined topics. + // After each successfull HTTP-GET, testSubscriber.onMessage() + // will be called and "topic" and "message" fields will be + // set according to HTTP-GET parameters. + testSubscriber.count = 0; + for (Topic topic : topics) { + PubSub.getInstance().subscribe(topic, testSubscriber); + } + Assert.assertEquals("Unexpected number of registered topics", topics.length, PubSub.getInstance().getTopics().size()); + } + + @Override + @After + public void after() { + // unsubscribe + for (Topic topic : topics) { + PubSub.getInstance().unsubscribe(topic, testSubscriber); + } + testSubscriber.count = 0; + Assert.assertTrue("Topics should have been removed after unsubscribe()", PubSub.getInstance().getTopics().isEmpty()); + } + + /** + * Successfully publish notifications + * @throws Exception + */ + @Test + public void testPubSub() throws Exception { + int count = 0; + for (Topic topic : topics) { + for (String message : messages) { + URL url = new URL(String.format(REQUEST_URL, topic.getName(), message)); + HttpURLConnection conn = null; + try { + conn = (HttpURLConnection) url.openConnection(); + Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_OK, conn.getResponseCode()); + } finally { + safeClose(conn); + } + Assert.assertEquals("Unexpected topic", topic, testSubscriber.topic); + if (message.isEmpty()) { + Assert.assertEquals("Unexpected message", null, testSubscriber.message); + } else { + Assert.assertEquals("Unexpected message", message, testSubscriber.message); + } + Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", ++count, testSubscriber.count); + } + } + } + + /** + * Submit empty topic. It's ok, generates form page. 
+ * @throws Exception + */ + @Test + public void testPubSubEmptyTopic() throws Exception { + URL url = new URL(String.format(REQUEST_URL, "", "message")); + HttpURLConnection conn = null; + try { + conn = (HttpURLConnection) url.openConnection(); + Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_OK, conn.getResponseCode()); + } finally { + safeClose(conn); + } + Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", 0, testSubscriber.count); + } + + /** + * Submit invalid topic + * @throws Exception + */ + @Test + public void testPubSubInvalidTopic() throws Exception { + String[] invalid_topics = { "invalid_topic_1", "invalid_topic_2", "invalid_topic_3" }; + for (String topic : invalid_topics) { + URL url = new URL(String.format(REQUEST_URL, topic, "message")); + HttpURLConnection conn = null; + try { + conn = (HttpURLConnection) url.openConnection(); + Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode()); + } finally { + safeClose(conn); + } + Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", 0, testSubscriber.count); + } + } + + /** + * Submit topic that has no subscribers. + * @throws Exception + */ + @Test + public void testPubSubNonSubscribedTopic() throws Exception { + // At this point all valid Topic values have been subscribed to + // in before() method. + // Unsubscribe from one topic and then try publishing to it. 
+ PubSub.getInstance().unsubscribe(Topic.HDFS_SYNC_HMS, testSubscriber); + Assert.assertEquals("Unexpected number of registered topics", topics.length-1, PubSub.getInstance().getTopics().size()); + + URL url = new URL(String.format(REQUEST_URL, Topic.HDFS_SYNC_HMS.getName(), "message")); + HttpURLConnection conn = null; + try { + conn = (HttpURLConnection) url.openConnection(); + Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode()); + } finally { + safeClose(conn); + } + // re-subscribe, not to upset after() method which expects all topics to be subscribed to + PubSub.getInstance().subscribe(Topic.HDFS_SYNC_HMS, testSubscriber); + } + + private static void safeClose(HttpURLConnection conn) { + if (conn != null) { + try { + conn.disconnect(); + } catch (Exception ignore) { + } + } + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java new file mode 100644 index 0000000..3deadab --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java 
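Review bot: `testPubSubNonSubscribedTopic` re-subscribes to `Topic.HDFS_SYNC_HMS` only on the success path, so if either assertion in between fails, `after()` then fails on its "Topics should have been removed" check and the reported failure is the secondary one rather than the real cause. Wrap the span from the unsubscribe call to the response-code assertion in `try { ... } finally { PubSub.getInstance().subscribe(Topic.HDFS_SYNC_HMS, testSubscriber); }` so the re-subscribe runs unconditionally. `safeClose` catches `Exception` around `conn.disconnect()`, which declares no checked exception; a plain `if (conn != null) { conn.disconnect(); }` keeps the same effect without masking a runtime error. The message values are interpolated into REQUEST_URL unencoded, which is fine for the constants here, so a short comment on the `messages` array such as `// values are placed into the query string verbatim; keep them URL-safe` would protect the next person who adds one containing a space or `&`.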
@@ -0,0 +1,214 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless createRequired by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.api.service.thrift; +import static org.junit.Assert.assertEquals; + +import java.util.ArrayList; +import java.util.HashSet; +import java.util.Set; + +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Lists; +import com.google.common.collect.Sets; + +public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase { + + @BeforeClass + public static void setup() throws Exception { + kerberos = false; + beforeSetup(); + setupConf(); + startSentryService(); + afterSetup(); + } + + @Test + public void testCreateRole() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, 
requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r"; + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + client.dropRole(requestorUserName, roleName); + } + + @Test + public void testQueryPushDown() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + String group1 = "g1"; + String group2 = "g2"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + client.grantRoleToGroup(requestorUserName, group1, roleName1); + + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); + + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + client.grantRoleToGroup(requestorUserName, group1, roleName2); + client.grantRoleToGroup(requestorUserName, group2, roleName2); + + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL"); + + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, 
null); + assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, new ArrayList<Authorizable>()); + assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"))); + assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1"))); + assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1"))); + assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3"))); + assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size()); + + Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2")); + assertEquals("Privilege not correctly assigned to roles !!", + Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"), + listPrivilegesForProvider); + + listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3")); + assertEquals("Privilege not correctly assigned to roles !!", 
Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider); + + listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3")); + assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider); + + listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1")); + assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider); + } + + + + /** + * Create role, add privileges and grant it to a group drop the role and + * verify the privileges are no longer visible recreate the role with same + * name and verify the privileges again. + * @throws Exception + */ + @Test + public void testDropRole() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r"; + + // create role and add privileges + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName); + client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); + client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL"); + assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null, + ActiveRoleSet.ALL).size()); + + // drop role and verify privileges + client.dropRole(requestorUserName, roleName); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null, + ActiveRoleSet.ALL).size()); + + // recreate the role + 
client.createRole(requestorUserName, roleName); + client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null, + ActiveRoleSet.ALL).size()); + + // grant different privileges and verify + client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); + assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null, + ActiveRoleSet.ALL).size()); + client.dropRole(requestorUserName, roleName); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null, + ActiveRoleSet.ALL).size()); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null, + ActiveRoleSet.ALL).size()); + } + + @Test + public void testDropRoleOnUser() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + Set<String> requestorUserNames = Sets.newHashSet(ADMIN_USER); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r"; + + // create role and add privileges + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + client.grantRoleToUser(requestorUserName, ADMIN_USER, roleName); + client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); + client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL"); + assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames, + ActiveRoleSet.ALL).size()); + + // drop role and verify privileges + client.dropRole(requestorUserName, roleName); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames, + ActiveRoleSet.ALL).size()); + + // recreate the role + client.createRole(requestorUserName, roleName); + client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, 
roleName); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames, + ActiveRoleSet.ALL).size()); + + // grant different privileges and verify + client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); + assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames, + ActiveRoleSet.ALL).size()); + client.dropRole(requestorUserName, roleName); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames, + ActiveRoleSet.ALL).size()); + assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames, + ActiveRoleSet.ALL).size()); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java new file mode 100644 index 0000000..6c88955 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java 
@@ -0,0 +1,111 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.api.service.thrift; + +import static org.junit.Assert.assertTrue; + +import java.security.PrivilegedExceptionAction; +import java.util.ArrayList; +import java.util.List; +import java.util.Set; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; +import java.util.concurrent.FutureTask; + +import org.apache.sentry.core.common.exception.SentryUserException; +import org.apache.sentry.service.thrift.SentryServiceFactory; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; +import org.junit.Test; + +import com.google.common.collect.Sets; + +public class TestSentryServiceClientPool extends SentryServiceIntegrationBase { + + @Test + public void testConnectionWhenReconnect() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_r"; + setLocalGroupMapping(requestorUserName, 
requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + client.listAllRoles(requestorUserName); + stopSentryService(); + server = SentryServiceFactory.create(conf); + startSentryService(); + client.listAllRoles(requestorUserName); + client.dropRole(requestorUserName, roleName); + } + }); + } + + @Test + public void testConnectionWithMultipleRetries() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + List<Future<Boolean>> tasks = new ArrayList<Future<Boolean>>(); + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_r"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + + ExecutorService executorService = Executors.newFixedThreadPool(20); + + Callable<Boolean> func = new Callable<Boolean>() { + public Boolean call() throws Exception { + return clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() { + @Override + public Boolean run() throws Exception { + try { + client.listAllRoles(ADMIN_USER); + return true; + } catch (SentryUserException sue) { + return false; + } + } + }); + } + }; + + for (int i = 0; i < 30; i++) { + FutureTask<Boolean> task = new FutureTask<Boolean>(func); + tasks.add(task); + executorService.submit(task); + } + + for (Future<Boolean> task : tasks) { + Boolean result = task.get(); + assertTrue("Some tasks are failed.", result); + } + } + }); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java ---------------------------------------------------------------------- 
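Review bot: `testConnectionWithMultipleRetries` creates `Executors.newFixedThreadPool(20)` and never shuts it down, so its non-daemon worker threads outlive the test; wrap the submit/get loops in `try { … } finally { executorService.shutdownNow(); }`. The `call()` body also swallows `SentryUserException` into a `false` result, so when `assertTrue("Some tasks are failed.", result)` fires the real failure reason is gone — either log the exception before returning `false` or let it propagate so `task.get()` surfaces it as the cause of an `ExecutionException`. `task.get()` has no timeout, so a hung pooled connection makes the test hang instead of fail; `task.get(30, TimeUnit.SECONDS)` would bound it (java.util.concurrent.TimeUnit is not imported yet). The anonymous `call()` is also missing `@Override`.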
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
new file mode 100644
index 0000000..fa67f27
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Strings;
+
+public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
+ private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+ private static final String PEER_CALLBACK_FAILURE = "Peer indicated failure: Problem with callback handler";
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = true;
+ beforeSetup();
+ setupConf();
+ conf.set(ServerConfig.ALLOW_CONNECT, "");
+ startSentryService();
+ afterSetup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ }
+
+ @Override
+ @After
+ public void after() {
+ }
+
+ @Test
+ public void testClientServerConnectionFailure() throws Exception {
+ try {
+ connectToSentryService();
+ String requestorUserName = ADMIN_USER;
+ client.listAllRoles(requestorUserName);
+ Assert.fail("Failed to receive Exception");
+ } catch(Exception e) {
+ LOGGER.info("Excepted exception", e);
+ Throwable cause = e.getCause();
+ if (cause == null) {
+ throw e;
+ }
+ String msg = "Exception message: " + cause.getMessage();
+ Assert.assertTrue(msg, Strings.nullToEmpty(cause.getMessage())
+ .contains(PEER_CALLBACK_FAILURE));
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
new file mode 100644
index 0000000..aa156f2
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
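Review bot: `testClientServerConnectionFailure` inspects only one level of cause (`e.getCause()`) and rethrows when it is null, so a rejected connection whose transport failure is nested deeper, or raised directly without a cause, fails the test as an unexpected exception instead of being recognized; walking the chain with `for (Throwable t = e; t != null; t = t.getCause())` and checking each message against `PEER_CALLBACK_FAILURE` would make the assertion robust. The assertion also pins the test to an exact transport-layer message string, which is brittle; a comment in `setup()` such as `// ALLOW_CONNECT is empty, so the server's callback handler must reject every client` would at least record why that particular string is expected. The log message `"Excepted exception"` should read `"Expected exception"`.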
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.junit.BeforeClass;
+
+public class TestSentryServiceForPoolWithKerberos extends TestSentryServiceWithKerberos {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = true;
+ pooled = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
new file mode 100644
index 0000000..cf1fdab
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
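Review bot: The license header of this new file is corrupted: the line `Unless createRequired by applicable law or agreed to in writing, software` should read `Unless required by applicable law or agreed to in writing, software` as in the other files of this commit; it looks like a stray search-and-replace and should be reverted. Because `setup()` is a static `@BeforeClass` method it hides rather than overrides the parent's, so whether the `TestSentryServiceWithKerberos` setup also runs depends on JUnit's treatment of hidden static methods; a one-line comment such as `// Re-runs the full Kerberos setup with the pooled client enabled` would record the intent. The file also ends without a trailing newline.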
@@ -0,0 +1,751 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.api.service.thrift; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.util.Map; +import java.util.Set; + +import org.apache.sentry.core.common.utils.SentryConstants; +import org.apache.sentry.core.common.utils.PolicyFileConstants; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Maps; +import com.google.common.collect.Sets; + +public class TestSentryServiceImportExport extends SentryServiceIntegrationBase { + + // define the privileges + public static String PRIVILIEGE1 = "server=server1"; + public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false"; + public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true"; + public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert"; + public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert"; + public static String 
PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true"; + public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true"; + public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert"; + public static String PRIVILIEGE9 = "server=server1->db=db2->table=tbl1->action=insert"; + + @BeforeClass + public static void setup() throws Exception { + kerberos = false; + setupConf(); + startSentryService(); + } + + @Before + public void preparePolicyFile() throws Exception { + super.before(); + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + } + + // Befor import, database is empty. + // The following information is imported: + // group1=role1,role2,role3 + // group2=role1,role2,role3 + // group3=role1,role2,role3 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importPolicy and export API exportPoicy are tested. 
+ @Test + public void testImportExportPolicy1() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + Set<String> roles = Sets.newHashSet("role1", "role2", "role3"); + groupRolesMap.put("group1", roles); + groupRolesMap.put("group2", roles); + groupRolesMap.put("group3", roles); + Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap(); + for (String roleName : roles) { + rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, + PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + } + policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap); + policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap); + client.importPolicy(policyFileMappingData, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null); + validateSentryMappingData(sentryMappingData, + policyFileMappingData); + } + }); + } + + // call import twice, and there has no duplicate data: + // The data for 1st import: + // group1=role1 + // role1=privilege1,privilege2,privilege3,privilege4 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege5,privilege6,privilege7,privilege8 + // role3=privilege5,privilege6,privilege7,privilege8 + // Both import API importPolicy and export API exportPoicy are tested. 
+ @Test + public void testImportExportPolicy2() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", + Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + rolePrivilegesMap2.put("role3", + Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + // for exceptedMappingData, combine policyFileMappingData1 and policyFileMappingData2 + exceptedMappingData.put(PolicyFileConstants.GROUPS, + policyFileMappingData1.get(PolicyFileConstants.GROUPS)); + exceptedMappingData.get(PolicyFileConstants.GROUPS).putAll( + policyFileMappingData2.get(PolicyFileConstants.GROUPS)); + 
exceptedMappingData.put(PolicyFileConstants.ROLES, + policyFileMappingData1.get(PolicyFileConstants.ROLES)); + exceptedMappingData.get(PolicyFileConstants.ROLES).putAll( + policyFileMappingData2.get(PolicyFileConstants.ROLES)); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // Call import twice, and there has overlapping groups + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importPolicy and export API exportPoicy are tested. 
+ @Test + public void testImportExportPolicy3() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + rolePrivilegesMap1.put("role2", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + rolePrivilegesMap2.put("role3", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + 
Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap(); + exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap(); + exceptedPrivilegesMap.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, + PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + exceptedPrivilegesMap.put("role3", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap); + exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // Only mapping data for [group,role] is imported: + // group1=role1,role2 + @Test + public void testImportExportPolicy4() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + Set<String> roles = Sets.newHashSet("role1", "role2"); + groupRolesMap.put("group1", roles); + Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap(); + policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap); + policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap); + client.importPolicy(policyFileMappingData, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null); + 
validateSentryMappingData(sentryMappingData, + policyFileMappingData); + } + }); + } + + // call import twice, and there has no duplicate data, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1 + // role1=privilege1 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege2 + // role3=privilege2 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy5() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", Sets.newHashSet(PRIVILIEGE1)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", Sets.newHashSet(PRIVILIEGE2)); + rolePrivilegesMap2.put("role3", Sets.newHashSet(PRIVILIEGE2)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> exceptedMappingData = 
Maps.newHashMap(); + Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap(); + exceptedRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedRolesMap.put("group2", Sets.newHashSet("role2", "role3")); + exceptedRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap(); + exceptedPrivilegesMap.put("role1", Sets.newHashSet(PRIVILIEGE1)); + exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE2)); + exceptedPrivilegesMap.put("role3", Sets.newHashSet(PRIVILIEGE2)); + exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap); + exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // call import twice, and there has data overlap, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. 
+ @Test
+ public void testImportExportPolicy6() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role2",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ rolePrivilegesMap2.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+ exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+ exceptedPrivilegesMap.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ exceptedPrivilegesMap.put("role2",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ exceptedPrivilegesMap.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+ exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // test the import privileges with the action: All, *, select, insert
+ // All and * should replace the select and insert
+ // The data for import:
+ // group1=role1, role2
+ // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
+ // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
+ @Test
+ public void testImportExportPolicy7() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
+ String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=false";
+ String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
+ String testPrivilege4 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
+ String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
+ String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=false";
+ String testPrivilege7 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
+ String testPrivilege8 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+ exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+ exceptedPrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
+ exceptedPrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
+ exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+ exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // Call import twice, and there has overlapping actions, all and * should replace the select and
+ // insert
+ // The data for 1st import:
+ // group1=role1, role2
+ // role1=privilege1(with select action),privilege2(with insert action)
+ // role2=privilege4(with select action),privilege5(with insert action)
+ // The data for 2nd import:
+ // group1=role1, role2
+ // role1=privilege3(with all action)
+ // role2=privilege6(with * action)
+ @Test
+ public void testImportExportPolicy8() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
+ String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
+ String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
+ String testPrivilege4 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
+ String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
+ String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1", Sets.newHashSet(testPrivilege1, testPrivilege2));
+ rolePrivilegesMap1.put("role2", Sets.newHashSet(testPrivilege4, testPrivilege5));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role1", Sets.newHashSet(testPrivilege3));
+ rolePrivilegesMap2.put("role2", Sets.newHashSet(testPrivilege6));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2;
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+ // all and * should replace the select and insert
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // test the user not in the admin group can't do the import/export
+ @Test
+ public void testImportExportPolicy9() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ try {
+ client.importPolicy(policyFileMappingData1, "no-admin-user", false);
+ fail("non-admin can't do the import.");
+ } catch (Exception e) {
+ // excepted exception
+ }
+
+ try {
+ client.exportPolicy("no-admin-user", null);
+ fail("non-admin can't do the export.");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ }
+ });
+ }
+
+ // The following data is imported:
+ // group1=role1
+ // group2=role1,role2
+ // group3=role2,role3
+ // group4=role1,role2,role3
+ // role1=privilege3,privilege4,privilege9
+ // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+ @Test
+ public void testExportPolicyWithSpecificObject() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // import the test data
+ Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ groupRolesMap.put("group1", Sets.newHashSet("role1"));
+ groupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ groupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ groupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5,
+ PRIVILIEGE6, PRIVILIEGE7));
+ rolePrivilegesMap1.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6,
+ PRIVILIEGE7, PRIVILIEGE8));
+ policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData, ADMIN_USER, true);
+
+ // verify the rolePrivilegesMap and groupRolesMap with null objectPath
+ Map<String, Map<String, Set<String>>> expectedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(
+ PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap with empty objectPath
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(
+ PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(ADMIN_USER, "");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db2
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db2");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl1");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl2
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group2", Sets.newHashSet("role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE5));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE5));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl2");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(ADMIN_USER, "table=tbl1");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the invalid exportObject string
+ try {
+ client.exportPolicy(ADMIN_USER, "invalidString");
+ fail("RuntimeException should be thrown.");
+ } catch (RuntimeException sue) {
+ // excepted exception
+ }
+ }
+ });
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // group2=role1,role2,role3
+ // user1=role1,role2,role3
+ // user2=role1,role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // role2=privilege1,privilege2,privilege3,privilege4
+ // role3=privilege1,privilege2,privilege3,privilege4
+ @Test
+ public void testImportExportPolicyWithUser() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ Map<String, Set<String>> userRolesMap = Maps.newHashMap();
+ Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
+ groupRolesMap.put("group1", roles);
+ groupRolesMap.put("group2", roles);
+ userRolesMap.put("user1", roles);
+ userRolesMap.put("user2", roles);
+ Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+ for (String roleName : roles) {
+ rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1,
+ PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
+ }
+ policyFileMappingData.put(PolicyFileConstants.USER_ROLES, userRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+ client.importPolicy(policyFileMappingData, ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData =
+ client.exportPolicy(ADMIN_USER, null);
+ // validate the [user, role] mapping
+ validateRolesMap(sentryMappingData.get(PolicyFileConstants.USER_ROLES),
+ policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
+ validateSentryMappingData(sentryMappingData,
+ policyFileMappingData);
+ }
+ });
+ }
+
+ // verify the mapping data
+ public void validateSentryMappingData(
+ Map<String, Map<String, Set<String>>> actualMappingData,
+ Map<String, Map<String, Set<String>>> expectedMappingData) {
+ validateRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS),
+ expectedMappingData.get(PolicyFileConstants.GROUPS));
+ validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES),
+ expectedMappingData.get(PolicyFileConstants.ROLES));
+ }
+
+ // verify the mapping data for [group,role] and [user,role]
+ private void validateRolesMap(Map<String, Set<String>> actualMap,
+ Map<String, Set<String>> expectedMap) {
+ assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
+ for (String name : actualMap.keySet()) {
+ Set<String> actualRoles = actualMap.get(name);
+ Set<String> expectedRoles = expectedMap.get(name);
+ assertEquals(actualRoles.size(), expectedRoles.size());
+ assertTrue(actualRoles.equals(expectedRoles));
+ }
+ }
+
+ // verify the mapping data for [role,privilege]
+ private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap,
+ Map<String, Set<String>> expectedMap) {
+ assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
+ for (String roleName : actualMap.keySet()) {
+ Set<String> actualPrivileges = actualMap.get(roleName);
+ Set<String> exceptedPrivileges = expectedMap.get(roleName);
+ assertEquals(exceptedPrivileges.size(), actualPrivileges.size());
+ for (String actualPrivilege : actualPrivileges) {
+ boolean isFound = exceptedPrivileges.contains(actualPrivilege);
+ if (!isFound) {
+ String withOptionPrivilege = SentryConstants.AUTHORIZABLE_JOINER.join(actualPrivilege,
+ SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME,
+ "false"));
+ isFound = exceptedPrivileges.contains(withOptionPrivilege);
+ }
+ assertTrue(isFound);
+ }
+ }
+ }
+}
