Updated Branches: refs/heads/master 3ce50d56c -> 055e0146f
SENTRY-20: Sentry should throw an exception if testing.mode is not set on non-secure cluster (Shreepadma Venugopalan vi Prasad Mujumdar) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/055e0146 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/055e0146 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/055e0146 Branch: refs/heads/master Commit: 055e0146f83522a4668c2d20a04e7ba67dad085a Parents: 3ce50d5 Author: Prasad Mujumdar <[email protected]> Authored: Mon Sep 23 23:22:27 2013 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Mon Sep 23 23:22:27 2013 -0700 ---------------------------------------------------------------------- .../binding/hive/authz/HiveAuthzBinding.java | 7 ++++--- .../sentry/binding/hive/conf/HiveAuthzConf.java | 6 +++--- .../conf/InvalidConfigurationException.java | 15 ++++++++++++++ .../binding/hive/TestHiveAuthzBindings.java | 21 +++++++++++++++++--- .../e2e/hive/hiveserver/HiveServerFactory.java | 2 +- 5 files changed, 41 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/055e0146/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java index 5190ba6..542b22c 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java 
@@ -17,6 +17,7 @@ package org.apache.sentry.binding.hive.authz; import java.lang.reflect.Constructor; + import java.util.EnumSet; import java.util.List; import java.util.Map; @@ -41,6 +42,7 @@ import org.apache.sentry.core.Subject; import org.apache.sentry.core.Authorizable.AuthorizableType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.apache.sentry.binding.hive.conf.InvalidConfigurationException; import com.google.common.base.Strings; @@ -100,13 +102,12 @@ public class HiveAuthzBinding { // Instantiate the configured authz provider private AuthorizationProvider getAuthProvider(HiveConf hiveConf, String serverName) throws Exception { boolean isTestingMode = Boolean.parseBoolean(Strings.nullToEmpty( - authzConf.get(AuthzConfVars.ACCESS_TESTING_MODE.getVar())).trim()); + authzConf.get(AuthzConfVars.SENTRY_TESTING_MODE.getVar())).trim()); LOG.debug("Testing mode is " + isTestingMode); if(!isTestingMode) { String authMethod = Strings.nullToEmpty(hiveConf.getVar(ConfVars.HIVE_SERVER2_AUTHENTICATION)).trim(); if("none".equalsIgnoreCase(authMethod)) { - LOG.error("HiveServer2 authentication method cannot be set to none unless testing mode is enabled"); - return new NoAuthorizationProvider(); + throw new InvalidConfigurationException("Authentication can't be NONE in non-testing mode"); } boolean impersonation = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION); boolean allowImpersonation = Boolean.parseBoolean(Strings.nullToEmpty( http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/055e0146/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java index bfd58fa..c51ce54 100644 
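Review bot: The new `InvalidConfigurationException` thrown in getAuthProvider does not tell the operator which settings to change, and the `LOG.error` call that used to sit on this branch was removed, so the binding itself no longer logs the rejected configuration. I would name both keys in the message, for example `throw new InvalidConfigurationException(ConfVars.HIVE_SERVER2_AUTHENTICATION.varname + " can't be none unless " + AuthzConfVars.SENTRY_TESTING_MODE.getVar() + " is true");`. Separately, the context line `LOG.debug("Testing mode is " + isTestingMode);` stays at debug level although the whole authentication check sits under `if(!isTestingMode)`, so a cluster left in testing mode is easy to miss; a `LOG.warn` when `isTestingMode` is true would make that visible. The body of getAuthProvider continues past the end of this hunk.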
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -46,7 +46,7 @@ public class HiveAuthzConf extends Configuration {
 AUTHZ_PROVIDER_RESOURCE("hive.sentry.provider.resource", ""),
 AUTHZ_SERVER_NAME("hive.sentry.server", "HS2"),
 AUTHZ_RESTRICT_DEFAULT_DB("hive.sentry.restrict.defaultDB", "false"),
- ACCESS_TESTING_MODE("hive.sentry.testing.mode", "false"),
+ SENTRY_TESTING_MODE("hive.sentry.testing.mode", "false"),
 AUTHZ_UDF_WHITELIST("hive.sentry.udf.whitelist", HIVE_UDF_WHITE_LIST),
 AUTHZ_ALLOW_HIVE_IMPERSONATION("hive.sentry.allow.hive.impersonation", "false"),
 AUTHZ_ONFAILURE_HOOKS("hive.sentry.failure.hooks", ""),
@@ -56,7 +56,7 @@ public class HiveAuthzConf extends Configuration {
 AUTHZ_PROVIDER_RESOURCE_DEPRECATED("hive.access.provider.resource", ""),
 AUTHZ_SERVER_NAME_DEPRECATED("hive.access.server", "HS2"),
 AUTHZ_RESTRICT_DEFAULT_DB_DEPRECATED("hive.access.restrict.defaultDB", "false"),
- ACCESS_TESTING_MODE_DEPRECATED("hive.access.testing.mode", "false"),
+ SENTRY_TESTING_MODE_DEPRECATED("hive.access.testing.mode", "false"),
 AUTHZ_UDF_WHITELIST_DEPRECATED("hive.access.udf.whitelist", HIVE_UDF_WHITE_LIST),
 AUTHZ_ALLOW_HIVE_IMPERSONATION_DEPRECATED("hive.access.allow.hive.impersonation", "false"),
 AUTHZ_ONFAILURE_HOOKS_DEPRECATED("hive.access.failure.hooks", ""),
@@ -115,7 +115,7 @@ public class HiveAuthzConf extends Configuration {
 deprecatedConfigs.put(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE_DEPRECATED.getVar(), AuthzConfVars.AUTHZ_PROVIDER_RESOURCE);
 deprecatedConfigs.put(AuthzConfVars.AUTHZ_SERVER_NAME_DEPRECATED.getVar(), AuthzConfVars.AUTHZ_SERVER_NAME);
 deprecatedConfigs.put(AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB_DEPRECATED.getVar(), AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB);
- deprecatedConfigs.put(AuthzConfVars.ACCESS_TESTING_MODE_DEPRECATED.getVar(), AuthzConfVars.ACCESS_TESTING_MODE);
+ deprecatedConfigs.put(AuthzConfVars.SENTRY_TESTING_MODE_DEPRECATED.getVar(), AuthzConfVars.SENTRY_TESTING_MODE);
 deprecatedConfigs.put(AuthzConfVars.AUTHZ_UDF_WHITELIST_DEPRECATED.getVar(), AuthzConfVars.AUTHZ_UDF_WHITELIST);
 deprecatedConfigs.put(AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION_DEPRECATED.getVar(), AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION);
 deprecatedConfigs.put(AuthzConfVars.AUTHZ_ONFAILURE_HOOKS_DEPRECATED.getVar(), AuthzConfVars.AUTHZ_ONFAILURE_HOOKS);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/055e0146/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java
new file mode 100644
index 0000000..84fc410
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java
@@ -0,0 +1,15 @@ +package org.apache.sentry.binding.hive.conf; + +public class InvalidConfigurationException extends Exception +{ + private static final long serialVersionUID = 1L; + + //Parameterless Constructor + public InvalidConfigurationException() {} + + //Constructor that accepts a message + public InvalidConfigurationException(String message) + { + super(message); + } + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/055e0146/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java index 20d4e8f..fb3d3f0 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java @@ -21,6 +21,8 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import junit.framework.Assert; + import org.apache.commons.io.FileUtils; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; @@ -31,6 +33,7 @@ import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges; import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap; import org.apache.sentry.binding.hive.conf.HiveAuthzConf; import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; +import org.apache.sentry.binding.hive.conf.InvalidConfigurationException; import org.apache.sentry.core.AccessConstants; import org.apache.sentry.core.AccessURI; import org.apache.sentry.core.Authorizable; 
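Review bot: InvalidConfigurationException.java begins at the `package` line with no license header, while the first hunk of HiveAuthzBinding.java shows its `package` statement at line 17, which suggests the existing sources carry a header block that this new file should have too. The class also has no Javadoc; a short one such as `/** Thrown when the Hive/Sentry configuration is rejected, e.g. authentication disabled outside testing mode. */` would say more than the two constructor comments, which only restate the signatures. A `(String message, Throwable cause)` constructor would let callers keep the underlying cause when they wrap a lower-level failure. The opening braces on their own lines and the extra indent on the final `}` differ from the brace style visible in the other files of this commit.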
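Review bot: The added `import junit.framework.Assert;` does not appear to be used by any line this commit adds to TestHiveAuthzBindings.java; the new test relies on `@Test(expected=...)` instead. If nothing else in the file needs it, the import and the blank line added with it can be dropped. If assertions are wanted later, `org.junit.Assert` is the JUnit 4 class that matches the `@Test` annotation used here, and `junit.framework.Assert` is deprecated.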
@@ -107,7 +110,7 @@ public class TestHiveAuthzBindings { authzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, RESOURCE_PATH).getPath()); authzConf.set(AuthzConfVars.AUTHZ_SERVER_NAME.getVar(), SERVER1); - authzConf.set(AuthzConfVars.ACCESS_TESTING_MODE.getVar(), "true"); + authzConf.set(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "true"); testAuth = new HiveAuthzBinding(hiveConf, authzConf); } @@ -288,7 +291,7 @@ public class TestHiveAuthzBindings { // perpare the hive and auth configs hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION, true); hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "Kerberos"); - authzConf.set(AuthzConfVars.ACCESS_TESTING_MODE.getVar(), "false"); + authzConf.set(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "false"); testAuth = new HiveAuthzBinding(hiveConf, authzConf); // following check should pass, but with impersonation it will fail with due to NoAuthorizationProvider @@ -306,7 +309,7 @@ public class TestHiveAuthzBindings { // perpare the hive and auth configs hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION, true); hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "Kerberos"); - authzConf.set(AuthzConfVars.ACCESS_TESTING_MODE.getVar(), "false"); + authzConf.set(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "false"); authzConf.set(AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION.getVar(), "true"); testAuth = new HiveAuthzBinding(hiveConf, authzConf); 
@@ -327,4 +330,16 @@ public class TestHiveAuthzBindings { } return authList; } + + /** + * Turn off authentication and verify exception is raised in non-testing mode + * @throws Exception + */ + @Test(expected=InvalidConfigurationException.class) + public void testNoAuthenticationRestriction() throws Exception { + // perpare the hive and auth configs + hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "None"); + authzConf.set(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "false"); + testAuth = new HiveAuthzBinding(hiveConf, authzConf); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/055e0146/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java index f6d1791..288a7b3 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 
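Review bot: testNoAuthenticationRestriction exercises only the `hive.sentry.testing.mode` key, while the third hunk of HiveAuthzConf.java still maps the deprecated `hive.access.testing.mode` onto `SENTRY_TESTING_MODE`. Because that flag decides whether the authentication check runs at all, a second test that sets only the deprecated key and asserts the same outcome would pin how the two names interact. In the Javadoc, the bare `@throws Exception` tag carries no description; `@throws Exception expected: InvalidConfigurationException from the HiveAuthzBinding constructor` would document the intent. The inline comment should read `// prepare the hive and auth configs`.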
@@ -51,7 +51,7 @@ public class HiveServerFactory {
 public static final String AUTHZ_PROVIDER_RESOURCE = HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar();
 public static final String AUTHZ_PROVIDER_FILENAME = "test-authz-provider.ini";
 public static final String AUTHZ_SERVER_NAME = HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar();
- public static final String ACCESS_TESTING_MODE = HiveAuthzConf.AuthzConfVars.ACCESS_TESTING_MODE.getVar();
+ public static final String ACCESS_TESTING_MODE = HiveAuthzConf.AuthzConfVars.SENTRY_TESTING_MODE.getVar();
 public static final String HS2_PORT = ConfVars.HIVE_SERVER2_THRIFT_PORT.toString();
 public static final String SUPPORT_CONCURRENCY = HiveConf.ConfVars.HIVE_SUPPORT_CONCURRENCY.varname;
 public static final String HADOOPBIN = ConfVars.HADOOPBIN.toString();
