Repository: incubator-sentry Updated Branches: refs/heads/master a989b17b4 -> a7b456223
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index 7e2323c..a7734df 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -22,7 +22,9 @@ import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_J import static org.apache.sentry.provider.common.ProviderConstants.KV_JOINER; import java.util.ArrayList; +import java.util.Collection; import java.util.HashSet; +import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Properties; @@ -39,6 +41,7 @@ import javax.jdo.Transaction; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; import org.apache.sentry.provider.common.ProviderConstants; import org.apache.sentry.provider.db.SentryAccessDeniedException; 
@@ -50,6 +53,7 @@ import org.apache.sentry.provider.db.service.model.MSentryPrivilege; import org.apache.sentry.provider.db.service.model.MSentryRole; import org.apache.sentry.provider.db.service.model.MSentryVersion; import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet; +import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable; import org.apache.sentry.provider.db.service.thrift.TSentryGroup; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; import org.apache.sentry.provider.db.service.thrift.TSentryRole; @@ -58,7 +62,9 @@ import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.datanucleus.store.rdbms.exceptions.MissingTableException; import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.Joiner; import com.google.common.base.Preconditions; +import com.google.common.base.Splitter; import com.google.common.base.Strings; import com.google.common.collect.HashMultimap; import com.google.common.collect.Lists; @@ -84,7 +90,7 @@ public class SentryStore { private final PersistenceManagerFactory pmf; public SentryStore(Configuration conf) throws SentryNoSuchObjectException, - SentryAccessDeniedException { + SentryAccessDeniedException { commitSequenceId = 0; Properties prop = new Properties(); prop.putAll(ServerConfig.SENTRY_STORE_DEFAULTS); @@ -114,7 +120,7 @@ public class SentryStore { boolean checkSchemaVersion = conf.get( ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, ServerConfig.SENTRY_VERIFY_SCHEM_VERSION_DEFAULT).equalsIgnoreCase( - "true"); + "true"); if (!checkSchemaVersion) { prop.setProperty("datanucleus.autoCreateSchema", "true"); prop.setProperty("datanucleus.fixedDatastore", "false"); 
@@ -126,7 +132,7 @@ public class SentryStore { // ensure that the backend DB schema is set private void verifySentryStoreSchema(Configuration serverConf, boolean checkVersion) - throws SentryNoSuchObjectException, SentryAccessDeniedException { + throws SentryNoSuchObjectException, SentryAccessDeniedException { if (!checkVersion) { setSentryVersion(SentryStoreSchemaInfo.getSentryVersion(), "Schema version set implicitly"); @@ -135,8 +141,8 @@ public class SentryStore { if (!SentryStoreSchemaInfo.getSentryVersion().equals(currentVersion)) { throw new SentryAccessDeniedException( "The Sentry store schema version " + currentVersion - + " is different from distribution version " - + SentryStoreSchemaInfo.getSentryVersion()); + + " is different from distribution version " + + SentryStoreSchemaInfo.getSentryVersion()); } } } @@ -235,7 +241,7 @@ public class SentryStore { * @throws SentryAlreadyExistsException */ public CommitContext createSentryRole(String roleName, String grantorPrincipal) - throws SentryAlreadyExistsException { + throws SentryAlreadyExistsException { roleName = trimAndLower(roleName); boolean rollbackTransaction = true; PersistenceManager pm = null; @@ -338,7 +344,7 @@ public class SentryStore { */ private void revokePartialPrivilege(PersistenceManager pm, MSentryRole role, TSentryPrivilege tPrivilege) - throws SentryNoSuchObjectException, SentryInvalidInputException { + throws SentryNoSuchObjectException, SentryInvalidInputException { // only perform partial revoke if INSERT/SELECT were the action // and the privilege being revoked is on a table String action = tPrivilege.getAction(); @@ -452,7 +458,7 @@ public class SentryStore { public CommitContext dropSentryRole(String roleName) - throws SentryNoSuchObjectException { + throws SentryNoSuchObjectException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = roleName.trim().toLowerCase(); 
@@ -483,7 +489,7 @@ public class SentryStore { public CommitContext alterSentryRoleAddGroups(String grantorPrincipal, String roleName, Set<TSentryGroup> groupNames) - throws SentryNoSuchObjectException { + throws SentryNoSuchObjectException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = roleName.trim().toLowerCase(); @@ -526,7 +532,7 @@ public class SentryStore { public CommitContext alterSentryRoleDeleteGroups(String roleName, Set<TSentryGroup> groupNames) - throws SentryNoSuchObjectException { + throws SentryNoSuchObjectException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = roleName.trim().toLowerCase(); @@ -567,7 +573,7 @@ public class SentryStore { @VisibleForTesting MSentryRole getMSentryRoleByName(String roleName) - throws SentryNoSuchObjectException { + throws SentryNoSuchObjectException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = roleName.trim().toLowerCase(); 
@@ -593,11 +599,50 @@ public class SentryStore { } } - private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName) - throws SentryNoSuchObjectException { - MSentryRole mSentryRole = getMSentryRoleByName(roleName); - return mSentryRole.getPrivileges(); + List<MSentryPrivilege> getMSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) { + if ((roleNames.size() == 0)||(roleNames == null)) return new ArrayList<MSentryPrivilege>(); + boolean rollbackTransaction = true; + PersistenceManager pm = null; + try { + pm = openTransaction(); + Query query = pm.newQuery(MSentryPrivilege.class); + query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role"); + List<String> rolesFiler = new LinkedList<String>(); + for (String rName : roleNames) { + rolesFiler.add("role.roleName == \"" + rName.trim().toLowerCase() + "\""); + } + StringBuilder filters = new StringBuilder("roles.contains(role) " + + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") "); + if ((authHierarchy != null) && (authHierarchy.getServer() != null)) { + filters.append("&& serverName == \"" + authHierarchy.getServer().toLowerCase() + "\""); + if (authHierarchy.getDb() != null) { + filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == null)) && (URI == null)"); + if (authHierarchy.getTable() != null) { + filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == null)) && (URI == null)"); + } + } + if (authHierarchy.getUri() != null) { + filters.append(" && ((\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == null)) && (dbName == null)"); + } + } + + query.setFilter(filters.toString()); + List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute(); + rollbackTransaction = false; + commitTransaction(pm); + return privileges; + } finally { + if (rollbackTransaction) { + rollbackTransaction(pm); + } } + } + + private Set<MSentryPrivilege> 
getMSentryPrivilegesByRoleName(String roleName) + throws SentryNoSuchObjectException { + MSentryRole mSentryRole = getMSentryRoleByName(roleName); + return mSentryRole.getPrivileges(); + } /** * Gets sentry privilege objects for a given roleName from the persistence layer @@ -606,11 +651,37 @@ public class SentryStore { * @throws SentryNoSuchObjectException */ - public Set<TSentryPrivilege> getTSentryPrivilegesByRoleName(String roleName) + public Set<TSentryPrivilege> getAllTSentryPrivilegesByRoleName(String roleName) throws SentryNoSuchObjectException { return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName)); } + + /** + * Gets sentry privilege objects for criteria from the persistence layer + * @param roleName : roleName to look up + * @param serverName : serverName (required) + * @param uri : URI (optional) + * @param dbName : dbName (optional if tableName is null else required) + * @param tableName : tableName (optional) + * @return : Set of thrift sentry privilege objects + * @throws SentryNoSuchObjectException + */ + + public Set<TSentryPrivilege> getTSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException { + if (authHierarchy.getServer() == null) { + throw new SentryInvalidInputException("serverName cannot be null !!"); + } + if ((authHierarchy.getTable() != null) && (authHierarchy.getDb() == null)) { + throw new SentryInvalidInputException("dbName cannot be null when tableName is present !!"); + } + if ((authHierarchy.getUri() == null) && (authHierarchy.getDb() == null)) { + throw new SentryInvalidInputException("One of uri or dbName must not be null !!"); + } + return convertToTSentryPrivileges(getMSentryPrivileges(roleNames, authHierarchy)); + } + + private Set<MSentryRole> getMSentryRolesByGroupName(String groupName) throws SentryNoSuchObjectException { boolean rollbackTransaction = true; 
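Review bot: getMSentryPrivileges splices caller-supplied values into the JDOQL filter string — each role name in roleNames and the server, db, table and uri fields of authHierarchy are concatenated between double quotes — so a value containing a quote or JDOQL operator alters the query instead of being matched literally, and these values reach the store from the thrift request (SentryPolicyStoreProcessor hunks @@ -344 and @@ -371). The sibling getRoleNamesForGroups in hunk @@ -692 already shows the safe pattern with declareParameters and a bound argument; the filter here should be built the same way, binding the hierarchy fields and the role-name set as parameters (DataNucleus accepts Collection parameters with `.contains` and `startsWith` on a String parameter — confirm against the project's DataNucleus version). The guard on the first line is also inverted, `roleNames.size()` runs before `roleNames == null` and throws NPE for a null set; write `if (roleNames == null || roleNames.isEmpty()) return new ArrayList<MSentryPrivilege>();`. The unchecked cast of query.execute() deserves a `@SuppressWarnings("unchecked")` scoped to that one declaration. The rewrite below needs java.util.HashMap, which the file does not import (shown fully qualified for that reason).
```java
      Query query = pm.newQuery(MSentryPrivilege.class);
      query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
      // Bind every caller-supplied value as a JDOQL parameter instead of splicing it into the filter text.
      Map<String, Object> params = new java.util.HashMap<String, Object>();
      StringBuilder declared = new StringBuilder("java.util.Collection pRoleNames");
      StringBuilder filters = new StringBuilder("roles.contains(role) && pRoleNames.contains(role.roleName)");
      params.put("pRoleNames", toTrimedLower(roleNames));
      if ((authHierarchy != null) && (authHierarchy.getServer() != null)) {
        declared.append(", java.lang.String pServer");
        filters.append(" && serverName == pServer");
        params.put("pServer", authHierarchy.getServer().toLowerCase());
        if (authHierarchy.getDb() != null) {
          declared.append(", java.lang.String pDb");
          filters.append(" && ((dbName == pDb) || (dbName == null)) && (URI == null)");
          params.put("pDb", authHierarchy.getDb().toLowerCase());
          if (authHierarchy.getTable() != null) {
            declared.append(", java.lang.String pTable");
            filters.append(" && ((tableName == pTable) || (tableName == null)) && (URI == null)");
            params.put("pTable", authHierarchy.getTable().toLowerCase());
          }
        }
        if (authHierarchy.getUri() != null) {
          declared.append(", java.lang.String pUri");
          filters.append(" && ((pUri.startsWith(URI)) || (URI == null)) && (dbName == null)");
          params.put("pUri", authHierarchy.getUri());
        }
      }
      query.declareParameters(declared.toString());
      query.setFilter(filters.toString());
      @SuppressWarnings("unchecked")
      List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.executeWithMap(params);
      // … unchanged: commit, return and rollback-in-finally handling …
```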
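Review bot: The Javadoc added for getTSentryPrivileges documents parameters the method does not have (`roleName`, `serverName`, `uri`, `dbName`, `tableName`) and a `SentryNoSuchObjectException` it does not declare, while the actual signature takes `Set<String> roleNames, TSentryAuthorizable authHierarchy` and throws SentryInvalidInputException. Replace the tag block with `@param roleNames : role names whose privileges are returned`, `@param authHierarchy : server (required) plus optional uri/db/table used to narrow the result` and `@throws SentryInvalidInputException if the hierarchy is inconsistent`, and drop the stray blank line between the comment and the signature so the Javadoc attaches to the method. The validation also dereferences authHierarchy before checking it, so a null hierarchy raises NPE rather than the intended SentryInvalidInputException; extend the first guard to `if (authHierarchy == null || authHierarchy.getServer() == null)`.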
@@ -692,18 +763,52 @@ public class SentryStore { } } + private Set<String> getRoleNamesForGroups(Set<String> groups) { + Set<String> result = new HashSet<String>(); + boolean rollbackTransaction = true; + PersistenceManager pm = null; + try { + pm = openTransaction(); + Query query = pm.newQuery(MSentryGroup.class); + query.setFilter("this.groupName == t"); + query.declareParameters("java.lang.String t"); + query.setUnique(true); + for (String group : toTrimedLower(groups)) { + MSentryGroup sentryGroup = (MSentryGroup) query.execute(group); + if (sentryGroup != null) { + for (MSentryRole role : sentryGroup.getRoles()) { + result.add(role.getRoleName()); + } + } + } + rollbackTransaction = false; + commitTransaction(pm); + return result; + } finally { + if (rollbackTransaction) { + rollbackTransaction(pm); + } + } + } + + public Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, TSentryActiveRoleSet roleSet) throws SentryInvalidInputException { + return listSentryPrivilegesForProvider(groups, roleSet, null); + } + + public Set<String> listSentryPrivilegesForProvider(Set<String> groups, - TSentryActiveRoleSet roleSet) { - Set<String> result = Sets.newHashSet(); - Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles()); - for (Map.Entry<String, String> entry : getRoleToPrivilegeMap(groups).entries()) { - if (roleSet.isAll()) { - result.add(entry.getValue()); - } else if (activeRoleNames.contains(entry.getKey())) { - result.add(entry.getValue()); - } - } - return result; + TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException { + Set<String> result = Sets.newHashSet(); + Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles()); + + Set<String> roleNamesForGroups = toTrimedLower(getRoleNamesForGroups(groups)); + Set<String> rolesToQuery = roleSet.isAll() ? 
roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups); + List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(rolesToQuery, authHierarchy); + + for (MSentryPrivilege priv : mSentryPrivileges) { + result.add(toAuthorizable(priv)); + } + return result; } @VisibleForTesting @@ -727,7 +832,7 @@ public class SentryStore { if (!Strings.nullToEmpty(privilege.getAction()).isEmpty() && !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) { authorizable - .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(), + .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(), privilege.getAction())); } return AUTHORIZABLE_JOINER.join(authorizable); @@ -735,6 +840,7 @@ public class SentryStore { @VisibleForTesting static Set<String> toTrimedLower(Set<String> s) { + if (null == s) return new HashSet<String>(); Set<String> result = Sets.newHashSet(); for (String v : s) { result.add(v.trim().toLowerCase()); @@ -750,7 +856,7 @@ public class SentryStore { * time. */ - private Set<TSentryPrivilege> convertToTSentryPrivileges(Set<MSentryPrivilege> mSentryPrivileges) { + private Set<TSentryPrivilege> convertToTSentryPrivileges(Collection<MSentryPrivilege> mSentryPrivileges) { Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>(); for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) { privileges.add(convertToTSentryPrivilege(mSentryPrivilege)); 
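Review bot: listSentryPrivilegesForProvider hands authHierarchy straight to getMSentryPrivileges without the consistency checks that getTSentryPrivileges applies on the by-role path (server required, db required when table is set, uri or db present), so a hierarchy naming a table but no db is silently reduced to a server-level filter and returns more privileges than the caller asked about; the same unchecked pass-through is in SentryPolicyStoreProcessor hunk @@ -371, which forwards `request.getAuthorizableHierarchy()` as-is. Factor the three checks into a private `validateAuthHierarchy(TSentryAuthorizable authHierarchy)` helper that accepts null (meaning "no filter", which this path relies on) and call it from both entry points, so the store enforces one rule regardless of which thrift operation reached it. As a smaller point, `activeRoleNames` is computed even when `roleSet.isAll()` makes it unused; moving it into the else branch of the ternary avoids that work.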
@@ -809,9 +915,9 @@ public class SentryStore { private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege) throws SentryInvalidInputException { MSentryPrivilege mSentryPrivilege = new MSentryPrivilege(); - mSentryPrivilege.setServerName(safeTrim(privilege.getServerName())); - mSentryPrivilege.setDbName(safeTrim(privilege.getDbName())); - mSentryPrivilege.setTableName(safeTrim(privilege.getTableName())); + mSentryPrivilege.setServerName(safeTrimLower(privilege.getServerName())); + mSentryPrivilege.setDbName(safeTrimLower(privilege.getDbName())); + mSentryPrivilege.setTableName(safeTrimLower(privilege.getTableName())); mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope())); mSentryPrivilege.setAction(safeTrim(privilege.getAction())); mSentryPrivilege.setCreateTime(System.currentTimeMillis()); @@ -826,9 +932,15 @@ public class SentryStore { } return s.trim(); } + private String safeTrimLower(String s) { + if (s == null) { + return null; + } + return s.trim().toLowerCase(); + } public String getSentryVersion() throws SentryNoSuchObjectException, - SentryAccessDeniedException { + SentryAccessDeniedException { MSentryVersion mVersion = getMSentryVersion(); return mVersion.getSchemaVersion(); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 2aac409..3660607 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java 
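Review bot: Lower-casing serverName, dbName and tableName at write time in convertToMSentryPrivilege only helps if every row the new lower-cased equality filters in getMSentryPrivileges compare against was written the same way; if a deployment already holds rows written by the previous safeTrim-only code with mixed case, those privileges stop matching the filtered lookups after upgrade (fail-closed, but a silent loss of access) and the change should ship with a one-time normalization of existing rows, or the lookup should keep matching case-insensitively — I cannot see from the diff whether such a migration exists. Both safeTrimLower in hunk @@ -826 and the filter builder call `toLowerCase()` with the JVM default locale, which folds differently under some locales (Turkish dotted/dotless i); use `toLowerCase(Locale.ROOT)` in both so stored and queried names normalize identically on every server. safeTrimLower also lacks the blank separator line and a short Javadoc the neighbouring safeTrim has; `/** Trims and lower-cases s with Locale.ROOT, passing null through. */` would match the file's style.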
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java @@ -18,6 +18,8 @@ package org.apache.sentry.provider.db.service.thrift; +import com.google.common.base.Preconditions; +import com.google.common.collect.Sets; import java.io.IOException; import java.net.InetSocketAddress; import java.util.HashSet; @@ -29,7 +31,9 @@ import org.apache.hadoop.security.SaslRpcServer; import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.sentry.SentryUserException; import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; @@ -45,8 +49,7 @@ import org.apache.thrift.transport.TTransportException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.base.Preconditions; -import com.google.common.collect.Sets; +import java.util.List; public class SentryPolicyServiceClient { 
@@ -171,21 +174,43 @@ public class SentryPolicyServiceClient { } } + public Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName, String roleName) + throws SentryUserException { + return listPrivilegesByRoleName(requestorUserName, roleName, null); + } + /** * Gets sentry privilege objects for a given roleName using the Sentry service * @param requestorUserName : user on whose behalf the request is issued * @param requestorUserGroupNames :groups the requesting user belongs to * @param roleName : roleName to look up + * @param authorizable : authorizable Hierarchy (server->db->table etc) * @return Set of thrift sentry privilege objects * @throws SentryUserException */ - public Set<TSentryPrivilege> listPrivilegesByRoleName( - String requestorUserName, String roleName) + public Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName, + String roleName, List<? extends Authorizable> authorizable) throws SentryUserException { TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest(); request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); request.setRequestorUserName(requestorUserName); request.setRoleName(roleName); + if (authorizable != null) { + TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); + // TODO : Needed to support SearchModelAuthorizable + for (Authorizable authzble : authorizable) { + if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) { + tSentryAuthorizable.setServer(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) { + tSentryAuthorizable.setUri(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) { + tSentryAuthorizable.setDb(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) { + 
tSentryAuthorizable.setTable(authzble.getName()); + } + } + request.setAuthorizableHierarchy(tSentryAuthorizable); + } TListSentryPrivilegesResponse response; try { response = client.list_sentry_privileges_by_role(request); @@ -309,12 +334,28 @@ public class SentryPolicyServiceClient { } } - public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet) + public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException { TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest(ThriftConstants. TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet); + if ((authorizable != null)&&(authorizable.length > 0)) { + TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); + // TODO : Needed to support SearchModelAuthorizable + for (Authorizable authzble : authorizable) { + if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) { + tSentryAuthorizable.setServer(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) { + tSentryAuthorizable.setUri(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) { + tSentryAuthorizable.setDb(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) { + tSentryAuthorizable.setTable(authzble.getName()); + } + } + request.setAuthorizableHierarchy(tSentryAuthorizable); + } try { TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request); Status.throwIfNotOk(response.getStatus()); 
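Review bot: The Authorizable-to-TSentryAuthorizable mapping loop is duplicated verbatim between listPrivilegesByRoleName here and listPrivilegesForProvider in hunk @@ -309, including the same TODO; extract it into one private static helper so the two RPCs cannot drift. The loop also builds and attaches a TSentryAuthorizable even when no Server entry is present (an empty list in this hunk, or only Db/Table entries), leaving the struct's required `server` field unset, which the generated thrift `validate()` will presumably reject at write time with a less useful error — confirm against the generated code; failing fast in the helper with an IllegalArgumentException gives callers a clear message. Types other than Server/URI/Db/Table are still silently dropped, which the helper's comment should state until the SearchModelAuthorizable TODO is resolved. java.util.Arrays is not imported in this file, hence the qualified use below.
```java
  /** Maps a DB-model hierarchy onto the thrift struct; a Server entry is mandatory, other types are ignored. */
  private static TSentryAuthorizable toTSentryAuthorizable(Iterable<? extends Authorizable> authorizable) {
    TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
    // TODO : Needed to support SearchModelAuthorizable
    for (Authorizable authzble : authorizable) {
      String type = authzble.getTypeName();
      if (type.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) {
        tSentryAuthorizable.setServer(authzble.getName());
      } else if (type.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) {
        tSentryAuthorizable.setUri(authzble.getName());
      } else if (type.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) {
        tSentryAuthorizable.setDb(authzble.getName());
      } else if (type.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) {
        tSentryAuthorizable.setTable(authzble.getName());
      }
    }
    if (!tSentryAuthorizable.isSetServer()) {
      throw new IllegalArgumentException("Authorizable hierarchy must contain a Server entry");
    }
    return tSentryAuthorizable;
  }

  // in listPrivilegesByRoleName, replacing the inline loop:
    if (authorizable != null) {
      request.setAuthorizableHierarchy(toTSentryAuthorizable(authorizable));
    }

  // in listPrivilegesForProvider, replacing the inline loop:
    if ((authorizable != null) && (authorizable.length > 0)) {
      request.setAuthorizableHierarchy(toTSentryAuthorizable(java.util.Arrays.asList(authorizable)));
    }
```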
@@ -357,4 +398,4 @@ TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, transport.close(); } } -} \ No newline at end of file +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index f92c78a..f06568f 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -344,7 +344,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { // or allow all users as long as user is granted this role? authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); - privilegeSet = sentryStore.getTSentryPrivilegesByRoleName(request.getRoleName()); + if (request.isSetAuthorizableHierarchy()) { + TSentryAuthorizable authorizableHierarchy = request.getAuthorizableHierarchy(); + privilegeSet = sentryStore.getTSentryPrivileges(Sets.newHashSet(request.getRoleName()), authorizableHierarchy); + } else { + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(request.getRoleName()); + } response.setPrivileges(privilegeSet); response.setStatus(Status.OK()); } catch (SentryNoSuchObjectException e) { 
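Review bot: The new branch calls sentryStore.getTSentryPrivileges, which declares SentryInvalidInputException, but the only handler visible in this hunk is `catch (SentryNoSuchObjectException e)`; the enclosing method continues outside the hunk, so if no dedicated catch exists further down, a malformed hierarchy (table without db, missing server) falls through to whatever generic handler follows instead of producing an invalid-input status for the client — worth confirming and, if absent, adding `catch (SentryInvalidInputException e)` that sets the response status accordingly, matching how the other processor methods report bad input. A one-line comment above the branch, `// a hierarchy narrows the listing; without one the role's full privilege set is returned`, would document why the two store calls differ.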
@@ -371,7 +376,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { response.setPrivileges(new HashSet<String>()); try { response.setPrivileges(sentryStore.listSentryPrivilegesForProvider( - request.getGroups(), request.getRoleSet())); + request.getGroups(), request.getRoleSet(), request.getAuthorizableHierarchy())); response.setStatus(Status.OK()); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index b4281c7..5d584c0 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift @@ -130,11 +130,19 @@ struct TListSentryRolesResponse { 2: required set<TSentryRole> roles } +struct TSentryAuthorizable { +1: required string server, +2: optional string uri, +3: optional string db, +4: optional string table, +} + # SHOW GRANT struct TListSentryPrivilegesRequest { 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, 2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName # get privileges assigned for this role +4: required string roleName, # get privileges assigned for this role +5: optional TSentryAuthorizable authorizableHierarchy # get privileges assigned for this role } struct TListSentryPrivilegesResponse { 1: required sentry_common_service.TSentryResponseStatus status 
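Review bot: Renumbering `roleName` in TListSentryPrivilegesRequest from field id 3 to 4 changes the wire id of a required field, which breaks compatibility in both directions: an older client still sends roleName as id 3, which a new server skips as an unknown field and then rejects for the missing required roleName, and a new client's id 4 is unknown to an old server. Keep `3: required string roleName, # get privileges assigned for this role` and add the new field as `4: optional TSentryAuthorizable authorizableHierarchy`, since appending new ids is what keeps existing clients working. The comment on the new field is a copy of the roleName comment; `# restrict the listed privileges to this server/db/table/uri hierarchy` says what it actually does.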
@@ -153,6 +161,7 @@ struct TListSentryPrivilegesForProviderRequest { 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, 2: required set<string> groups, 3: required TSentryActiveRoleSet roleSet, +4: optional TSentryAuthorizable authorizableHierarchy, } struct TListSentryPrivilegesForProviderResponse { 1: required sentry_common_service.TSentryResponseStatus status http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index 67b05e6..524eea3 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 
@@ -235,65 +235,65 @@ public class TestSentryStore { roleName2, groups).getSequenceId()); // group1 all roles assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(true, new HashSet<String>())))); // one active role assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); // unknown active role assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); // no active roles assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, new HashSet<String>())))); // group2 all roles assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(true, new HashSet<String>())))); // one active role assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - 
SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); assertEquals(Sets.newHashSet( "server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); // unknown active role assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); // no active roles assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, new HashSet<String>())))); // both groups, all active roles assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(true, new HashSet<String>())))); // one active role assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. 
newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); assertEquals(Sets.newHashSet( "server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); // unknown active role assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); // no active roles assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, new HashSet<String>())))); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index 56dcaf9..1089390 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java 
@@ -18,17 +18,22 @@ package org.apache.sentry.provider.db.service.thrift; -import org.apache.sentry.core.common.ActiveRoleSet; -import static junit.framework.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -import java.util.Set; +import com.google.common.collect.Lists; +import com.google.common.collect.Sets; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.model.db.Table; import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; import org.junit.Test; -import com.google.common.collect.Sets; +import java.util.HashSet; +import java.util.Set; + +import static junit.framework.Assert.assertEquals; +import static org.junit.Assert.assertTrue; public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { 
@@ -55,6 +60,66 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { } @Test + public void testQueryPushDown() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + String group1 = "g1"; + String group2 = "g2"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + client.grantRoleToGroup(requestorUserName, group1, roleName1); + + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); + + + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + client.grantRoleToGroup(requestorUserName, group1, roleName2); + client.grantRoleToGroup(requestorUserName, group2, roleName2); + + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL"); + + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"))); + assertEquals("Privilege not assigned to role2 !!", 2, 
listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1"))); + assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1"))); + assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3"))); + assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size()); + + Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db2")); + assertEquals("Privilege not correctly assigned to roles !!", + Sets.newHashSet("server=server->db=db2->table=table4->action=ALL", "server=server->db=db2->table=table3->action=ALL"), + listPrivilegesForProvider); + + listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db3")); + assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=ALL"), listPrivilegesForProvider); + + listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3")); + assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider); + } + + + + @Test public void testGranRevokePrivilegeOnTableForRole() throws Exception { String requestorUserName = ADMIN_USER; Set<String> requestorUserGroupNames = 
Sets.newHashSet(ADMIN_GROUP); 
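Review bot: The failure messages on the filtered `listPrivilegesByRoleName` assertions in testQueryPushDown are copied from the positive case, so the `db2`/`table1` query that expects 0 results would report "Privilege not assigned to role2 !!" when the actual failure is that the push-down filter returned a privilege it should have excluded; something like `assertEquals("Filter on db2/table1 must match no privilege", 0, listPrivilegesByRoleName.size());` (and a matching message for the 1-result cases) makes a failure readable. Every push-down case uses the same server name, so a filter that ignored the server component would still pass; a query such as `client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("otherserver"), new Database("db1")))` asserted to return 0 privileges would pin that part of the filter. The three blank lines before the following `@Test` can be collapsed to one.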
@@ -66,49 +131,49 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { client.dropRoleIfExists(requestorUserName, roleName1); client.createRole(requestorUserName, roleName1); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table1", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table2", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table3", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table4", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); client.dropRoleIfExists(requestorUserName, roleName2); client.createRole(requestorUserName, roleName2); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table1", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table2", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table3", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table4", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); - Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1); + Set<TSentryPrivilege> listPrivilegesByRoleName = 
client.listAllPrivilegesByRoleName(requestorUserName, roleName1); assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size()); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size()); - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table1", "ALL"); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1); + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4); - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table1", "ALL"); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2); + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table2", 
"ALL"); - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table3", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table4", "ALL"); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1); + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table2", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table3", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table4", "ALL"); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2); + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); } 
@@ -127,12 +192,12 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { client.dropRoleIfExists(requestorUserName, roleName2); client.createRole(requestorUserName, roleName2); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL"); - Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL"); + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL"); - listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1); } @@ -183,8 +248,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { assertEquals("Incorrect number of roles", 1, roles.size()); client.grantDatabasePrivilege(requestorUserName, roleName, server, db); - Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, - roleName); + Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); assertTrue(privileges.size() == 1); for (TSentryPrivilege privilege:privileges) { assertTrue(privilege.getPrivilegeName(), http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java index 6e8f02f..5245eb4 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java @@ -29,10 +29,12 @@ import com.google.common.collect.Multimap; import com.google.common.collect.Sets; import com.google.common.collect.Table; import com.google.common.collect.Table.Cell; + import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.SentryConfigurationException; import org.apache.sentry.policy.common.PrivilegeUtils; import org.apache.sentry.policy.common.PrivilegeValidator; @@ -44,6 +46,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.annotation.Nullable; + import java.io.IOException; import java.net.URI; import java.util.HashSet; @@ -140,7 +143,7 @@ public class SimpleFileProviderBackend implements ProviderBackend { * {@inheritDoc} */ @Override - public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) { + public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) { if (!initialized) { throw new IllegalStateException("Backend has not been properly initialized"); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java ---------------------------------------------------------------------- 
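Review bot: The new `authorizableHierarchy` varargs parameter on `getPrivileges` is not referenced in the visible part of the body, and the method's Javadoc is still `{@inheritDoc}`, so a reader of the interface contract would assume this backend filters by the hierarchy the same way the DB-backed provider does; the rest of the method is outside the hunk. If the file backend ignores the argument, state that on the method instead of inheriting the interface text, e.g. `@return all privileges for the given groups and role set; authorizableHierarchy is accepted for interface compatibility and is not used to filter`. If it does filter, a `@param authorizableHierarchy` line describing the matching rule would make the contract checkable from the signature.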
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java index 1d89e1a..ab65cfd 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java @@ -139,7 +139,7 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider { statement.execute("create table " + dbName2 + "." + tableName2 + " (under_col int comment 'the under column', value string)"); statement.execute("load data local inpath '" + dataFile.getPath() - + "' into table " + tableName2); + + "' into table " + tableName2); // 3 statement.execute("CREATE ROLE all_db1"); @@ -163,8 +163,8 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider { + " TO ROLE select_tb1"); statement - .execute("GRANT ROLE all_db1, select_tb1, insert_tb1, insert_tb2, data_uri TO GROUP " - + USERGROUP1); + .execute("GRANT ROLE all_db1, select_tb1, insert_tb1, insert_tb2, data_uri TO GROUP " + + USERGROUP1); statement.close(); connection.close(); @@ -177,7 +177,7 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider { statement.execute("create table " + dbName1 + "." + tableName1 + " (under_col int comment 'the under column', value string)"); statement.execute("load data local inpath '" + dataFile.getPath() - + "' into table " + tableName1); + + "' into table " + tableName1); // 5 statement.execute("CREATE VIEW " + viewName1 + " (value) AS SELECT value from " + tableName1 + " LIMIT 10"); 
@@ -197,7 +197,30 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider { // 8 connection = context.createConnection(USER1_1); statement = context.createStatement(connection); + Exception ex = null; + try { + statement.execute("USE " + dbName2); + } catch (Exception e) { + ex = e; + } finally { + statement.close(); + connection.close(); + } + System.out.println("Message : " + ex.getMessage()); + assertTrue("This should not be allowed !!", ex != null); + + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); + statement.execute("CREATE ROLE all_db2"); + statement.execute("GRANT ALL ON DATABASE " + dbName2 + " TO ROLE all_db2"); + statement.execute("GRANT ROLE all_db2 TO GROUP " + USERGROUP1); + statement.close(); + connection.close(); + + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); statement.execute("USE " + dbName2); + statement.execute("INSERT OVERWRITE TABLE " + dbName2 + "." + tableName2 + " SELECT * FROM " + dbName1 + "." + tableName1);
