Repository: sentry Updated Branches: refs/heads/master 542e984ba -> 985b70887
SENTRY-2429: Transfer database owner drops table owner Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/985b7088 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/985b7088 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/985b7088 Branch: refs/heads/master Commit: 985b7088742906b266f0c1af393916e1d58ddd0e Parents: 542e984 Author: lina.li <[email protected]> Authored: Thu Oct 18 15:18:00 2018 -0500 Committer: lina.li <[email protected]> Committed: Thu Oct 18 23:33:16 2018 -0500 ---------------------------------------------------------------------- .../db/service/persistent/SentryStore.java | 32 ++++- .../e2e/dbprovider/TestOwnerPrivileges.java | 141 +++++++++++++++++++ 2 files changed, 172 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/985b7088/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 29f83a8..b387a22 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -1492,6 +1492,13 @@ public class SentryStore implements SentryStoreInterface {
 removeStaledPrivileges(pm, privilegesCopy);
 }
+ /**
+ * Return the privileges on the authorizable object specified in tPriv, and including
+ privileges on the child authorizable objects.
+ * @param tPriv the privilege that specifies the authorizable object to find its privileges
+ * @param pm persistant manager
+ * @return the privileges on the authorizable object specified in tPriv
+ */
 @SuppressWarnings("unchecked")
 private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) {
 Query query = pm.newQuery(MSentryPrivilege.class);
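Review bot: The new Javadoc line `@param pm persistant manager` misspells "persistent", and the identical line is added again for getMSentryPrivilegesExactMatch in the next hunk; suggest `@param pm persistence manager used to run the query` in both places. The summary sentence would also be clearer if it named what "child authorizable objects" means here (the tables and columns beneath a database, for instance), since the only thing distinguishing this method from the exact-match variant is that clause. The body of getMSentryPrivileges continues outside the hunk.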
@@ -1522,6 +1529,29 @@ public class SentryStore implements SentryStoreInterface {
 return (List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments());
 }
+ /**
+ * Return the privileges on the authorizable object specified in tPriv, and not including
+ privileges on the child authorizable objects.
+ * @param tPriv the privilege that specifies the authorizable object to find its privileges
+ * @param pm persistant manager
+ * @return the privileges on the authorizable object specified in tPriv
+ */
+ @SuppressWarnings("unchecked")
+ private List<MSentryPrivilege> getMSentryPrivilegesExactMatch(TSentryPrivilege tPriv, PersistenceManager pm) {
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ QueryParamBuilder paramBuilder = QueryParamBuilder.newQueryParamBuilder();
+ paramBuilder
+ .add(SERVER_NAME, tPriv.getServerName())
+ .add("action", tPriv.getAction())
+ .add(DB_NAME, tPriv.getDbName())
+ .add(TABLE_NAME, tPriv.getTableName())
+ .add(COLUMN_NAME, tPriv.getColumnName())
+ .add(URI, tPriv.getURI(), true);
+
+ query.setFilter(paramBuilder.toString());
+ return (List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments());
+ }
+
 private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
 Boolean grantOption = null;
 if (tPriv.getGrantOption().equals(TSentryGrantOption.TRUE)) {
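Review bot: getMSentryPrivilegesExactMatch filters on every scope column literally (server, db, table, column, URI), so it only finds the stored OWNER row when tPriv represents unset fields the same way the row was persisted; if the caller passes null where the row holds "" (or the reverse), the result is empty and, at the updated call site in the hunk at line 2884, the previous owner silently keeps OWNER on the object. I cannot see from this hunk how QueryParamBuilder.add treats a null value, so this deserves a store-level test that transfers ownership at both database and table scope and asserts the old owner's DB-level privilege is gone while the table-level one survives. Two smaller points: `"action"` is a bare string literal while the neighbouring keys use the SERVER_NAME/DB_NAME/TABLE_NAME/COLUMN_NAME/URI constants, and the query-building prologue looks like a copy of getMSentryPrivileges — if that method's body (outside this hunk) differs only in the child-object clause, a shared private helper that builds the base QueryParamBuilder would keep the two from drifting.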
@@ -2854,7 +2884,7 @@ public class SentryStore implements SentryStoreInterface {
 tOwnerPrivilege.setAction(AccessConstants.OWNER);
 // Finding owner privileges and removing them.
- List<MSentryPrivilege> mOwnerPrivileges = getMSentryPrivileges(tOwnerPrivilege, pm);
+ List<MSentryPrivilege> mOwnerPrivileges = getMSentryPrivilegesExactMatch(tOwnerPrivilege, pm);
 for(MSentryPrivilege mOwnerPriv : mOwnerPrivileges) {
 Set<MSentryUser> users;
 users = mOwnerPriv.getUsers();
http://git-wip-us.apache.org/repos/asf/sentry/blob/985b7088/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
index 880fa94..d3294f4 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
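Review bot: With the lookup narrowed to an exact match, an empty mOwnerPrivileges makes the `for` loop on the following line a no-op, and nothing records that an ownership transfer found no previous OWNER privilege to revoke — which is precisely the situation in which a former owner would retain access unnoticed. Because this is a revocation path, consider making that case visible with the class's logger before the loop, e.g. `if (mOwnerPrivileges.isEmpty()) { /* warn: no existing OWNER privilege found for tOwnerPrivilege */ }`, so the condition shows up in service logs and audits rather than only in a later privilege listing. The enclosing method starts and ends outside the hunk, so I cannot tell whether a caller already handles this.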
@@ -363,6 +363,147 @@ public class TestOwnerPrivileges extends TestHDFSIntegrationBase { } } + /** + * Verify that if the same user is owner of both DB and table, after alter DB's owner, + * the table owner is still that user + * + * @throws Exception + */ + @Ignore("Enable the test once HIVE-18031 is in the hiver version integrated with Sentry") + @Test + public void testAlterDBNotDropTableOwnerSameOwner() throws Exception { + String allWithGrantRole = "allWithGrant_role"; + String ownerRole = "owner_role"; + dbNames = new String[]{DB1}; + roles = new String[]{"admin_role", "create_db1", "owner_role"}; + + // create required roles + setupUserRoles(roles, statementAdmin); + + // remove test DB if it exists + statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE"); + + // setup privileges for USER1 + statementAdmin.execute("GRANT CREATE ON SERVER server1 TO ROLE create_db1"); + + // USER1 creates test DB + Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1); + Statement statementUSER1_1 = connectionUSER1_1.createStatement(); + statementUSER1_1.execute("CREATE DATABASE " + DB1); + statementUSER1_1.execute("USE " + DB1); + + // USER1 create table + statementUSER1_1.execute("CREATE TABLE " + DB1 + "." 
+ tableName1 + + " (under_col int comment 'the under column')"); + + // verify privileges created for new database + verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1), + DB1, "", 1); + + // verify privileges created for new table + verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1), + DB1, tableName1, 1); + + // change db owner + // setup all privilege for USERGROUP2 + statementAdmin.execute("create role " + allWithGrantRole); + statementAdmin.execute("grant role " + allWithGrantRole + " to group " + USERGROUP2); + statementAdmin.execute("GRANT ALL ON DATABASE " + DB1 + " to role " + + allWithGrantRole + " with grant option"); + Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1); + Statement statementUSER2_1 = connectionUSER2_1.createStatement(); + statementUSER2_1.execute("ALTER DATABASE " + DB1 + " SET OWNER ROLE " + "owner_role"); + + // Verify that new owner has owner privilege on DB + verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE, + Lists.newArrayList(ownerRole), DB1, "", 1); + + // Verify table still has its owner + verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1), + DB1, tableName1, 1); + + statementAdmin.execute("DROP ROLE " + allWithGrantRole); + + statementAdmin.close(); + connection.close(); + + statementUSER1_1.close(); + connectionUSER1_1.close(); + + statementUSER2_1.close(); + connectionUSER2_1.close(); + } + + /** + * Verify that if owner of DB is different from owner of its table, after alter DB's owner, + * the table owner still exists + * + * @throws Exception + */ + @Ignore("Enable the test once HIVE-18031 is in the hiver version integrated with Sentry") + @Test + public void testAlterDBNotDropTableOwnerDifferentOwner() throws Exception { + String allWithGrantRole = "allWithGrant_role"; + 
String ownerRole = "owner_role"; + dbNames = new String[]{DB1}; + roles = new String[]{"admin_role", "create_db1", "owner_role"}; + + // create required roles + setupUserRoles(roles, statementAdmin); + + // remove test DB if it exists, then create the DB, so its owner is admin + statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE"); + statementAdmin.execute("CREATE DATABASE " + DB1); + + // setup privileges for USER1 + statementAdmin.execute("GRANT CREATE ON SERVER server1 TO ROLE create_db1"); + Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1); + Statement statementUSER1_1 = connectionUSER1_1.createStatement(); + statementUSER1_1.execute("USE " + DB1); + + // USER1 create table and becomes owner of that table + statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1 + + " (under_col int comment 'the under column')"); + + // verify privileges created for new database + verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.USER, Lists.newArrayList(admin), + DB1, "", 1); + + // verify privileges created for new table + verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1), + DB1, tableName1, 1); + + // change db owner + // setup all privilege for USERGROUP2 + statementAdmin.execute("create role " + allWithGrantRole); + statementAdmin.execute("grant role " + allWithGrantRole + " to group " + USERGROUP2); + statementAdmin.execute("GRANT ALL ON DATABASE " + DB1 + " to role " + + allWithGrantRole + " with grant option"); + Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1); + Statement statementUSER2_1 = connectionUSER2_1.createStatement(); + statementUSER2_1.execute("ALTER DATABASE " + DB1 + " SET OWNER ROLE " + "owner_role"); + + // Verify that new owner has owner privilege on DB + verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE, + Lists.newArrayList(ownerRole), DB1, 
"", 1); + + // Verify table still has its owner + verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1), + DB1, tableName1, 1); + + statementAdmin.execute("DROP ROLE " + allWithGrantRole); + + statementAdmin.close(); + connection.close(); + + statementUSER1_1.close(); + connectionUSER1_1.close(); + + statementUSER2_1.close(); + connectionUSER2_1.close(); + } + + /** * Verify that the user who creases table has owner privilege on this table and
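Review bot: Both new tests stop at checking that ownerRole gained OWNER on DB1 and that USER1_1 still owns tableName1; neither asserts that the previous database owner (USER1_1 in testAlterDBNotDropTableOwnerSameOwner, admin in testAlterDBNotDropTableOwnerDifferentOwner) lost its DB-level OWNER privilege, which is the row the new exact-match lookup is responsible for removing. If the last argument of verifyTableOwnerPrivilegeExistForPrincipal is an expected count, one more call after the ALTER with `0` for the old owner at DB scope (table argument `""`) would pin both halves of SENTRY-2429. Both methods are also `@Ignore`d pending HIVE-18031, so the SentryStore change in this commit currently runs under no test; a store-level test that calls the persistence layer directly would not depend on the Hive version. Smaller points: `"owner_role"` is passed as a literal in the ALTER statement although ownerRole holds the same value, the two methods are copies differing only in who creates the database and could share a helper, and `connection.close()` closes a connection this method did not open — if it is a class-level fixture, later tests in the class may be affected. The Javadoc's "hiver version" looks like a typo for "hive version".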
