Repository: incubator-sentry Updated Branches: refs/heads/master 5fc968e6c -> cbbb3bd7a
SENTRY-158: Hive bindings should enable MR level ACLs for session user (Prasad Mujumdar via Jarek Jarcec Cecho) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/cbbb3bd7 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/cbbb3bd7 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/cbbb3bd7 Branch: refs/heads/master Commit: cbbb3bd7ae1053ae3794fada66160aee10664014 Parents: 5fc968e Author: Jarek Jarcec Cecho <[email protected]> Authored: Mon May 19 08:23:54 2014 -0700 Committer: Jarek Jarcec Cecho <[email protected]> Committed: Mon May 19 08:23:54 2014 -0700 ---------------------------------------------------------------------- .../hive/HiveAuthzBindingSessionHook.java | 24 ++++++++++++++------ .../apache/sentry/tests/e2e/hive/Context.java | 22 ++++++++++++++++++ .../tests/e2e/hive/TestUserManagement.java | 10 ++++++++ 3 files changed, 49 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java index 2e53acb..aacad66 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java @@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.mapreduce.JobContext; import org.apache.hive.service.cli.HiveSQLException; import org.apache.hive.service.cli.session.HiveSessionHookContext; import org.apache.sentry.binding.hive.conf.HiveAuthzConf; @@ -69,9 +70,11 @@ public class HiveAuthzBindingSessionHook // Add sentry hooks to the session configuration HiveConf sessionConf = sessionHookContext.getSessionConf(); - appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK, SEMANTIC_HOOK); - appendConfVar(sessionConf, ConfVars.PREEXECHOOKS, PRE_EXEC_HOOK); - appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK, FILTER_HOOK); + appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname, + SEMANTIC_HOOK); + appendConfVar(sessionConf, ConfVars.PREEXECHOOKS.varname, PRE_EXEC_HOOK); + appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK.varname, + FILTER_HOOK); // setup config sessionConf.setBoolVar(ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE, true); @@ -82,18 +85,25 @@ public class HiveAuthzBindingSessionHook sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser()); sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser()); + // Set MR ACLs to session user + appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB, + sessionHookContext.getSessionUser()); + appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, + sessionHookContext.getSessionUser()); + // setup restrict list sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST); } // Setup given sentry hooks - private void appendConfVar(HiveConf sessionConf, ConfVars confVar, String sentryConfVal) { - String currentValue = sessionConf.getVar(confVar); - if ((currentValue == null) || currentValue.isEmpty()) { + private void appendConfVar(HiveConf sessionConf, String confVar, + String sentryConfVal) { + String currentValue = sessionConf.get(confVar, "").trim(); + if (currentValue.isEmpty()) { currentValue = sentryConfVal; } else { currentValue = sentryConfVal + "," + currentValue; } - sessionConf.setVar(confVar, currentValue); + sessionConf.set(confVar, currentValue); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java index 99ca16e..ce374c2 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java @@ -17,8 +17,10 @@ package org.apache.sentry.tests.e2e.hive; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; import java.io.File; import java.io.FileNotFoundException; @@ -27,6 +29,7 @@ import java.io.IOException; import java.io.PrintWriter; import java.net.URI; import java.sql.Connection; +import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import java.util.Set; @@ -226,4 +229,23 @@ public class Context { public String getConnectionURL() { return hiveServer.getURL(); } + + /** + * Execute "set x" and extract value from key=val format result Verify the + * extracted value + * + * @param stmt + * @return + * @throws Exception + */ + public void verifySessionConf(Connection con, String key, String expectedVal) + throws Exception { + Statement stmt = con.createStatement(); + ResultSet res = stmt.executeQuery("set " + key); + assertTrue(res.next()); + String resultValues[] = res.getString(1).split("="); // "key=val" + assertEquals("Result not in key = val format", 2, resultValues.length); + assertEquals("Conf value should be set by execute()", expectedVal, + resultValues[1]); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cbbb3bd7/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java index d88609a..e1cf073 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java @@ -26,6 +26,7 @@ import java.sql.Connection; import java.sql.ResultSet; import java.sql.Statement; +import org.apache.hadoop.mapreduce.JobContext; import org.apache.sentry.provider.file.PolicyFile; import org.junit.After; import org.junit.Before; @@ -339,4 +340,13 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration { connection.close(); } } + + @Test + public void testMrAclsSetting() throws Exception { + Connection connection = context.createConnection("admin1"); + context + .verifySessionConf(connection, JobContext.JOB_ACL_VIEW_JOB, "admin1"); + context + .verifySessionConf(connection, JobContext.JOB_ACL_VIEW_JOB, "admin1"); + } }
