http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java deleted file mode 100644 index 4c1cd8e..0000000 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java +++ /dev/null @@ -1,662 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.tests.e2e.hive; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; - -import java.io.File; -import java.io.FileOutputStream; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; - -import org.junit.Assert; - -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -import com.google.common.io.Resources; - -/* Tests privileges at table scope within a single database. - */ - -public class TestPrivilegesAtTableScope extends AbstractTestWithStaticConfiguration { - - private static PolicyFile policyFile; - private final static String MULTI_TYPE_DATA_FILE_NAME = "emp.dat"; - - @Before - public void setup() throws Exception { - policyFile = super.setupPolicy(); - super.setup(); - prepareDBDataForTest(); - } - - @BeforeClass - public static void setupTestStaticConfiguration() throws Exception { - AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); - } - - protected static void prepareDBDataForTest() throws Exception { - // copy data file to test dir - File dataDir = context.getDataDir(); - File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME); - FileOutputStream to = new FileOutputStream(dataFile); - Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to); - to.close(); - - // setup db objects needed by the test - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - - statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE"); - statement.execute("CREATE DATABASE DB_1"); - statement.execute("USE DB_1"); - - statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) " - + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + TBL1); - statement.execute("CREATE TABLE " + TBL2 + "(B INT, A STRING) " - + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + TBL2); - statement.execute("CREATE VIEW VIEW_1 AS SELECT A, B FROM " + TBL1); - - statement.close(); - connection.close(); - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, loads data into - * TBL1, TBL2 Admin grants SELECT on TBL1, TBL2, INSERT on TBL1 to - * USER_GROUP of which user1 is a member. - */ - @Test - public void testInsertAndSelect() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab1", "select_tab2") - .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select") - .addPermissionsToRole("insert_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=insert") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE DB_1"); - // test user can insert - statement.execute("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2); - // test user can query table - statement.executeQuery("SELECT A FROM " + TBL2); - // negative test: test user can't drop - try { - statement.execute("DROP TABLE " + TBL1); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - statement.close(); - connection.close(); - - // connect as admin and drop TBL1 - connection = context.createConnection(ADMIN1); - statement = context.createStatement(connection); - statement.execute("USE DB_1"); - statement.execute("DROP TABLE " + TBL1); - statement.close(); - connection.close(); - - // negative test: connect as user1 and try to recreate TBL1 - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE DB_1"); - try { - statement.execute("CREATE TABLE " + TBL1 + "(A STRING)"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - statement.close(); - connection.close(); - - // connect as admin to restore the TBL1 - connection = context.createConnection(ADMIN1); - statement = context.createStatement(connection); - statement.execute("USE DB_1"); - statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) " - + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2); - statement.close(); - connection.close(); - - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, loads data into - * TBL1, TBL2. Admin grants INSERT on TBL1, SELECT on TBL2 to USER_GROUP - * of which user1 is a member. - */ - @Test - public void testInsert() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "insert_tab1", "select_tab2") - .addPermissionsToRole("insert_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=insert") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // test user can execute insert on table - statement.execute("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2); - - // negative test: user can't query table - try { - statement.executeQuery("SELECT A FROM " + TBL1); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - // negative test: test user can't query view - try { - statement.executeQuery("SELECT A FROM VIEW_1"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - // negative test case: show tables shouldn't list VIEW_1 - ResultSet resultSet = statement.executeQuery("SHOW TABLES"); - while (resultSet.next()) { - String tableName = resultSet.getString(1); - assertNotNull("table name is null in result set", tableName); - assertFalse("Found VIEW_1 in the result set", - "VIEW_1".equalsIgnoreCase(tableName)); - } - - // negative test: test user can't create a new view - try { - statement.executeQuery("CREATE VIEW VIEW_2(A) AS SELECT A FROM " + TBL1); - Assert.fail("Expected SQL Exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - statement.close(); - connection.close(); - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, loads data into - * TBL1, TBL2. Admin grants SELECT on TBL1, TBL2 to USER_GROUP of which - * user1 is a member. - */ - @Test - public void testSelect() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "select_tab1", "select_tab2") - .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select") - .addPermissionsToRole("insert_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=insert") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // test user can execute query on table - statement.executeQuery("SELECT A FROM " + TBL1); - - // negative test: test insert into table - try { - statement.executeQuery("INSERT INTO TABLE " + TBL1 + " SELECT A, B FROM " + TBL2); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - // negative test: test user can't query view - try { - statement.executeQuery("SELECT A FROM VIEW_1"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - // negative test: test user can't create a new view - try { - statement.executeQuery("CREATE VIEW VIEW_2(A) AS SELECT A FROM " + TBL1); - Assert.fail("Expected SQL Exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - statement.close(); - connection.close(); - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1 - * loads data into TBL1, TBL2. Admin grants SELECT on TBL1,TBL2 to - * USER_GROUP of which user1 is a member. - */ - @Test - public void testTableViewJoin() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "select_tab1", "select_tab2") - .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // test user can execute query TBL1 JOIN TBL2 - statement.executeQuery("SELECT T1.B FROM " + TBL1 + " T1 JOIN " + TBL2 + " T2 ON (T1.B = T2.B)"); - - // negative test: test user can't execute query VIEW_1 JOIN TBL2 - try { - statement.executeQuery("SELECT V1.B FROM VIEW_1 V1 JOIN " + TBL2 + " T2 ON (V1.B = T2.B)"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - statement.close(); - connection.close(); - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1 - * loads data into TBL1, TBL2. Admin grants SELECT on TBL2 to USER_GROUP of - * which user1 is a member. - */ - @Test - public void testTableViewJoin2() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "select_tab2") - .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // test user can execute query on TBL2 - statement.executeQuery("SELECT A FROM " + TBL2); - - // negative test: test user can't execute query VIEW_1 JOIN TBL2 - try { - statement.executeQuery("SELECT VIEW_1.B FROM VIEW_1 JOIN " + TBL2 + " ON (VIEW_1.B = " + TBL2 + ".B)"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - // negative test: test user can't execute query TBL1 JOIN TBL2 - try { - statement.executeQuery("SELECT " + TBL1 + ".B FROM " + TBL1 + " JOIN " + TBL2 + " ON (" + TBL1 + ".B = " + TBL2 + ".B)"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - statement.close(); - connection.close(); - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1 - * loads data into TBL1, TBL2. Admin grants SELECT on TBL2, VIEW_1 to - * USER_GROUP of which user1 is a member. - */ - @Test - public void testTableViewJoin3() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "select_tab2", "select_view1") - .addPermissionsToRole("select_view1", "server=server1->db=DB_1->table=VIEW_1->action=select") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL2 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // test user can execute query on TBL2 - statement.executeQuery("SELECT A FROM " + TBL2); - - // test user can execute query VIEW_1 JOIN TBL2 - statement.executeQuery("SELECT V1.B FROM VIEW_1 V1 JOIN " + TBL2 + " T2 ON (V1.B = T2.B)"); - - // test user can execute query on VIEW_1 - statement.executeQuery("SELECT A FROM VIEW_1"); - - // negative test: test user can't execute query TBL1 JOIN TBL2 - try { - statement.executeQuery("SELECT T1.B FROM " + TBL1 + " T1 JOIN " + TBL2 + " T2 ON (T1.B = T2.B)"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - statement.close(); - connection.close(); - } - - /* - * Admin creates database DB_1, table TBL1, TBL2 in DB_1, VIEW_1 on TBL1 - * loads data into TBL1, TBL2. Admin grants SELECT on TBL1, VIEW_1 to - * USER_GROUP of which user1 is a member. - */ - @Test - public void testTableViewJoin4() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "select_tab1", "select_view1") - .addPermissionsToRole("select_view1", "server=server1->db=DB_1->table=VIEW_1->action=select") - .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // test execution - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - - // test user can execute query VIEW_1 JOIN TBL1 - statement.executeQuery("SELECT VIEW_1.B FROM VIEW_1 JOIN " + TBL1 + " ON (VIEW_1.B = " + TBL1 + ".B)"); - - // negative test: test user can't execute query TBL1 JOIN TBL2 - try { - statement.executeQuery("SELECT " + TBL1 + ".B FROM " + TBL1 + " JOIN " + TBL2 + " ON (" + TBL1 + ".B = " + TBL2 + ".B)"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - - statement.close(); - connection.close(); - } - - /*** - * Verify truncate table permissions for different users with different - * privileges - * @throws Exception - */ - @Test - public void testTruncateTable() throws Exception { - File dataDir = context.getDataDir(); - // copy data file to test dir - File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME); - FileOutputStream to = new FileOutputStream(dataFile); - Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to); - to.close(); - - policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // setup db objects needed by the test - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - - statement.execute("USE " + DB1); - statement.execute("DROP TABLE if exists " + TBL1); - statement.execute("DROP TABLE if exists " + TBL2); - statement.execute("DROP TABLE if exists " + TBL3); - statement.execute("CREATE TABLE " + TBL1 + "(B INT, A STRING) " - + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("CREATE TABLE " + TBL2 + "(B INT, A STRING) " - + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("CREATE TABLE " + TBL3 + "(B INT, A STRING) " - + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() - + "' INTO TABLE " + TBL1); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() - + "' INTO TABLE " + TBL2); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() - + "' INTO TABLE " + TBL3); - - // verify admin can execute truncate table - statement.execute("TRUNCATE TABLE " + TBL1); - assertFalse(hasData(statement, TBL1)); - - statement.close(); - connection.close(); - - // add roles and grant permissions - updatePolicyFile(); - - // test truncate table without partitions - truncateTableTests(false); - } - - /*** - * Verify truncate partitioned permissions for different users with different - * privileges - * @throws Exception - */ - @Test - public void testTruncatePartitionedTable() throws Exception { - File dataDir = context.getDataDir(); - // copy data file to test dir - File dataFile = new File(dataDir, MULTI_TYPE_DATA_FILE_NAME); - FileOutputStream to = new FileOutputStream(dataFile); - Resources.copy(Resources.getResource(MULTI_TYPE_DATA_FILE_NAME), to); - to.close(); - - policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // create partitioned tables - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - statement.execute("DROP TABLE if exists " + TBL1); - statement.execute("CREATE TABLE " + TBL1 + " (i int) PARTITIONED BY (j int)"); - statement.execute("DROP TABLE if exists " + TBL2); - statement.execute("CREATE TABLE " + TBL2 + " (i int) PARTITIONED BY (j int)"); - statement.execute("DROP TABLE if exists " + TBL3); - statement.execute("CREATE TABLE " + TBL3 + " (i int) PARTITIONED BY (j int)"); - - // verify admin can execute truncate empty partitioned table - statement.execute("TRUNCATE TABLE " + TBL1); - assertFalse(hasData(statement, TBL1)); - statement.close(); - connection.close(); - - // add roles and grant permissions - updatePolicyFile(); - - // test truncate empty partitioned tables - truncateTableTests(false); - - // add partitions to tables - connection = context.createConnection(ADMIN1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - statement.execute("ALTER TABLE " + TBL1 + " ADD PARTITION (j=1) PARTITION (j=2)"); - statement.execute("ALTER TABLE " + TBL2 + " ADD PARTITION (j=1) PARTITION (j=2)"); - statement.execute("ALTER TABLE " + TBL3 + " ADD PARTITION (j=1) PARTITION (j=2)"); - - // verify admin can execute truncate NOT empty partitioned table - statement.execute("TRUNCATE TABLE " + TBL1 + " partition (j=1)"); - statement.execute("TRUNCATE TABLE " + TBL1); - assertFalse(hasData(statement, TBL1)); - statement.close(); - connection.close(); - - // test truncate NOT empty partitioned tables - truncateTableTests(true); - } - - /** - * Test queries without from clause. Hive rewrites the queries with dummy db and table - * entities which should not trip authorization check. - * @throws Exception - */ - @Test - public void testSelectWithoutFrom() throws Exception { - policyFile - .addRolesToGroup(USERGROUP1, "all_tab1") - .addPermissionsToRole("all_tab1", - "server=server1->db=" + DB1 + "->table=" + TBL1) - .addRolesToGroup(USERGROUP2, "select_tab1") - .addPermissionsToRole("select_tab1", - "server=server1->db=" + DB1 + "->table=" + TBL1) - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - - // test with implicit default database - assertTrue(statement.executeQuery("SELECT 1 ").next()); - assertTrue(statement.executeQuery("SELECT current_database()").next()); - - // test after switching database - statement.execute("USE " + DB1); - assertTrue(statement.executeQuery("SELECT 1 ").next()); - assertTrue(statement.executeQuery("SELECT current_database() ").next()); - statement.close(); - connection.close(); - } - - // verify that the given table has data - private boolean hasData(Statement stmt, String tableName) throws Exception { - ResultSet rs1 = stmt.executeQuery("SELECT * FROM " + tableName); - boolean hasResults = rs1.next(); - rs1.close(); - return hasResults; - } - - @Test - public void testDummyPartition() throws Exception { - - policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // setup db objects needed by the test - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - - statement.execute("USE " + DB1); - - statement.execute("DROP TABLE if exists " + TBL1); - statement.execute("CREATE table " + TBL1 + " (a int) PARTITIONED BY (b string, c string)"); - statement.execute("DROP TABLE if exists " + TBL3); - statement.execute("CREATE table " + TBL3 + " (a2 int) PARTITIONED BY (b2 string, c2 string)"); - statement.close(); - connection.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "select_tab1", "select_tab2") - .addPermissionsToRole("select_tab1", "server=server1->db=DB_1->table=" + TBL1 + "->action=select") - .addPermissionsToRole("select_tab2", "server=server1->db=DB_1->table=" + TBL3 + "->action=insert"); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - - statement.execute("USE " + DB1); - statement.execute("INSERT OVERWRITE TABLE " + TBL3 + " PARTITION(b2='abc', c2) select a, b as c2 from " + TBL1); - statement.close(); - connection.close(); - - } - - /** - * update policy file for truncate table tests - */ - private void updatePolicyFile() throws Exception{ - policyFile - .addRolesToGroup(USERGROUP1, "all_tab1") - .addPermissionsToRole("all_tab1", - "server=server1->db=" + DB1 + "->table=" + TBL2) - .addRolesToGroup(USERGROUP2, "drop_tab1") - .addPermissionsToRole("drop_tab1", - "server=server1->db=" + DB1 + "->table=" + TBL3 + "->action=drop", - "server=server1->db=" + DB1 + "->table=" + TBL3 + "->action=select") - .addRolesToGroup(USERGROUP3, "select_tab1") - .addPermissionsToRole("select_tab1", - "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select"); - writePolicyFile(policyFile); - } - - /** - * Test truncate table with or without partitions for users with different privileges. - * Only test truncate table partition if truncPartition is true. - */ - private void truncateTableTests(boolean truncPartition) throws Exception{ - Connection connection = null; - Statement statement = null; - try { - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // verify all privileges on table can truncate table - if (truncPartition) { - statement.execute("TRUNCATE TABLE " + TBL2 + " PARTITION (j=1)"); - } - statement.execute("TRUNCATE TABLE " + TBL2); - assertFalse(hasData(statement, TBL2)); - statement.close(); - connection.close(); - - connection = context.createConnection(USER2_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // verify drop privilege on table can truncate table - if (truncPartition) { - statement.execute("TRUNCATE TABLE " + TBL3 + " partition (j=1)"); - } - statement.execute("TRUNCATE TABLE " + TBL3); - assertFalse(hasData(statement, TBL3)); - statement.close(); - connection.close(); - - connection = context.createConnection(USER3_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // verify select privilege on table can NOT truncate table - if (truncPartition) { - context.assertAuthzException( - statement, "TRUNCATE TABLE " + TBL1 + " PARTITION (j=1)"); - } - context.assertAuthzException(statement, "TRUNCATE TABLE " + TBL1); - } finally { - if (statement != null) { - statement.close(); - } - if (connection != null) { - connection.close(); - } - } - } -}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java deleted file mode 100644 index 6d4e8d3..0000000 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java +++ /dev/null @@ -1,54 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.tests.e2e.hive; - -import java.sql.Connection; -import java.sql.Statement; - -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -public class TestReloadPrivileges extends AbstractTestWithStaticConfiguration { - private PolicyFile policyFile; - - @BeforeClass - public static void setupTestStaticConfiguration() throws Exception { - AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); - } - - @Before - public void setup() throws Exception { - policyFile = - PolicyFile.setAdminOnServer1(ADMINGROUP).setUserGroupMapping( - StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - } - - @Test - public void testReload() throws Exception { - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("RELOAD"); - statement.close(); - connection.close(); - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java deleted file mode 100644 index efb588e..0000000 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java +++ /dev/null @@ -1,429 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.tests.e2e.hive; - -import java.io.File; -import java.io.FileOutputStream; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; - -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.Assert; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -import com.google.common.io.Resources; - -/** - * Metadata tests for show tables and show databases. * Unlike rest of the - * access privilege validation which is handled in semantic hooks, these - * statements are validaed via a runtime fetch hook - */ -public class TestRuntimeMetadataRetrieval extends AbstractTestWithStaticConfiguration { - private PolicyFile policyFile; - private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat"; - private File dataDir; - private File dataFile; - - @BeforeClass - public static void setupTestStaticConfiguration () throws Exception { - AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); - } - - @Before - public void setup() throws Exception { - policyFile = super.setupPolicy(); - super.setup(); - dataDir = context.getDataDir(); - dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); - FileOutputStream to = new FileOutputStream(dataFile); - Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); - to.close(); - } - - /** - * Steps: 1. admin create db_1 and db_1.tb_1 - * 2. admin should see all tables - * 3. user1 should only see the tables it has any level of privilege - */ - @Test - public void testShowTables1() throws Exception { - // tables visible to user1 (not access to tb_4 - String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"}; - List<String> tableNamesValidation = new ArrayList<String>(); - - String user1TableNames[] = {"tb_1", "tb_2", "tb_3"}; - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("CREATE DATABASE " + DB1); - statement.execute("USE " + DB1); - createTabs(statement, DB1, tableNames); - // Admin should see all tables - ResultSet rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(tableNames)); - - validateTables(rs, tableNamesValidation); - statement.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "tab1_priv,tab2_priv,tab3_priv") - .addPermissionsToRole("tab1_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[0] + "->action=select") - .addPermissionsToRole("tab2_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[1] + "->action=insert") - .addPermissionsToRole("tab3_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[2] + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // User1 should see tables with any level of access - rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(user1TableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - } - - /** - * Steps: 1. admin create db_1 and tables - * 2. admin should see all tables - * 3. user1 should only see the all tables with db level privilege - */ - @Test - public void testShowTables2() throws Exception { - // tables visible to user1 (not access to tb_4 - String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"}; - List<String> tableNamesValidation = new ArrayList<String>(); - - String user1TableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"}; - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("CREATE DATABASE " + DB1); - statement.execute("USE " + DB1); - createTabs(statement, DB1, tableNames); - // Admin should see all tables - ResultSet rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(tableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "db_priv") - .addPermissionsToRole("db_priv", "server=server1->db=" + DB1) - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // User1 should see tables with any level of access - rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(user1TableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - } - - /** - * Steps: 1. admin create db_1 and db_1.tb_1 - * 2. admin should see all tables - * 3. user1 should only see the tables he/she has any level of privilege - */ - @Test - public void testShowTables3() throws Exception { - // tables visible to user1 (not access to tb_4 - String tableNames[] = {"tb_1", "tb_2", "tb_3", "newtab_3"}; - List<String> tableNamesValidation = new ArrayList<String>(); - - String adminTableNames[] = {"tb_3", "newtab_3", "tb_2", "tb_1"}; - String user1TableNames[] = {"newtab_3"}; - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("CREATE DATABASE " + DB1); - statement.execute("USE " + DB1); - createTabs(statement, DB1, tableNames); - // Admin should see all tables - ResultSet rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(adminTableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "tab_priv") - .addPermissionsToRole("tab_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[3] + "->action=insert") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // User1 should see tables with any level of access - rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(user1TableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - } - - /** - * Steps: 1. admin create db_1 and db_1.tb_1 - * 2. admin should see all tables - * 3. user1 should only see the tables with db level privilege - */ - @Test - public void testShowTables4() throws Exception { - String tableNames[] = {"tb_1", "tb_2", "tb_3", "newtab_3"}; - List<String> tableNamesValidation = new ArrayList<String>(); - - String adminTableNames[] = {"tb_3", "newtab_3", "tb_1", "tb_2"}; - String user1TableNames[] = {"tb_3", "newtab_3", "tb_1", "tb_2"}; - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("CREATE DATABASE " + DB1); - statement.execute("USE " + DB1); - createTabs(statement, DB1, tableNames); - // Admin should be able to see all tables - ResultSet rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(adminTableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "tab_priv") - .addPermissionsToRole("tab_priv", "server=server1->db=" + DB1) - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // User1 should see tables with any level of access - rs = statement.executeQuery("SHOW TABLES"); - tableNamesValidation.addAll(Arrays.asList(user1TableNames)); - validateTables(rs, tableNamesValidation); - statement.close(); - } - - /** - * Steps: 1. admin creates tables in default db - * 2. user1 shouldn't see any table when he/she doesn't have any privilege on default - */ - @Test - public void testShowTables5() throws Exception { - String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4"}; - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - createTabs(statement, "default", tableNames); - - policyFile - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - // User1 should see tables with any level of access - ResultSet rs = statement.executeQuery("SHOW TABLES"); - // user1 doesn't have access to any tables in default db - Assert.assertFalse(rs.next()); - statement.close(); - } - - /** - * Steps: 1. admin create db_1 and tb_1, tb_2, tb_3, tb_4 and table_5 - * 2. admin should see all tables except table_5 which does not match tb* - * 3. user1 should only see the matched tables it has any level of privilege - */ - @Test - public void testShowTablesExtended() throws Exception { - // tables visible to user1 (not access to tb_4 - String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4", "table_5"}; - List<String> tableNamesValidation = new ArrayList<String>(); - - String user1TableNames[] = {"tb_1", "tb_2", "tb_3"}; - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("CREATE DATABASE " + DB1); - statement.execute("USE " + DB1); - createTabs(statement, DB1, tableNames); - - policyFile - .addRolesToGroup(USERGROUP1, "tab1_priv,tab2_priv,tab3_priv") - .addPermissionsToRole("tab1_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[0] + "->action=select") - .addPermissionsToRole("tab2_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[1] + "->action=insert") - .addPermissionsToRole("tab3_priv", "server=server1->db=" + DB1 + "->table=" - + tableNames[2] + "->action=select") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - // Admin should see all tables except table_5, the one does not match the pattern - ResultSet rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'"); - tableNamesValidation.addAll(Arrays.asList(tableNames).subList(0, 4)); - validateTablesInRs(rs, tableNamesValidation); - statement.close(); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - // User1 should see tables with any level of access - rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'"); - tableNamesValidation.addAll(Arrays.asList(user1TableNames)); - validateTablesInRs(rs, tableNamesValidation); - statement.close(); - } - - /** - * Steps: 1. admin create few dbs - * 2. admin can do show databases - * 3. users with db level permissions should only those dbs on 'show database' - */ - @Test - public void testShowDatabases1() throws Exception { - List<String> dbNamesValidation = new ArrayList<String>(); - String[] dbNames = {DB1, DB2, DB3}; - String[] user1DbNames = {DB1}; - - createDb(ADMIN1, dbNames); - dbNamesValidation.addAll(Arrays.asList(dbNames)); - dbNamesValidation.add("default"); - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - ResultSet rs = statement.executeQuery("SHOW DATABASES"); - validateDBs(rs, dbNamesValidation); // admin should see all dbs - rs.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "db1_all") - .addPermissionsToRole("db1_all", "server=server1->db=" + DB1) - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - rs = statement.executeQuery("SHOW DATABASES"); - dbNamesValidation.addAll(Arrays.asList(user1DbNames)); - dbNamesValidation.add("default"); - // user should see only dbs with access - validateDBs(rs, dbNamesValidation); - rs.close(); - } - - /** - * Steps: 1. admin create few dbs - * 2. admin can do show databases - * 3. users with table level permissions should should only those parent dbs on 'show - * database' - */ - @Test - public void testShowDatabases2() throws Exception { - String[] dbNames = {DB1, DB2, DB3}; - List<String> dbNamesValidation = new ArrayList<String>(); - String[] user1DbNames = {DB1, DB2}; - String tableNames[] = {"tb_1"}; - - // verify by SQL - // 1, 2 - createDb(ADMIN1, dbNames); - dbNamesValidation.addAll(Arrays.asList(dbNames)); - dbNamesValidation.add("default"); - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - createTabs(statement, DB1, tableNames); - createTabs(statement, DB2, tableNames); - ResultSet rs = statement.executeQuery("SHOW DATABASES"); - validateDBs(rs, dbNamesValidation); // admin should see all dbs - rs.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "db1_tab,db2_tab") - .addPermissionsToRole("db1_tab", "server=server1->db=" + DB1 + "->table=tb_1->action=select") - .addPermissionsToRole("db2_tab", "server=server1->db=" + DB2 + "->table=tb_1->action=insert") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - rs = statement.executeQuery("SHOW DATABASES"); - dbNamesValidation.addAll(Arrays.asList(user1DbNames)); - dbNamesValidation.add("default"); - // user should see only dbs with access - validateDBs(rs, dbNamesValidation); - rs.close(); - } - - // compare the table resultset with given array of table names - private void validateDBs(ResultSet rs, List<String> dbNames) - throws SQLException { - while (rs.next()) { - String dbName = rs.getString(1); - //There might be non test related dbs in the system - if(dbNames.contains(dbName.toLowerCase())) { - dbNames.remove(dbName.toLowerCase()); - } - } - Assert.assertTrue(dbNames.toString(), dbNames.isEmpty()); - } - - // Create the give tables - private void createTabs(Statement statement, String dbName, - String tableNames[]) throws SQLException { - for (String tabName : tableNames) { - statement.execute("DROP TABLE IF EXISTS " + dbName + "." + tabName); - statement.execute("create table " + dbName + "." + tabName - + " (under_col int comment 'the under column', value string)"); - } - } - - // compare the table resultset with given array of table names - private void validateTables(ResultSet rs, List<String> tableNames) throws SQLException { - while (rs.next()) { - String tableName = rs.getString(1); - Assert.assertTrue(tableName, tableNames.remove(tableName.toLowerCase())); - } - Assert.assertTrue(tableNames.toString(), tableNames.isEmpty()); - rs.close(); - } - - // compare the tables in resultset with given array of table names - // for some hive query like 'show table extended ...', the resultset does - // not only contains tableName (See HIVE-8109) - private void validateTablesInRs(ResultSet rs, List<String> tableNames) throws SQLException { - while (rs.next()) { - String tableName = rs.getString(1); - if (tableName.startsWith("tableName:")) { - Assert.assertTrue("Expected table " + tableName.substring(10), - tableNames.remove(tableName.substring(10).toLowerCase())); - } - } - Assert.assertTrue(tableNames.toString(), tableNames.isEmpty()); - rs.close(); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java deleted file mode 100644 index 017adea..0000000 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java +++ /dev/null @@ -1,529 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.tests.e2e.hive; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import java.io.File; -import java.io.FileOutputStream; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.Statement; - -import org.apache.hadoop.fs.Path; -import org.apache.sentry.core.common.utils.PolicyFiles; -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.io.Resources; - -public class TestSandboxOps extends AbstractTestWithStaticConfiguration { - private PolicyFile policyFile; - private File dataFile; - private String loadData; - private static final String DB2_POLICY_FILE = "db2-policy-file.ini"; - - - @Before - public void setup() throws Exception { - policyFile = super.setupPolicy(); - super.setup(); - dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); - FileOutputStream to = new FileOutputStream(dataFile); - Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); - to.close(); - loadData = "server=server1->uri=file://" + dataFile.getPath(); - } - - private PolicyFile addTwoUsersWithAllDb() throws Exception { - policyFile - .addPermissionsToRole("db1_all", "server=server1->db=" + DB1) - .addPermissionsToRole("db2_all", "server=server1->db=" + DB2) - .addRolesToGroup(USERGROUP1, "db1_all", "db2_all"); - return policyFile; - } - /** - * Tests to ensure that users with all@db can create tables - * and that they cannot create databases or load data - */ - @Test - public void testDbPrivileges() throws Exception { - String[] dbs = new String[] { DB1, DB2 }; - for (String dbName : dbs) { - createDb(ADMIN1, dbName); - } - - addTwoUsersWithAllDb(); - writePolicyFile(policyFile); - - for (String user : new String[] { USER1_1, USER1_2 }) { - for (String dbName : dbs) { - Connection userConn = context.createConnection(user); - String tabName = user + "_tab1"; - Statement userStmt = context.createStatement(userConn); - // Positive case: test user1 and user2 has - // permissions to access db1 and db2 - userStmt.execute("use " + dbName); - userStmt.execute("create table " + tabName + " (id int)"); - context.assertAuthzException(userStmt, "load data local inpath '" + dataFile + "' into table " + tabName); - assertTrue(userStmt.execute("select * from " + tabName)); - // negative users cannot create databases - context.assertAuthzException(userStmt, "CREATE DATABASE " + DB3); - userStmt.close(); - userConn.close(); - } - } - } - - /** - * Test Case 2.11 admin user create a new database DB_1 and grant ALL to - * himself on DB_1 should work - */ - @Test - public void testAdminDbPrivileges() throws Exception { - Connection adminCon = context.createConnection(ADMIN1); - Statement adminStmt = context.createStatement(adminCon); - adminStmt.execute("use default"); - adminStmt.execute("CREATE DATABASE " + DB1); - - // access the new databases - adminStmt.execute("use " + DB1); - String tabName = "admin_tab1"; - adminStmt.execute("create table " + tabName + "(c1 string)"); - adminStmt.execute("load data local inpath '" + dataFile.getPath() + "' into table " - + tabName); - adminStmt.execute("select * from " + tabName); - } - - /** - * Test Case 2.16 admin user create a new database DB_1 create TABLE_1 and - * TABLE_2 (same schema) in DB_1 admin user grant SELECT, INSERT to user1's - * group on TABLE_2 negative test case: user1 try to do following on TABLE_1 - * will fail: --insert overwrite TABLE_2 select * from TABLE_1 - */ - @Test - public void testNegativeUserDMLPrivileges() throws Exception { - Connection adminCon = context.createConnection(ADMIN1); - Statement adminStmt = context.createStatement(adminCon); - adminStmt.execute("use default"); - adminStmt.execute("CREATE DATABASE " + DB1); - adminStmt.execute("use " + DB1); - adminStmt.execute("create table table_1 (id int)"); - adminStmt.execute("create table table_2 (id int)"); - adminStmt.close(); - adminCon.close(); - - policyFile - .addPermissionsToRole("db1_tab2_all", "server=server1->db=" + DB1 + "->table=table_2") - .addRolesToGroup(USERGROUP1, "db1_tab2_all"); - writePolicyFile(policyFile); - - Connection userConn = context.createConnection(USER1_1); - Statement userStmt = context.createStatement(userConn); - userStmt.execute("use " + DB1); - // user1 doesn't have select privilege on table_1, so insert/select should fail - context.assertAuthzException(userStmt, "insert overwrite table table_2 select * from table_1"); - context.assertAuthzException(userStmt, "insert overwrite directory '" + baseDir.getPath() + "' select * from table_1"); - userConn.close(); - userStmt.close(); - } - - /** - * Test Case 2.17 Execution steps a) Admin user creates a new database DB_1, - * b) Admin user grants ALL on DB_1 to group GROUP_1 c) User from GROUP_1 - * creates table TAB_1, TAB_2 in DB_1 d) Admin user grants SELECT on TAB_1 to - * group GROUP_2 - * - * 1) verify users from GROUP_2 have only SELECT privileges on TAB_1. They - * shouldn't be able to perform any operation other than those listed as - * requiring SELECT in the privilege model. - * - * 2) verify users from GROUP_2 can't perform queries involving join between - * TAB_1 and TAB_2. - * - * 3) verify users from GROUP_1 can't perform operations requiring ALL @ - * SERVER scope. Refer to list - */ - @Test - public void testNegUserPrivilegesAll() throws Exception { - // create dbs - Connection adminCon = context.createConnection(ADMIN1); - Statement adminStmt = context.createStatement(adminCon); - adminStmt.execute("use default"); - adminStmt.execute("CREATE DATABASE " + DB1); - adminStmt.execute("use " + DB1); - adminStmt.execute("create table table_1 (name string)"); - adminStmt.execute("load data local inpath '" + dataFile.getPath() + "' into table table_1"); - adminStmt.execute("create table table_2 (name string)"); - adminStmt.execute("load data local inpath '" + dataFile.getPath() + "' into table table_2"); - adminStmt.execute("create view v1 AS select * from table_1"); - adminStmt.execute("create table table_part_1 (name string) PARTITIONED BY (year INT)"); - adminStmt.execute("ALTER TABLE table_part_1 ADD PARTITION (year = 2012)"); - adminStmt.execute("ALTER TABLE table_1 SET TBLPROPERTIES (\"createTime\"=\"1375824555\")"); - adminStmt.close(); - adminCon.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "db1_all") - .addRolesToGroup(USERGROUP2, "db1_tab1_select") - .addPermissionsToRole("db1_tab1_select", "server=server1->db="+ DB1 + "->table=table_1->action=select") - .addPermissionsToRole("db1_all", "server=server1->db=" + DB1); - writePolicyFile(policyFile); - - Connection userConn = context.createConnection(USER2_1); - Statement userStmt = context.createStatement(userConn); - userStmt.execute("use " + DB1); - - context.assertAuthzException(userStmt, "alter table table_2 add columns (id int)"); - context.assertAuthzException(userStmt, "drop database " + DB1); - context.assertAuthzException(userStmt, "CREATE INDEX x ON TABLE table_1(name) AS 'org.apache.hadoop.hive.ql.index.compact.CompactIndexHandler'"); - context.assertAuthzException(userStmt, "CREATE TEMPORARY FUNCTION strip AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'"); - context.assertAuthzException(userStmt, "create table foo(id int)"); - context.assertAuthzException(userStmt, "create table c_tab_2 as select * from table_2"); // no select or create privilege - context.assertAuthzException(userStmt, "create table c_tab_1 as select * from table_1"); // no create privilege - context.assertAuthzException(userStmt, "ALTER DATABASE " + DB1 + " SET DBPROPERTIES ('foo' = 'bar')"); - context.assertAuthzException(userStmt, "ALTER VIEW v1 SET TBLPROPERTIES ('foo' = 'bar')"); - context.assertAuthzException(userStmt, "DROP VIEW IF EXISTS v1"); - context.assertAuthzException(userStmt, "create table table_5 (name string)"); - context.assertAuthzException(userStmt, "ALTER TABLE table_1 RENAME TO table_99"); - context.assertAuthzException(userStmt, "insert overwrite table table_2 select * from table_1"); - context.assertAuthzException(userStmt, "ALTER TABLE table_part_1 ADD IF NOT EXISTS PARTITION (year = 2012)"); - context.assertAuthzException(userStmt, "ALTER TABLE table_part_1 PARTITION (year = 2012) SET LOCATION '" + baseDir.getPath() + "'"); - context.assertAuthzException(userStmt, "ALTER TABLE table_1 SET TBLPROPERTIES (\"createTime\"=\"1375824555\")"); - } - - /** - * Steps: - * 1. admin user create databases, DB_1 and DB_2, no table or other - * object in database - * 2. admin grant all to user1's group on DB_1 and DB_2 - * positive test case: - * a)user1 has the privilege to create table, load data, - * drop table, create view, insert more data on both databases - * b) user1 can switch between DB_1 and DB_2 without - * exception negative test case: - * c) user1 cannot drop database - * 3. admin remove all to group1 on DB_2 - * positive test case: - * d) user1 has the privilege to create view on tables in DB_1 - * negative test case: - * e) user1 cannot create view on tables in DB_1 that select - * from tables in DB_2 - * 4. admin grant select to group1 on DB_2.ta_2 - * positive test case: - * f) user1 has the privilege to create view to select from - * DB_1.tb_1 and DB_2.tb_2 - * negative test case: - * g) user1 cannot create view to select from DB_1.tb_1 - * and DB_2.tb_3 - * @throws Exception - */ - @Test - public void testSandboxOpt9() throws Exception { - createDb(ADMIN1, DB1, DB2); - - policyFile - .addPermissionsToRole(GROUP1_ROLE, ALL_DB1, ALL_DB2, loadData) - .addRolesToGroup(USERGROUP1, GROUP1_ROLE); - writePolicyFile(policyFile); - - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - - // a - statement.execute("USE " + DB1); - createTable(USER1_1, DB1, dataFile, TBL1); - statement.execute("DROP VIEW IF EXISTS " + VIEW1); - statement.execute("CREATE VIEW " + VIEW1 + " (value) AS SELECT value from " + TBL1 + " LIMIT 10"); - - createTable(USER1_1, DB2, dataFile, TBL2, TBL3); - // d - statement.execute("USE " + DB1); - policyFile.removePermissionsFromRole(GROUP1_ROLE, ALL_DB2); - writePolicyFile(policyFile); - // e - // create db1.view1 as select from db2.tbl2 - statement.execute("DROP VIEW IF EXISTS " + VIEW2); - context.assertAuthzException(statement, "CREATE VIEW " + VIEW2 + - " (value) AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10"); - // create db1.tbl2 as select from db2.tbl2 - statement.execute("DROP TABLE IF EXISTS " + TBL2); - context.assertAuthzException(statement, "CREATE TABLE " + TBL2 + - " AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10"); - context.assertAuthzException(statement, "CREATE TABLE " + DB2 + "." + TBL2 + - " AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10"); - - // f - policyFile.addPermissionsToRole(GROUP1_ROLE, SELECT_DB2_TBL2); - writePolicyFile(policyFile); - statement.execute("DROP VIEW IF EXISTS " + VIEW2); - statement.execute("CREATE VIEW " + VIEW2 - + " (value) AS SELECT value from " + DB2 + "." + TBL2 + " LIMIT 10"); - - // g - statement.execute("DROP VIEW IF EXISTS " + VIEW3); - context.assertAuthzException(statement, "CREATE VIEW " + VIEW3 - + " (value) AS SELECT value from " + DB2 + "." + TBL3 + " LIMIT 10"); - statement.close(); - connection.close(); - } - - /** - * Tests select on table with index. - * - * Steps: - * 1. admin user create a new database DB_1 - * 2. admin create TABLE_1 in DB_1 - * 3. admin create INDEX_1 for COLUMN_1 in TABLE_1 in DB_1 - * 4. admin user grant INSERT and SELECT to user1's group on TABLE_1 - * - * negative test case: - * a) user1 try to SELECT * FROM TABLE_1 WHERE COLUMN_1 == ... - * should NOT work - * b) user1 should not be able to check the list of view or - * index in DB_1 - * @throws Exception - */ - @Test - public void testSandboxOpt13() throws Exception { - createDb(ADMIN1, DB1); - createTable(ADMIN1, DB1, dataFile, TBL1); - createTable(ADMIN1, DB1, dataFile, TBL2); - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - statement.execute("DROP INDEX IF EXISTS " + INDEX1 + " ON " + TBL1); - statement.execute("CREATE INDEX " + INDEX1 + " ON TABLE " + TBL1 - + " (under_col) as 'COMPACT' WITH DEFERRED REBUILD"); - statement.close(); - connection.close(); - - // unrelated permission to allow user1 to connect to db1 - policyFile - .addPermissionsToRole(GROUP1_ROLE, SELECT_DB1_TBL2) - .addRolesToGroup(USERGROUP1, GROUP1_ROLE); - writePolicyFile(policyFile); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("USE " + DB1); - context.assertAuthzException(statement, "SELECT * FROM " + TBL1 + " WHERE under_col == 5"); - context.assertAuthzException(statement, "SHOW INDEXES ON " + TBL1); - policyFile.addPermissionsToRole(GROUP1_ROLE, SELECT_DB1_TBL1, INSERT_DB1_TBL1, loadData); - writePolicyFile(policyFile); - statement.execute("USE " + DB1); - assertTrue(statement.execute("SELECT * FROM " + TBL1 + " WHERE under_col == 5")); - assertTrue(statement.execute("SHOW INDEXES ON " + TBL1)); - } - - /** - * Steps: - * 1. Admin user creates a new database DB_1 - * 2. Admin user grants ALL on DB_1 to group GROUP_1 - * 3. User from GROUP_1 creates table TAB_1, TAB_2 in DB_1 - * 4. Admin user grants SELECT/INSERT on TAB_1 to group GROUP_2 - * a) verify users from GROUP_2 have only SELECT/INSERT - * privileges on TAB_1. They shouldn't be able to perform - * any operation other than those listed as - * requiring SELECT in the privilege model. - * b) verify users from GROUP_2 can't perform queries - * involving join between TAB_1 and TAB_2. - * c) verify users from GROUP_1 can't perform operations - * requiring ALL @SERVER scope: - * *) create database - * *) drop database - * *) show databases - * *) show locks - * *) execute ALTER TABLE .. SET LOCATION on a table in DB_1 - * *) execute ALTER PARTITION ... SET LOCATION on a table in DB_1 - * *) execute CREATE EXTERNAL TABLE ... in DB_1 - * *) execute ADD JAR - * *) execute a query with TRANSOFORM - * @throws Exception - */ - @Test - public void testSandboxOpt17() throws Exception { - createDb(ADMIN1, DB1); - createTable(ADMIN1, DB1, dataFile, TBL1, TBL2); - - policyFile - .addRolesToGroup(USERGROUP1, "all_db1", "load_data") - .addRolesToGroup(USERGROUP2, "select_tb1") - .addPermissionsToRole("select_tb1", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select") - .addPermissionsToRole("all_db1", "server=server1->db=" + DB1) - .addPermissionsToRole("load_data", "server=server1->uri=file://" + dataFile.toString()); - writePolicyFile(policyFile); - - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - // c - statement.execute("USE " + DB1); - context.assertAuthzException(statement, "CREATE DATABASE " + DB3); - ResultSet rs = statement.executeQuery("SHOW DATABASES"); - assertTrue(rs.next()); - assertEquals(DB1, rs.getString(1)); - context.assertAuthzException(statement, "ALTER TABLE " + TBL1 + - " ADD PARTITION (value = 10) LOCATION '" + dataDir.getPath() + "'"); - context.assertAuthzException(statement, "ALTER TABLE " + TBL1 - + " PARTITION (value = 10) SET LOCATION '" + dataDir.getPath() + "'"); - context.assertAuthzException(statement, "CREATE EXTERNAL TABLE " + TBL3 - + " (under_col int, value string) LOCATION '" + dataDir.getPath() + "'"); - statement.close(); - connection.close(); - - connection = context.createConnection(USER2_1); - statement = context.createStatement(connection); - - // a - statement.execute("USE " + DB1); - context.assertAuthzException(statement, "SELECT * FROM TABLE " + TBL2 + " LIMIT 10"); - context.assertAuthzException(statement, "EXPLAIN SELECT * FROM TABLE " + TBL2 + " WHERE under_col > 5 LIMIT 10"); - context.assertAuthzException(statement, "DESCRIBE " + TBL2); - context.assertAuthzException(statement, "LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE " + TBL2); - context.assertAuthzException(statement, "analyze table " + TBL2 + " compute statistics for columns under_col, value"); - // b - context.assertAuthzException(statement, "SELECT " + TBL1 + ".* FROM " + TBL1 + " JOIN " + TBL2 + - " ON (" + TBL1 + ".value = " + TBL2 + ".value)"); - statement.close(); - connection.close(); - } - - /** - * Positive and negative tests for INSERT OVERWRITE [LOCAL] DIRECTORY and - * LOAD DATA [LOCAL] INPATH. EXPORT/IMPORT are handled in separate junit class. - * Formerly testSandboxOpt18 - */ - @Test - public void testInsertOverwriteAndLoadData() throws Exception { - long counter = System.currentTimeMillis(); - File allowedDir = assertCreateDir(new File(baseDir, - "test-" + (counter++))); - File restrictedDir = assertCreateDir(new File(baseDir, - "test-" + (counter++))); - Path allowedDfsDir = dfs.assertCreateDir("test-" + (counter++)); - Path restrictedDfsDir = dfs.assertCreateDir("test-" + (counter++)); - //Hive needs write permissions on this local directory - baseDir.setWritable(true, false); - - createDb(ADMIN1, DB1); - createTable(ADMIN1, DB1, dataFile, TBL1); - - policyFile - .addRolesToGroup(USERGROUP1, "all_db1", "load_data") - .addPermissionsToRole("all_db1", "server=server1->db=" + DB1) - .addPermissionsToRole("load_data", "server=server1->uri=file://" + allowedDir.getPath() + - ", server=server1->uri=file://" + allowedDir.getPath() + - ", server=server1->uri=" + allowedDfsDir.toString()); - writePolicyFile(policyFile); - - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - statement.execute("INSERT OVERWRITE LOCAL DIRECTORY 'file://" + allowedDir.getPath() + "' SELECT * FROM " + TBL1); - statement.execute("INSERT OVERWRITE DIRECTORY '" + allowedDfsDir + "' SELECT * FROM " + TBL1); - statement.execute("LOAD DATA LOCAL INPATH 'file://" + allowedDir.getPath() + "' INTO TABLE " + TBL1); - statement.execute("LOAD DATA INPATH '" + allowedDfsDir + "' INTO TABLE " + TBL1); - context.assertAuthzException(statement, "INSERT OVERWRITE LOCAL DIRECTORY 'file://" + restrictedDir.getPath() + "' SELECT * FROM " + TBL1); - context.assertAuthzException(statement, "INSERT OVERWRITE DIRECTORY '" + restrictedDfsDir + "' SELECT * FROM " + TBL1); - context.assertAuthzException(statement, "LOAD DATA INPATH 'file://" + restrictedDir.getPath() + "' INTO TABLE " + TBL1); - context.assertAuthzException(statement, "LOAD DATA LOCAL INPATH 'file://" + restrictedDir.getPath() + "' INTO TABLE " + TBL1); - statement.close(); - connection.close(); - } - - /** - * test create table as with cross database ref - * @throws Exception - */ - @Test - public void testSandboxOpt10() throws Exception { - String rTab1 = "rtab_1"; - String rTab2 = "rtab_2"; - - createDb(ADMIN1, DB1, DB2); - createTable(ADMIN1, DB1, dataFile, TBL1); - createTable(ADMIN1, DB2, dataFile, TBL2, TBL3); - - policyFile - .addPermissionsToRole(GROUP1_ROLE, ALL_DB1, SELECT_DB2_TBL2, loadData) - .addRolesToGroup(USERGROUP1, GROUP1_ROLE); - writePolicyFile(policyFile); - - // a - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - statement.execute("USE " + DB1); - statement.execute("CREATE TABLE " + rTab1 + " AS SELECT * FROM " + DB2 + "." + TBL2); - // user1 doesn't have access to db2, so following create table as should fail - context.assertAuthzException(statement, "CREATE TABLE " + rTab2 + " AS SELECT * FROM " + DB2 + "." + TBL3); - - statement.close(); - connection.close(); - } - - // Create per-db policy file on hdfs and global policy on local. - @Test - public void testPerDbPolicyOnDFS() throws Exception { - File db2PolicyFileHandle = new File(baseDir.getPath(), DB2_POLICY_FILE); - - PolicyFile db2PolicyFile = new PolicyFile(); - db2PolicyFile - .addRolesToGroup(USERGROUP2, "select_tbl2") - .addPermissionsToRole("select_tbl2", "server=server1->db=" + DB2 + "->table=tbl2->action=select") - .write(db2PolicyFileHandle); - PolicyFiles.copyFilesToDir(fileSystem, dfs.getBaseDir(), db2PolicyFileHandle); - - // setup db objects needed by the test - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - - statement.execute("CREATE DATABASE " + DB1); - statement.execute("USE " + DB1); - statement.execute("CREATE TABLE tbl1(B INT, A STRING) " + - " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE tbl1"); - statement.execute("CREATE DATABASE " + DB2); - statement.execute("USE " + DB2); - statement.execute("CREATE TABLE tbl2(B INT, A STRING) " + - " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE tbl2"); - statement.close(); - connection.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "select_tbl1") - .addRolesToGroup(USERGROUP2, "select_tbl2") - .addPermissionsToRole("select_tbl1", "server=server1->db=" + DB1 + "->table=tbl1->action=select") - .addDatabase(DB2, dfs.getBaseDir().toUri().toString() + "/" + DB2_POLICY_FILE); - writePolicyFile(policyFile); - - // test per-db file for db2 - - connection = context.createConnection(USER2_1); - statement = context.createStatement(connection); - // test user2 can use db2 - statement.execute("USE " + DB2); - statement.execute("select * from tbl2"); - - statement.close(); - connection.close(); - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java deleted file mode 100644 index f1fd15e..0000000 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.tests.e2e.hive; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; - -import java.io.File; -import java.io.FileOutputStream; -import java.sql.Connection; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.HashMap; -import java.util.Map; - -import org.junit.Assert; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; -import org.apache.sentry.provider.file.PolicyFile; -import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.io.Resources; - -public class TestSentryOnFailureHookLoading extends AbstractTestWithHiveServer { - - private Context context; - private PolicyFile policyFile; - - Map<String, String > testProperties; - private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat"; - - @Before - public void setup() throws Exception { - testProperties = new HashMap<String, String>(); - testProperties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), - DummySentryOnFailureHook.class.getName()); - testProperties.put(HiveConf.ConfVars.METASTORE_AUTO_CREATE_ALL.varname, "true"); - policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP); - } - - @After - public void teardown() throws Exception { - if (context != null) { - context.close(); - } - } - - /* Admin creates database DB_2 - * user1 tries to drop DB_2, but it has permissions for DB_1. - */ - @Test - public void testOnFailureHookLoading() throws Exception { - - // Do not run this test if run with external HiveServer2 - // This test checks for a static member, which will not - // be set if HiveServer2 and the test run in different JVMs - String hiveServer2Type = System.getProperty( - HiveServerFactory.HIVESERVER2_TYPE); - if (hiveServer2Type != null && - !HiveServerFactory.isInternalServer(HiveServerFactory.HiveServer2Type - .valueOf(hiveServer2Type.trim()))) { - return; - } - - context = createContext(testProperties); - - File dataDir = context.getDataDir(); - //copy data file to test dir - File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); - FileOutputStream to = new FileOutputStream(dataFile); - Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); - to.close(); - - policyFile - .addRolesToGroup(USERGROUP1, "all_db1", "load_data") - .addPermissionsToRole("all_db1", "server=server1->db=DB_1") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()) - .write(context.getPolicyFile()); - - // setup db objects needed by the test - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE"); - statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE"); - statement.execute("CREATE DATABASE DB_1"); - statement.execute("CREATE DATABASE DB_2"); - statement.close(); - connection.close(); - - // test execution - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - - //negative test case: user can't drop another user's database - assertFalse(DummySentryOnFailureHook.invoked); - try { - statement.execute("DROP DATABASE DB_2 CASCADE"); - Assert.fail("Expected SQL exception"); - } catch (SQLException e) { - assertTrue(DummySentryOnFailureHook.invoked); - } - - statement.close(); - connection.close(); - - //test cleanup - connection = context.createConnection(ADMIN1); - statement = context.createStatement(connection); - statement.execute("DROP DATABASE DB_1 CASCADE"); - statement.execute("DROP DATABASE DB_2 CASCADE"); - statement.close(); - connection.close(); - context.close(); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java deleted file mode 100644 index f489b63..0000000 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java +++ /dev/null @@ -1,265 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.tests.e2e.hive; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; - -import java.io.File; -import java.io.FileOutputStream; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.Map; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; -import org.apache.sentry.binding.hive.v2.HiveAuthzBindingSessionHookV2; -import org.apache.sentry.binding.hive.v2.SentryAuthorizerFactory; -import org.apache.sentry.provider.file.PolicyFile; -import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory; -import org.junit.After; -import org.junit.Assert; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.base.Charsets; -import com.google.common.collect.Maps; - -public class TestServerConfiguration extends AbstractTestWithHiveServer { - - // Context is created inside individual test cases, because the - // test cases for server configuration are properties based. - private static Context context; - private static Map<String, String> properties; - private PolicyFile policyFile; - - @Before - public void setupPolicyFile() throws Exception { - properties = Maps.newHashMap(); - properties.put(HiveConf.ConfVars.METASTORE_AUTO_CREATE_ALL.varname, "true"); - policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP); - } - - @After - public void tearDown() throws Exception { - if(context != null) { - context.close(); - } - - if(hiveServer != null) { - hiveServer.shutdown(); - hiveServer = null; - } - } - - /** - * hive.server2.enable.impersonation must be disabled - */ - @Test - public void testImpersonationIsDisabled() throws Exception { - properties.put(HiveServerFactory.ACCESS_TESTING_MODE, "false"); - properties.put("hive.server2.enable.impersonation", "true"); - verifyInvalidConfigurationException(properties); - } - - /** - * hive.server2.authentication must be set to LDAP or KERBEROS - */ - @Test - public void testAuthenticationIsStrong() throws Exception { - properties.put(HiveServerFactory.ACCESS_TESTING_MODE, "false"); - properties.put("hive.server2.authentication", "NONE"); - verifyInvalidConfigurationException(properties); - } - - private void verifyInvalidConfigurationException(Map<String, String> properties) throws Exception{ - context = createContext(properties); - policyFile - .setUserGroupMapping(StaticUserGroup.getStaticMapping()) - .write(context.getPolicyFile()); - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - try { - statement.execute("create table test (a string)"); - Assert.fail("Expected SQLException"); - } catch (SQLException e) { - context.verifyInvalidConfigurationException(e); - } finally { - if (context != null) { - context.close(); - } - } - } - - /** - * Test removal of policy file - */ - @Test - public void testRemovalOfPolicyFile() throws Exception { - context = createContext(properties); - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - try { - statement.execute("DROP TABLE IF EXISTS test CASCADE"); - statement.execute("create table test (a string)"); - Assert.fail("Expected SQLException"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - } - - /** - * Test corruption of policy file - */ - @Test - public void testCorruptionOfPolicyFile() throws Exception { - context = createContext(properties); - File policyFile = context.getPolicyFile(); - FileOutputStream out = new FileOutputStream(policyFile); - out.write("this is not valid".getBytes(Charsets.UTF_8)); - out.close(); - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - try { - statement.execute("DROP TABLE IF EXISTS test CASCADE"); - statement.execute("create table test (a string)"); - Assert.fail("Expected SQLException"); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - } - - @Test - public void testAddDeleteDFSRestriction() throws Exception { - context = createContext(properties); - policyFile - .addRolesToGroup(USERGROUP1, "all_db1") - .addRolesToGroup(USERGROUP2, "select_tb1") - .addPermissionsToRole("select_tb1", "server=server1->db=db_1->table=tbl_1->action=select") - .addPermissionsToRole("all_db1", "server=server1->db=db_1") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()) - .write(context.getPolicyFile()); - - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); - - // disallow external executables. The external.exec is set to false by session hooks - context.assertAuthzException(statement, "ADD JAR /usr/lib/hive/lib/hbase.jar"); - context.assertAuthzException(statement, "ADD FILE /tmp/tt.py"); - context.assertAuthzException(statement, "DFS -ls"); - context.assertAuthzException(statement, "DELETE JAR /usr/lib/hive/lib/hbase.jar"); - context.assertAuthzException(statement, "DELETE FILE /tmp/tt.py"); - statement.close(); - connection.close(); - } - - /** - * Test that the required access configs are set by session hook - */ - @Test - public void testAccessConfigRestrictions() throws Exception { - context = createContext(properties); - policyFile - .setUserGroupMapping(StaticUserGroup.getStaticMapping()) - .write(context.getPolicyFile()); - - String testUser = USER1_1; - // verify the config is set correctly by session hook - verifyConfig(testUser, ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true"); - verifyConfig(testUser, ConfVars.HIVE_SERVER2_ENABLE_DOAS.varname, "false"); - verifyConfig(testUser, ConfVars.HIVE_AUTHENTICATOR_MANAGER.varname, - "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator"); - verifyConfig(testUser, ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, - SentryAuthorizerFactory.class.getName()); - verifyConfig(testUser, ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname, "true"); - verifyConfig(testUser, ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname, "set"); - verifyConfig(testUser, ConfVars.SCRATCHDIRPERMISSION.varname, - HiveAuthzBindingSessionHookV2.SCRATCH_DIR_PERMISSIONS); - verifyConfig(testUser, HiveConf.ConfVars.HIVE_CONF_RESTRICTED_LIST.varname, - HiveAuthzBindingSessionHookV2.ACCESS_RESTRICT_LIST); - verifyConfig(testUser, HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, testUser); - } - - private void verifyConfig(String userName, String confVar, String expectedValue) throws Exception { - Connection connection = context.createConnection(userName); - Statement statement = context.createStatement(connection); - statement.execute("set " + confVar); - ResultSet res = statement.getResultSet(); - assertTrue(res.next()); - String configValue = res.getString(1); - assertNotNull(configValue); - String restrictListValues = (configValue.split("="))[1]; - assertFalse(restrictListValues.isEmpty()); - for (String restrictConfig: expectedValue.split(",")) { - assertTrue(restrictListValues.toLowerCase().contains(restrictConfig.toLowerCase())); - } - - } - - /** - * Test access to default DB with explicit privilege requirement - * Admin should be able to run use default with server level access - * User with db level access should be able to run use default - * User with table level access should be able to run use default - * User with no access to default db objects, should NOT be able run use default - * @throws Exception - */ - @Test - public void testDefaultDbRestrictivePrivilege() throws Exception { - properties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "true"); - context = createContext(properties); - - policyFile - .addRolesToGroup(USERGROUP1, "all_default") - .addRolesToGroup(USERGROUP2, "select_default") - .addRolesToGroup(USERGROUP3, "all_db1") - .addPermissionsToRole("all_default", "server=server1->db=default") - .addPermissionsToRole("select_default", "server=server1->db=default->table=tab_2->action=select") - .addPermissionsToRole("all_db1", "server=server1->db=DB_1") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()) - .write(context.getPolicyFile()); - - Connection connection = context.createConnection(ADMIN1); - Statement statement = context.createStatement(connection); - statement.execute("use default"); - - connection = context.createConnection(USER1_1); - statement = context.createStatement(connection); - statement.execute("use default"); - - connection = context.createConnection(USER2_1); - statement = context.createStatement(connection); - statement.execute("use default"); - - connection = context.createConnection(USER3_1); - statement = context.createStatement(connection); - try { - // user3 doesn't have any implicit permission for default - statement.execute("use default"); - assertFalse("user3 shouldn't be able switch to default", true); - } catch (SQLException e) { - context.verifyAuthzException(e); - } - context.close(); - } - -}
