Repository: incubator-sentry Updated Branches: refs/heads/master 369e241fb -> a6821a611
SENTRY-149: Support SET ROLE (Brock Noland via Prasad Mujumdar) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a6821a61 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a6821a61 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a6821a61 Branch: refs/heads/master Commit: a6821a611c0a9a99ad92b4bee362c1402264c9f7 Parents: 369e241 Author: Prasad Mujumdar <[email protected]> Authored: Thu Mar 27 09:41:32 2014 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Thu Mar 27 09:41:32 2014 -0700 ---------------------------------------------------------------------- pom.xml | 8 ++-- .../hive/ql/exec/SentryGrantRevokeTask.java | 23 ++++++++++-- .../binding/hive/HiveAuthzBindingHook.java | 1 + .../SentryHiveAuthorizationTaskFactoryImpl.java | 31 ++++++++++++++-- .../binding/hive/authz/HiveAuthzBinding.java | 39 ++++++++++++++++++-- .../sentry/binding/hive/conf/HiveAuthzConf.java | 5 +++ .../TestSentryHiveAuthorizationTaskFactory.java | 20 +++++----- .../sentry/core/model/db/AccessConstants.java | 6 +++ .../tests/e2e/hive/TestDatabaseProvider.java | 11 +++++- 9 files changed, 119 insertions(+), 25 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 5bda553..b053bbf 100644 --- a/pom.xml +++ b/pom.xml @@ -67,8 +67,8 @@ limitations under the License. <jdo-api.version>3.0.1</jdo-api.version> <derby.version>10.4.2.0</derby.version> <commons-cli.version>1.2</commons-cli.version> - <hive.version>0.12.0-cdh5.0.0-SNAPSHOT</hive.version> - <hadoop.version>2.2.0-cdh5.0.0-SNAPSHOT</hadoop.version> + <hive.version>0.12.0-cdh5.1.0-SNAPSHOT</hive.version> + <hadoop.version>2.3.0-cdh5.1.0-SNAPSHOT</hadoop.version> <fest.reflect.version>1.4.1</fest.reflect.version> <guava.version>11.0.2</guava.version> <junit.version>4.9</junit.version> @@ -79,8 +79,8 @@ limitations under the License. <shiro.version>1.2.1</shiro.version> <slf4j.version>1.6.1</slf4j.version> <solr.version>4.7.0</solr.version> - <solr.sentry.handlers.version>4.4.0-cdh5.0.0-SNAPSHOT</solr.sentry.handlers.version> - <zookeeper.version>3.4.5-cdh5.0.0-SNAPSHOT</zookeeper.version> + <solr.sentry.handlers.version>4.4.0-cdh5.1.0-SNAPSHOT</solr.sentry.handlers.version> + <zookeeper.version>3.4.5-cdh5.1.0-SNAPSHOT</zookeeper.version> </properties> <dependencyManagement> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java index 70b05b6..2776eae 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java @@ -21,6 +21,7 @@ import java.io.DataOutputStream; import java.io.IOException; import java.io.Serializable; import java.util.Collections; +import java.util.HashSet; import java.util.List; import java.util.Set; @@ -45,9 +46,12 @@ import org.apache.hadoop.hive.ql.plan.api.StageType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.session.SessionState.LogHelper; import org.apache.sentry.SentryUserException; +import org.apache.sentry.binding.hive.authz.HiveAuthzBinding; import org.apache.sentry.binding.hive.conf.HiveAuthzConf; import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; +import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; import org.apache.sentry.service.thrift.SentryServiceClientFactory; import org.slf4j.Logger; @@ -57,6 +61,7 @@ import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Preconditions; import com.google.common.base.Splitter; import com.google.common.collect.Iterables; +import com.google.common.collect.Sets; // TODO remove this suppress @SuppressWarnings("unused") @@ -73,6 +78,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable private SentryServiceClientFactory sentryClientFactory; private SentryPolicyServiceClient sentryClient; private HiveConf conf; + private HiveAuthzBinding hiveAuthzBinding; private HiveAuthzConf authzConf; private String server; private Subject subject; @@ -104,6 +110,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable LOG.error(msg, e); throw new RuntimeException(msg, e); } + Preconditions.checkNotNull(hiveAuthzBinding, "HiveAuthzBinding cannot be null"); Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null"); Preconditions.checkNotNull(subject, "Subject cannot be null"); Preconditions.checkNotNull(subjectGroups, "Subject Groups cannot be null"); @@ -111,7 +118,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable "Config " + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required"); if (work.getRoleDDLDesc() != null) { return processRoleDDL(conf, console, sentryClient, subject.getName(), subjectGroups, - work.getRoleDDLDesc()); + hiveAuthzBinding, work.getRoleDDLDesc()); } if (work.getGrantDesc() != null) { return processGrantDDL(conf, console, sentryClient, subject.getName(), subjectGroups, @@ -148,6 +155,11 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable "setAuthzConf should only be called once: " + this.authzConf); this.authzConf = authzConf; } + public void setHiveAuthzBinding(HiveAuthzBinding hiveAuthzBinding) { + Preconditions.checkState(this.hiveAuthzBinding == null, + "setHiveAuthzBinding should only be called once: " + this.hiveAuthzBinding); + this.hiveAuthzBinding = hiveAuthzBinding; + } public void setSubject(Subject subject) { Preconditions.checkState(this.subject == null, "setSubject should only be called once: " + this.subject); @@ -162,13 +174,16 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable @VisibleForTesting static int processRoleDDL(HiveConf conf, LogHelper console, SentryPolicyServiceClient sentryClient, String subject, - Set<String> subjectGroups, RoleDDLDesc desc) throws SentryUserException { + Set<String> subjectGroups, HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc) + throws SentryUserException { RoleDDLDesc.RoleOperation operation = desc.getOperation(); DataOutputStream outStream = null; String name = desc.getName(); try { - if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) { - SessionState.get().getAuthenticator(); + if (operation.equals(RoleDDLDesc.RoleOperation.SET_ROLE)) { + hiveAuthzBinding.setActiveRoleSet(name); + return RETURN_CODE_SUCCESS; + } else if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) { sentryClient.createRole(subject, subjectGroups, name); return RETURN_CODE_SUCCESS; } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java index 0b83299..8e5cf4e 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java @@ -277,6 +277,7 @@ implements HiveDriverFilterHook { for (Task<? extends Serializable> task : rootTasks) { if (task instanceof SentryGrantRevokeTask) { SentryGrantRevokeTask sentryTask = (SentryGrantRevokeTask)task; + sentryTask.setHiveAuthzBinding(hiveAuthzBinding); sentryTask.setAuthzConf(authzConf); sentryTask.setSubject(subject); sentryTask.setSubjectGroups(subjectGroups); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java index 252d93b..d735e1b 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java @@ -48,6 +48,9 @@ import org.apache.hadoop.hive.ql.plan.ShowGrantDesc; import org.apache.hadoop.hive.ql.security.authorization.Privilege; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry; import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.sentry.core.model.db.AccessConstants; + +import com.google.common.base.Preconditions; public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorizationTaskFactory { @@ -58,15 +61,23 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization @Override public Task<? extends Serializable> createCreateRoleTask(ASTNode ast, HashSet<ReadEntity> inputs, - HashSet<WriteEntity> outputs) { + HashSet<WriteEntity> outputs) throws SemanticException { String roleName = BaseSemanticAnalyzer.unescapeIdentifier(ast.getChild(0).getText()); + if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) { + String msg = "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES; + throw new SemanticException(msg); + } RoleDDLDesc roleDesc = new RoleDDLDesc(roleName, RoleDDLDesc.RoleOperation.CREATE_ROLE); return createTask(new DDLWork(inputs, outputs, roleDesc)); } @Override public Task<? extends Serializable> createDropRoleTask(ASTNode ast, HashSet<ReadEntity> inputs, - HashSet<WriteEntity> outputs) { + HashSet<WriteEntity> outputs) throws SemanticException { String roleName = BaseSemanticAnalyzer.unescapeIdentifier(ast.getChild(0).getText()); + if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) { + String msg = "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES; + throw new SemanticException(msg); + } RoleDDLDesc roleDesc = new RoleDDLDesc(roleName, RoleDDLDesc.RoleOperation.DROP_ROLE); return createTask(new DDLWork(inputs, outputs, roleDesc)); } @@ -121,6 +132,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization && SessionState.get().getAuthenticator() != null) { userName = SessionState.get().getAuthenticator().getUserName(); } + Preconditions.checkNotNull(privilegeObj, "privilegeObj is null for " + ast.dump()); if (privilegeObj.getPartSpec() != null) { throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED); } @@ -258,6 +270,19 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization return createTask(new DDLWork(inputs, outputs, grantRevokeRoleDDL)); } + @Override + public Task<? extends Serializable> createSetRoleTask(String role, HashSet<ReadEntity> inputs, + HashSet<WriteEntity> outputs) { + RoleDDLDesc roleDesc = new RoleDDLDesc(role, RoleDDLDesc.RoleOperation.SET_ROLE); + return createTask(new DDLWork(inputs, outputs, roleDesc)); + } + + @Override + public Task<? extends Serializable> createShowCurrentRoleTask(HashSet<ReadEntity> inputs, + HashSet<WriteEntity> outputs, Path resultFile) throws SemanticException { + throw new SemanticException("TODO IN FOLLOW ON"); + } + private PrivilegeObjectDesc analyzePrivilegeObject(ASTNode ast) throws SemanticException { PrivilegeObjectDesc subject = new PrivilegeObjectDesc(); @@ -327,4 +352,4 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization task.setWork(work); return task; } -} \ No newline at end of file +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java index eddf3ae..7a561ef 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java @@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive.authz; import java.lang.reflect.Constructor; import java.util.EnumSet; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; @@ -36,6 +37,7 @@ import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; import org.apache.sentry.binding.hive.conf.InvalidConfigurationException; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.core.model.db.DBModelAction; import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; @@ -47,7 +49,9 @@ import org.apache.sentry.provider.common.ProviderBackend; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.base.Splitter; import com.google.common.base.Strings; +import com.google.common.collect.Sets; public class HiveAuthzBinding { private static final Logger LOG = LoggerFactory @@ -55,16 +59,39 @@ public class HiveAuthzBinding { private static final Map<String, HiveAuthzBinding> authzBindingMap = new ConcurrentHashMap<String, HiveAuthzBinding>(); private static final AtomicInteger queryID = new AtomicInteger(); + private static final Splitter ROLE_SET_SPLITTER = Splitter.on(",").trimResults() + .omitEmptyStrings(); public static final String HIVE_BINDING_TAG = "hive.authz.bindings.tag"; + private final HiveConf hiveConf; private final Server authServer; private final AuthorizationProvider authProvider; private volatile boolean open; + private ActiveRoleSet activeRoleSet; public HiveAuthzBinding (HiveConf hiveConf, HiveAuthzConf authzConf) throws Exception { + this.hiveConf = hiveConf; this.authServer = new Server(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar())); this.authProvider = getAuthProvider(hiveConf, authzConf, authServer.getName()); this.open = true; + this.activeRoleSet = parseActiveRoleSet(hiveConf.get(HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET, + authzConf.get(HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET, "")).trim()); + } + + private static ActiveRoleSet parseActiveRoleSet(String name) { + // if unset, then we choose the default of ALL + if (name.isEmpty()) { + return ActiveRoleSet.ALL; + } else if (AccessConstants.NONE_ROLE.equalsIgnoreCase(name)) { + return new ActiveRoleSet(new HashSet<String>()); + } else if (AccessConstants.ALL_ROLE.equalsIgnoreCase(name)) { + return ActiveRoleSet.ALL; + } else if (AccessConstants.RESERVED_ROLE_NAMES.contains(name.toUpperCase())) { + String msg = "Role " + name + " is reserved"; + throw new IllegalArgumentException(msg); + } else { + return new ActiveRoleSet(Sets.newHashSet(ROLE_SET_SPLITTER.split(name))); + } } /** @@ -179,7 +206,8 @@ public class HiveAuthzBinding { * @throws AuthorizationException */ public void authorize(HiveOperation hiveOp, HiveAuthzPrivileges stmtAuthPrivileges, - Subject subject, List<List<DBModelAuthorizable>> inputHierarchyList, List<List<DBModelAuthorizable>> outputHierarchyList ) + Subject subject, List<List<DBModelAuthorizable>> inputHierarchyList, + List<List<DBModelAuthorizable>> outputHierarchyList) throws AuthorizationException { if (!open) { throw new IllegalStateException("Binding has been closed"); @@ -210,7 +238,7 @@ public class HiveAuthzBinding { if (requiredInputPrivileges.containsKey(getAuthzType(inputHierarchy))) { EnumSet<DBModelAction> inputPrivSet = requiredInputPrivileges.get(getAuthzType(inputHierarchy)); - if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet, ActiveRoleSet.ALL)) { + if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet, activeRoleSet)) { throw new AuthorizationException("User " + subject.getName() + " does not have privileges for " + hiveOp.name()); } @@ -228,7 +256,7 @@ public class HiveAuthzBinding { if (requiredOutputPrivileges.containsKey(getAuthzType(outputHierarchy))) { EnumSet<DBModelAction> outputPrivSet = requiredOutputPrivileges.get(getAuthzType(outputHierarchy)); - if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet, ActiveRoleSet.ALL)) { + if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet, activeRoleSet)) { throw new AuthorizationException("User " + subject.getName() + " does not have priviliedges for " + hiveOp.name()); } @@ -236,6 +264,11 @@ public class HiveAuthzBinding { } } + public void setActiveRoleSet(String activeRoleSet) { + this.activeRoleSet = parseActiveRoleSet(activeRoleSet); + hiveConf.set(HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET, activeRoleSet); + } + public Set<String> getGroups(Subject subject) { return authProvider.getGroupMapping().getGroups(subject.getName()); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java index 336b925..e162bbd 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java @@ -42,6 +42,11 @@ public class HiveAuthzConf extends Configuration { public static final String HIVE_SENTRY_MOCK_COMPILATION = "hive.sentry.mock.compilation"; public static final String HIVE_SENTRY_MOCK_ERROR = "hive.sentry.mock.error"; public static final String HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE = "No valid privileges"; + /** + * Property used to persist the role set in the session. This is not public for now. + */ + public static final String SENTRY_ACTIVE_ROLE_SET = "hive.sentry.active.role.set"; + /** * Config setting definitions http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java index 817537d..a61f609 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java @@ -55,7 +55,7 @@ import org.mockito.Mockito; public class TestSentryHiveAuthorizationTaskFactory { - private static final String SELECT = "SELECT"; + private static final String ALL = "ALL"; private static final String DB = "default"; private static final String TABLE = "table1"; private static final String GROUP = "group1"; @@ -124,7 +124,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testGrantUserTable() throws Exception { - expectSemanticException("GRANT " + SELECT + " ON TABLE " + TABLE + " TO USER " + USER, + expectSemanticException("GRANT " + ALL + " ON TABLE " + TABLE + " TO USER " + USER, SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + "USER"); } @@ -133,7 +133,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testGrantRoleTable() throws Exception { - DDLWork work = analyze(parse("GRANT " + SELECT + " ON TABLE " + TABLE + DDLWork work = analyze(parse("GRANT " + ALL + " ON TABLE " + TABLE + " TO ROLE " + ROLE)); GrantDesc grantDesc = work.getGrantDesc(); Assert.assertNotNull("Grant should not be null", grantDesc); @@ -142,7 +142,7 @@ public class TestSentryHiveAuthorizationTaskFactory { Assert.assertEquals(ROLE, principal.getName()); } for (PrivilegeDesc privilege : assertSize(1, grantDesc.getPrivileges())) { - Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); + Assert.assertEquals(Privilege.ALL, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc() .getTable()); @@ -153,7 +153,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testGrantRoleTableWithGrantOption() throws Exception { - expectSemanticException("GRANT " + SELECT + " ON TABLE " + TABLE + " TO ROLE " + ROLE + + expectSemanticException("GRANT " + ALL + " ON TABLE " + TABLE + " TO ROLE " + ROLE + " WITH GRANT OPTION", "Sentry does not allow WITH GRANT OPTION"); } @@ -162,7 +162,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testGrantGroupTable() throws Exception { - expectSemanticException("GRANT " + SELECT + " ON TABLE " + TABLE + " TO GROUP " + GROUP, + expectSemanticException("GRANT " + ALL + " ON TABLE " + TABLE + " TO GROUP " + GROUP, SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + "GROUP"); } @@ -171,7 +171,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testRevokeUserTable() throws Exception { - expectSemanticException("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM USER " + USER, + expectSemanticException("REVOKE " + ALL + " ON TABLE " + TABLE + " FROM USER " + USER, SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + "USER"); } @@ -180,7 +180,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testRevokeRoleTable() throws Exception { - DDLWork work = analyze(parse("REVOKE " + SELECT + " ON TABLE " + TABLE + DDLWork work = analyze(parse("REVOKE " + ALL + " ON TABLE " + TABLE + " FROM ROLE " + ROLE)); RevokeDesc grantDesc = work.getRevokeDesc(); Assert.assertNotNull("Revoke should not be null", grantDesc); @@ -189,7 +189,7 @@ public class TestSentryHiveAuthorizationTaskFactory { Assert.assertEquals(ROLE, principal.getName()); } for (PrivilegeDesc privilege : assertSize(1, grantDesc.getPrivileges())) { - Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); + Assert.assertEquals(Privilege.ALL, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc() .getTable()); @@ -201,7 +201,7 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testRevokeGroupTable() throws Exception { - expectSemanticException("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM GROUP " + GROUP, + expectSemanticException("REVOKE " + ALL + " ON TABLE " + TABLE + " FROM GROUP " + GROUP, SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + "GROUP"); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java index 4be391f..9f5035e 100644 --- a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java +++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java @@ -16,6 +16,8 @@ */ package org.apache.sentry.core.model.db; +import com.google.common.collect.ImmutableSet; + public class AccessConstants { /** @@ -27,4 +29,8 @@ public class AccessConstants { public static final String SELECT = "select"; public static final String INSERT = "insert"; + public static final String ALL_ROLE = "ALL", DEFAULT_ROLE = "DEFAULT", NONE_ROLE = "NONE", + SUPERUSER_ROLE = "SUPERUSER", PUBLIC_ROLE = "PUBLIC"; + public static final ImmutableSet<String> RESERVED_ROLE_NAMES = ImmutableSet.of(ALL_ROLE, + DEFAULT_ROLE, NONE_ROLE, SUPERUSER_ROLE, PUBLIC_ROLE); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a6821a61/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java index b8163b3..0e72a8b 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java @@ -116,9 +116,18 @@ public class TestDatabaseProvider extends AbstractTestWithHiveServer { connection = context.createConnection(USER1_1); statement = context.createStatement(connection); context.assertSentryServiceAccessDenied(statement, "CREATE ROLE r2"); + // test default of ALL + statement.execute("SELECT * FROM t1"); + // test a specific role + statement.execute("SET ROLE user_role"); + statement.execute("SELECT * FROM t1"); + // test NONE + statement.execute("SET ROLE NONE"); + context.assertAuthzException(statement, "SELECT * FROM t1"); + // test ALL + statement.execute("SET ROLE ALL"); statement.execute("SELECT * FROM t1"); statement.close(); connection.close(); - } }
