Repository: incubator-sentry Updated Branches: refs/heads/master bc755d77d -> 7a9fd90c3
SENTRY-243: The operation type needs to be set in the grant/revoke task context for the failure hook ( Prasad Mujumdar via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7a9fd90c Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7a9fd90c Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7a9fd90c Branch: refs/heads/master Commit: 7a9fd90c345a6e3f9656366773d452f18e0d5b15 Parents: bc755d7 Author: Sravya Tirukkovalur <[email protected]> Authored: Wed Jun 4 01:13:11 2014 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Wed Jun 4 01:13:11 2014 -0700
----------------------------------------------------------------------
.../hive/ql/exec/SentryGrantRevokeTask.java | 11 +++- .../binding/hive/HiveAuthzBindingHook.java | 1 + .../TestDbSentryOnFailureHookLoading.java | 53 +++++++++++++++++--- 3 files changed, 56 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 54c9a41..6ea1ca0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -41,6 +41,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.plan.DDLWork;
 import org.apache.hadoop.hive.ql.plan.GrantDesc;
 import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
 import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
 import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
@@ -66,6 +67,7 @@ import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.model.db.Table;
 import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
 import org.apache.sentry.provider.db.service.thrift.TSentryRole;
@@ -97,6 +99,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 private Subject subject;
 private Set<String> subjectGroups;
 private String ipAddress;
+ private HiveOperation stmtOperation;
 public SentryGrantRevokeTask() {
@@ -153,13 +156,13 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 }
 throw new AssertionError(
 "Unknown command passed to Sentry Grant/Revoke Task");
- } catch (SentryUserException e) {
+ } catch (SentryAccessDeniedException e) {
 String csHooks = authzConf.get(
 HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "")
 .trim();
 SentryOnFailureHookContext hookContext = new SentryOnFailureHookContextImpl(
 queryPlan.getQueryString(), new HashSet<ReadEntity>(),
- new HashSet<WriteEntity>(), SessionState.get().getHiveOperation(),
+ new HashSet<WriteEntity>(), stmtOperation,
 null, null, null, null, subject.getName(), ipAddress,
 new AuthorizationException(e), conf);
 HiveAuthzBindingHook.runFailureHook(hookContext, csHooks);
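Review bot: In the `@@ -153` hunk the hook context now takes the operation from the `stmtOperation` field, which is only populated through the new `setOperation` setter; a task that reaches this catch without that call hands the failure hook a null operation where the old code read it from the session, so the failure record would lose its operation type. A one-line fallback preserves the old behaviour for that case: `new HashSet<WriteEntity>(), stmtOperation != null ? stmtOperation : SessionState.get().getHiveOperation(),`. Narrowing the catch from `SentryUserException` to `SentryAccessDeniedException` also means any other exception that used to match the wider type no longer triggers the failure hook; if that is intended, a short comment on the catch line stating that only access-denied failures are reported to the hooks would save the next reader the question. The method containing this catch starts and ends outside the hunk.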
@@ -203,6 +206,10 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 this.ipAddress = ipAddress;
 }
+ public void setOperation(HiveOperation stmtOperation) {
+ this.stmtOperation = stmtOperation;
+ }
+
 private int processRoleDDL(HiveConf conf, LogHelper console,
 SentryPolicyServiceClient sentryClient, String subject,
 HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc)
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index a362363..812f310 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -288,6 +288,7 @@ implements HiveDriverFilterHook {
 sentryTask.setSubject(subject);
 sentryTask.setSubjectGroups(subjectGroups);
 sentryTask.setIpAddress(context.getIpAddress());
+ sentryTask.setOperation(stmtOperation);
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
index 41a31e8..8beedd7 100644
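Review bot: `setOperation` in the `@@ -203` hunk carries no Javadoc, and since it is the only place `stmtOperation` is assigned (the `@@ -288` hunk in HiveAuthzBindingHook is its one caller visible here), the expectation that it is set before the task runs is worth stating, because the failure-hook context built from this field otherwise reports no operation. Suggested: `/** Records the HiveOperation reported to the Sentry failure hooks if this task fails; expected to be set by HiveAuthzBindingHook before the task runs. */`. The `processRoleDDL` signature that closes the hunk continues outside it.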
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
@@ -157,21 +157,60 @@ public class TestDbSentryOnFailureHookLoading extends AbstractTestWithDbProvider
 .setUserGroupMapping(StaticUserGroup.getStaticMapping())
 .write(context.getPolicyFile());
- Connection connection = context.createConnection(USER1_1);
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
 Statement statement = context.createStatement(connection);
+ statement.execute("CREATE ROLE admin_role");
+ statement.execute("GRANT ALL ON SERVER "
+ + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
+ statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
+ statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
+ statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE");
+ statement.execute("CREATE DATABASE DB_1");
+ statement.execute("CREATE ROLE all_db1");
+ statement.execute("GRANT ALL ON DATABASE DB_1 TO ROLE all_db1");
+ statement.execute("GRANT ROLE all_db1 TO GROUP " + USERGROUP1);
+ connection.close();
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+
+ statement.execute("USE DB_1");
+ statement.execute("CREATE TABLE foo (id int)");
+
+ verifyFailureHook(statement, "CREATE ROLE fooTest",
+ HiveOperation.CREATEROLE);
+ verifyFailureHook(statement, "DROP ROLE fooTest", HiveOperation.DROPROLE);
+ verifyFailureHook(statement,
+ "GRANT ALL ON SERVER server1 TO ROLE admin_role",
+ HiveOperation.GRANT_PRIVILEGE);
+ verifyFailureHook(statement,
+ "REVOKE ALL ON SERVER server1 FROM ROLE admin_role",
+ HiveOperation.REVOKE_PRIVILEGE);
+ verifyFailureHook(statement, "GRANT ROLE all_db1 TO GROUP " + USERGROUP1,
+ HiveOperation.GRANT_ROLE);
+ verifyFailureHook(statement,
+ "REVOKE ROLE all_db1 FROM GROUP " + USERGROUP1,
+ HiveOperation.GRANT_ROLE);
+
+ statement.close();
+ connection.close();
+ context.close();
+ }
+
+ // run the given statement and verify that failure hook is invoked as expected
+ private void verifyFailureHook(Statement statement, String sqlStr,
+ HiveOperation expectedOp) throws Exception {
 // negative test case: non admin user can't create role
 assertFalse(DummySentryOnFailureHook.invoked);
 DummySentryOnFailureHook.setHiveOp(HiveOperation.CREATEROLE);
 try {
- statement.execute("CREATE ROLE fooTest");
- Assert.fail("Expected SQL exception");
+ statement.execute(sqlStr);
+ Assert.fail("Expected SQL exception for " + sqlStr);
 } catch (SQLException e) {
 assertTrue(DummySentryOnFailureHook.invoked);
+ } finally {
+ DummySentryOnFailureHook.invoked = false;
 }
-
- statement.close();
- connection.close();
- context.close();
 }
 }
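Review bot: `expectedOp` is never read inside the new `verifyFailureHook` helper: the line `DummySentryOnFailureHook.setHiveOp(HiveOperation.CREATEROLE);` still hard-codes CREATEROLE, so every call passes as long as the hook fires and the test never checks that the operation type now carried in the task context is the one the hook receives, which is the point of this commit. Change that line to `DummySentryOnFailureHook.setHiveOp(expectedOp);` and generalise the stale comment above it to something like `// negative test case: the non-admin user must be denied, and the failure hook must see the expected operation`. Once that expectation is real, the last call in the test body passes `HiveOperation.GRANT_ROLE` for `REVOKE ROLE all_db1 FROM GROUP ...`, which reads as a copy-paste of the preceding call and presumably should be `HiveOperation.REVOKE_ROLE`. The test method these calls sit in begins outside the hunk, and whether DummySentryOnFailureHook compares the operation it is given is not visible here.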
