Repository: incubator-sentry Updated Branches: refs/heads/master 112dd60bc -> bc755d77d
SENTRY-255: Revoke on Server privilege fails (Sravya Tirukkovalur via Jarek Jarcec Cecho) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/bc755d77 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/bc755d77 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/bc755d77 Branch: refs/heads/master Commit: bc755d77d28691f1ff522b53633adb5da83c3e1a Parents: 112dd60 Author: Jarek Jarcec Cecho <[email protected]> Authored: Tue Jun 3 19:59:01 2014 -0700 Committer: Jarek Jarcec Cecho <[email protected]> Committed: Tue Jun 3 19:59:01 2014 -0700 ---------------------------------------------------------------------- .../hive/ql/exec/SentryGrantRevokeTask.java | 6 +- .../e2e/dbprovider/TestDatabaseProvider.java | 121 +++++++++++++++++++ 2 files changed, 126 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bc755d77/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 4a50bd0..54c9a41 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -531,7 +531,11 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 tableName, toSentryAction(privDesc.getPrivilege().getPriv()));
 }
 } else {
- if (tableName == null) {
+ if (serverName != null) {
+ sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName);
+ } else if (uriPath != null) {
+ sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath);
+ } else if (tableName == null) {
 sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName);
 } else {
 sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName,
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bc755d77/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index 05e5218..84223a9 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
@@ -17,6 +17,8 @@
 package org.apache.sentry.tests.e2e.dbprovider;
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
 import static org.hamcrest.Matchers.equalToIgnoringCase;
 import static org.hamcrest.Matchers.is;
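Review bot: The new server branch in the `@@ -531,7 +531,11 @@` hunk passes the statement-supplied `serverName` to `revokeServerPrivilege`, while the URI, database and table branches all pass `server`; nothing visible here checks that the two name the same server, so a guard such as `if (!serverName.equalsIgnoreCase(server)) throw new HiveException(...)` before the call looks worth adding, assuming `server` is the configured server name. Only the table branch forwards `toSentryAction(privDesc.getPrivilege().getPriv())`, so a statement like `REVOKE SELECT ON SERVER ...` or `... ON URI ...` appears to drop the whole privilege rather than one action. That errs toward over-revoking, but it deserves a comment such as `// server, URI and database revokes ignore the action and remove the whole privilege`. The final `else if (tableName == null)` still sends every remaining case to `revokeDatabasePrivilege`, including one where `dbName` might also be null. The enclosing method starts and ends outside the hunk, so the matching grant path could not be compared.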
@@ -103,6 +105,125 @@ public class TestDatabaseProvider extends AbstractTestWithDbProvider {
 connection.close();
 }
+
+ /**
+ * Revoke privilege
+ * @throws Exception
+ */
+ @Test
+ public void testRevokePrivileges() throws Exception {
+ Connection connection;
+ Statement statement;
+ ResultSet resultSet;
+
+ connection = context.createConnection(ADMIN1);
+ statement = context.createStatement(connection);
+ statement.execute("CREATE ROLE role1");
+
+ //Revoke All on server by admin
+ statement.execute("GRANT ALL ON SERVER server1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON SERVER server1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke All on database by admin
+ statement.execute("GRANT ALL ON DATABASE default to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON DATABASE default from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke All on URI by admin
+ statement.execute("GRANT ALL ON URI 'file:///path' to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON URI 'file:///path' from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke All on table by admin
+ statement.execute("GRANT ALL ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE ALL ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke INSERT on table by admin
+ statement.execute("GRANT INSERT ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE INSERT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke SELECT on table by admin
+ statement.execute("GRANT SELECT ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE SELECT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 0);
+
+ //Revoke Partial privilege on table by admin
+ statement.execute("GRANT ALL ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE INSERT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ while(resultSet.next()) {
+ assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
+ assertThat(resultSet.getString(2), equalToIgnoringCase("tab1"));
+ assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
+ assertThat(resultSet.getString(4), equalToIgnoringCase(""));//column
+ assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
+ assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
+ assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
+ assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption
+ //Create time is not tested
+ //assertThat(resultSet.getLong(9), is(new Long(0)));
+ assertThat(resultSet.getString(10), equalToIgnoringCase(ADMIN1));//grantor
+
+ }
+
+ //Revoke Partial privilege on table by admin
+ statement.execute("GRANT ALL ON TABLE tab1 to role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ statement.execute("REVOKE SELECT ON TABLE tab1 from role role1");
+ resultSet = statement.executeQuery("SHOW GRANT ROLE role1");
+ assertResultSize(resultSet, 1);
+ while(resultSet.next()) {
+ assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
+ assertThat(resultSet.getString(2), equalToIgnoringCase("tab1"));
+ assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
+ assertThat(resultSet.getString(4), equalToIgnoringCase(""));//column
+ assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
+ assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
+ assertThat(resultSet.getString(7), equalToIgnoringCase("insert"));
+ assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption
+ //Create time is not tested
+ //assertThat(resultSet.getLong(9), is(new Long(0)));
+ assertThat(resultSet.getString(10), equalToIgnoringCase(ADMIN1));//grantor
+
+ }
+
+ statement.close();
+ connection.close();
+ }
+
+ private void assertResultSize(ResultSet resultSet, int expected) throws SQLException{
+ int count = 0;
+ while(resultSet.next()) {
+ count++;
+ }
+ assertThat(count, is(expected));
+ }
+
 /**
 * SHOW ROLES
 * @throws Exception
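Review bot: In both "Revoke Partial privilege" blocks of `testRevokePrivileges`, `assertResultSize(resultSet, 1)` has already read the result set to its end, so the `while(resultSet.next())` loop that follows most likely never runs its body. The assertions that the surviving privilege is `select` (or `insert`) and that the grantor is `ADMIN1` are then never evaluated, which leaves the partial revoke checked by row count only. Re-issuing `resultSet = statement.executeQuery("SHOW GRANT ROLE role1");` immediately before each loop would make those checks effective. The test also runs every revoke as `ADMIN1`, and the `SentryAccessDeniedException` import added in the `@@ -17,6 +17,8 @@` hunk is not used in the code visible here, so a case asserting that a non-admin's `REVOKE` is denied seems to be missing. `role1` is never dropped, and the second partial block begins while the `select` grant from the first is still in place.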
