Repository: incubator-sentry Updated Branches: refs/heads/master 540424d50 -> 3226ce992
SENTRY-216: Support SHOW CURRENT ROLES (Sravya Tirukkovalur via Prasad Mujumdar) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/3226ce99 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/3226ce99 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/3226ce99 Branch: refs/heads/master Commit: 3226ce992a32c52e76dd3ae5fdb1c9e870b0214f Parents: 540424d Author: Prasad Mujumdar <[email protected]> Authored: Wed May 21 14:33:39 2014 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Wed May 21 14:33:39 2014 -0700 ---------------------------------------------------------------------- .../hive/ql/exec/SentryGrantRevokeTask.java | 31 +++++++++++++-- .../binding/hive/authz/HiveAuthzBinding.java | 4 ++ .../tests/e2e/hive/TestDatabaseProvider.java | 42 ++++++++++++++++---- 3 files changed, 65 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3226ce99/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index ec0b658..faa71c7 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -49,6 +49,7 @@ import org.apache.sentry.SentryUserException;
 import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
@@ -196,10 +197,21 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 writeToFile(writeRoleGrantsInfo(roles), desc.getResFile());
 return RETURN_CODE_SUCCESS;
 } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) {
- Set<TSentryRole> roles = sentryClient.listRoles(subject, subjectGroups);
- writeToFile(writeRolesInfo(roles), desc.getResFile());
- return RETURN_CODE_SUCCESS;
- } else {
+ Set<TSentryRole> roles = sentryClient.listRoles(subject, subjectGroups);
+ writeToFile(writeRolesInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_CURRENT_ROLE)) {
+ ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet();
+ if( roleSet.isAll()) {
+ Set<TSentryRole> roles = sentryClient.listRoles(subject, subjectGroups);
+ writeToFile(writeRolesInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ } else {
+ Set<String> roles = roleSet.getRoles();
+ writeToFile(writeActiveRolesInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ }
+ } else {
 throw new HiveException("Unknown role operation " + operation.getOperationName());
 }
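Review bot: The non-ALL branch of the new `SHOW_CURRENT_ROLE` case writes `roleSet.getRoles()` straight to the result file, so the output reflects the session's active role set rather than a fresh lookup of what the subject has been granted. If `SET ROLE` does not already reject roles outside the subject's groups (that check is not visible in this diff), the command can list a role the user does not effectively hold; at minimum the branch should carry a comment such as `// Active roles come from the session's SET ROLE state, not from the policy store.`, and ideally the names would be checked against `sentryClient.listRoles(subject, subjectGroups)` before being written. The `isAll()` branch repeats the three `SHOW_ROLES` lines verbatim and could share them, and `roleSet` is dereferenced without a null check. The enclosing method starts and ends outside the hunk.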
@@ -360,6 +372,17 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 return builder.toString();
 }
+ static String writeActiveRolesInfo(Set<String> roles) {
+ if (roles == null || roles.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder();
+ for (String role : roles) {
+ appendNonNull(builder, role, true);
+ }
+ return builder.toString();
+ }
+
 static StringBuilder appendNonNull(StringBuilder builder, Object value) {
 return appendNonNull(builder, value, false);
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3226ce99/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index 7a561ef..63484a8 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -269,6 +269,10 @@ public class HiveAuthzBinding {
 hiveConf.set(HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET, activeRoleSet);
 }
+ public ActiveRoleSet getActiveRoleSet() {
+ return activeRoleSet;
+ }
+
 public Set<String> getGroups(Subject subject) {
 return authProvider.getGroupMapping().getGroups(subject.getName());
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3226ce99/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
----------------------------------------------------------------------
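Review bot: `writeActiveRolesInfo` has no comment describing its output, and the meaning of the `true` passed to `appendNonNull` has to be inferred from the two-argument overload shown just below, which passes `false`. A one-line Javadoc would do, for example `/** Formats the active role names for the SHOW CURRENT ROLES result file; returns "" for a null or empty set. */`. Rows are emitted in the iteration order of the `Set`, so the order is unspecified unless the caller passes an ordered set; that is worth stating in the same comment.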
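Review bot: `getActiveRoleSet()` hands out the binding's own `activeRoleSet` field, which is presumably the same object consulted when statements are authorized. If `ActiveRoleSet` is mutable (its definition is not part of this diff), any caller could change the session's effective roles through the returned reference, so the accessor should state the contract, e.g. `/** Returns the session's active role set; callers must not modify it. */`, or return a copy. The context line above writes a value named `activeRoleSet` into `hiveConf`; it is worth confirming that the same setter also refreshes the field returned here, otherwise SHOW CURRENT ROLES would lag behind SET ROLE.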
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
index 176acee..7564829 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
@@ -41,6 +41,7 @@ import static org.hamcrest.Matchers.*;
 import java.io.File;
 import java.sql.Connection;
 import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.HashSet;
@@ -168,6 +169,10 @@ public class TestDatabaseProvider extends AbstractTestWithHiveServer {
 statement.execute("CREATE ROLE role1");
 statement.execute("CREATE ROLE role2");
 ResultSet resultSet = statement.executeQuery("SHOW ROLES");
+ ResultSetMetaData resultSetMetaData = resultSet.getMetaData();
+ assertThat(resultSetMetaData.getColumnCount(), is(1));
+ assertThat(resultSetMetaData.getColumnName(1), equalToIgnoringCase("role"));
+
 Set<String> roles = new HashSet<String>();
 while ( resultSet.next()) {
 roles.add(resultSet.getString(1));
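Review bot: The column-metadata assertions added after `executeQuery("SHOW ROLES")` are repeated in the same shape in the hunks at -196, -224 and -277, with the count and every name written out by hand (ten names in the SHOW GRANT ROLE test). A small private helper taking the expected names would keep the count and the names from drifting apart and would show the expected schema of each SHOW command in one line. The test method continues outside this hunk, so the helper below is meant to sit at class level.

```java
private static void assertColumnNames(ResultSet resultSet, String... expected)
    throws SQLException {
  ResultSetMetaData metaData = resultSet.getMetaData();
  assertThat(metaData.getColumnCount(), is(expected.length));
  for (int i = 0; i < expected.length; i++) {
    assertThat(metaData.getColumnName(i + 1), equalToIgnoringCase(expected[i]));
  }
}

// ... unchanged: CREATE ROLE statements and executeQuery("SHOW ROLES") ...
assertColumnNames(resultSet, "role");
```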
@@ -196,7 +201,12 @@ public class TestDatabaseProvider extends AbstractTestWithHiveServer {
 statement.execute("GRANT ROLE role1 to GROUP " + ADMINGROUP);
 ResultSet resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + ADMINGROUP);
- Set<String> roles = new HashSet<String>();
+ ResultSetMetaData resultSetMetaData = resultSet.getMetaData();
+ assertThat(resultSetMetaData.getColumnCount(), is(4));
+ assertThat(resultSetMetaData.getColumnName(1), equalToIgnoringCase("role"));
+ assertThat(resultSetMetaData.getColumnName(2), equalToIgnoringCase("grant_option"));
+ assertThat(resultSetMetaData.getColumnName(3), equalToIgnoringCase("grant_time"));
+ assertThat(resultSetMetaData.getColumnName(4), equalToIgnoringCase("grantor"));
 while ( resultSet.next()) {
 assertThat(resultSet.getString(1), equalToIgnoringCase("role1"));
 assertThat(resultSet.getBoolean(2), is(new Boolean("False")));
@@ -224,6 +234,21 @@ public class TestDatabaseProvider extends AbstractTestWithHiveServer {
 statement.execute("GRANT SELECT ON TABLE t1 TO ROLE role1");
 ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ ResultSetMetaData resultSetMetaData = resultSet.getMetaData();
+ //| database | table | partition | column | principal_name |
+ // principal_type | privilege | grant_option | grant_time | grantor |
+ assertThat(resultSetMetaData.getColumnCount(), is(10));
+ assertThat(resultSetMetaData.getColumnName(1), equalToIgnoringCase("database"));
+ assertThat(resultSetMetaData.getColumnName(2), equalToIgnoringCase("table"));
+ assertThat(resultSetMetaData.getColumnName(3), equalToIgnoringCase("partition"));
+ assertThat(resultSetMetaData.getColumnName(4), equalToIgnoringCase("column"));
+ assertThat(resultSetMetaData.getColumnName(5), equalToIgnoringCase("principal_name"));
+ assertThat(resultSetMetaData.getColumnName(6), equalToIgnoringCase("principal_type"));
+ assertThat(resultSetMetaData.getColumnName(7), equalToIgnoringCase("privilege"));
+ assertThat(resultSetMetaData.getColumnName(8), equalToIgnoringCase("grant_option"));
+ assertThat(resultSetMetaData.getColumnName(9), equalToIgnoringCase("grant_time"));
+ assertThat(resultSetMetaData.getColumnName(10), equalToIgnoringCase("grantor"));
+
 while ( resultSet.next()) {
 assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
 assertThat(resultSet.getString(2), equalToIgnoringCase("t1"));
@@ -267,7 +292,6 @@ public class TestDatabaseProvider extends AbstractTestWithHiveServer {
 * SHOW CURRENT ROLE not supported yet
 * @throws Exception
 */
- @Ignore
 @Test
 public void testShowCurrentRole() throws Exception {
 policyFile
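Review bot: Removing `@Ignore` enables `testShowCurrentRole`, but the Javadoc kept as context directly above it still reads `SHOW CURRENT ROLE not supported yet`, which now contradicts the test. Replace that line with something like `* SHOW CURRENT ROLES lists the roles made active by SET ROLE`. If `Ignore` is no longer used elsewhere in the file its import can go as well; the import block is outside this hunk.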
@@ -277,13 +301,15 @@ public class TestDatabaseProvider extends AbstractTestWithHiveServer {
 Statement statement = context.createStatement(connection);
 statement.execute("CREATE ROLE role1");
 statement.execute("SET ROLE role1");
+ ResultSet resultSet = statement.executeQuery("SHOW CURRENT ROLES");
+ ResultSetMetaData resultSetMetaData = resultSet.getMetaData();
+ assertThat(resultSetMetaData.getColumnCount(), is(1));
+ assertThat(resultSetMetaData.getColumnName(1), equalToIgnoringCase("role"));
- try {
- ResultSet resultSet = statement.executeQuery("SHOW CURRENT ROLE");
- assertTrue("Expected an exception", false);
- } catch(SQLException e) {
- statement.close();
- connection.close();
+ while( resultSet.next()) {
+ assertThat(resultSet.getString(1), equalToIgnoringCase("role1"));
 }
+ statement.close();
+ connection.close();
 }
 }
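Review bot: The new `while( resultSet.next())` loop asserts only on rows that exist, so the test still passes when SHOW CURRENT ROLES returns no rows at all. Pin the row count instead: `assertThat(resultSet.next(), is(true));` before reading column 1 and `assertThat(resultSet.next(), is(false));` afterwards, so that an empty or over-long result fails. Only the `SET ROLE role1` path is covered in this hunk; the ALL branch and a role that is not granted to the user's group are not exercised, and the second of those is the case that matters for an authorization display. `statement.close()` and `connection.close()` are skipped when an assertion throws, so they belong in a `finally` block.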
