Repository: incubator-sentry Updated Branches: refs/heads/master 598849509 -> b11f5aab9
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index cf381e5..78f41d3 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -65,6 +65,7 @@ import com.google.common.base.Joiner; import com.google.common.base.Preconditions; import com.google.common.base.Strings; import com.google.common.collect.HashMultimap; +import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; import com.google.common.collect.SetMultimap; import com.google.common.collect.Sets; @@ -262,7 +263,6 @@ public class SentryStore { } } - //TODO: handle case where a) privilege already exists, b) role to privilege mapping already exists public CommitContext alterSentryRoleGrantPrivilege(String roleName, TSentryPrivilege privilege) throws SentryNoSuchObjectException, SentryInvalidInputException { boolean rollbackTransaction = true; @@ -270,54 +270,10 @@ public class SentryStore { roleName = trimAndLower(roleName); try { pm = openTransaction(); - MSentryRole mRole = getMSentryRole(pm, roleName); - if (mRole == null) { - throw new SentryNoSuchObjectException("Role: " + roleName); - } else { - - if ((privilege.getTableName() != null)||(privilege.getDbName() != null)) { - // If Grant is for ALL and Either INSERT/SELECT already exists.. - // need to remove it and GRANT ALL.. - if (privilege.getAction().equalsIgnoreCase("*")) { - TSentryPrivilege tNotAll = new TSentryPrivilege(privilege); - tNotAll.setAction(AccessConstants.SELECT); - MSentryPrivilege mSelect = getMSentryPrivilege(constructPrivilegeName(tNotAll), pm); - tNotAll.setAction(AccessConstants.INSERT); - MSentryPrivilege mInsert = getMSentryPrivilege(constructPrivilegeName(tNotAll), pm); - if ((mSelect != null)&&(mRole.getPrivileges().contains(mSelect))) { - mSelect.removeRole(mRole); - pm.makePersistent(mSelect); - } - if ((mInsert != null)&&(mRole.getPrivileges().contains(mInsert))) { - mInsert.removeRole(mRole); - pm.makePersistent(mInsert); - } - } else { - // If Grant is for Either INSERT/SELECT and ALL already exists.. - // do nothing.. - TSentryPrivilege tAll = new TSentryPrivilege(privilege); - tAll.setAction(AccessConstants.ALL); - MSentryPrivilege mAll = getMSentryPrivilege(constructPrivilegeName(tAll), pm); - if ((mAll != null)&&(mRole.getPrivileges().contains(mAll))) { - CommitContext commit = commitUpdateTransaction(pm); - rollbackTransaction = false; - return commit; - } - } - } - - MSentryPrivilege mPrivilege = getMSentryPrivilege(constructPrivilegeName(privilege), pm); - if (mPrivilege == null) { - mPrivilege = convertToMSentryPrivilege(privilege); - } - mPrivilege.appendRole(mRole); - pm.makePersistent(mRole); - pm.makePersistent(mPrivilege); - - CommitContext commit = commitUpdateTransaction(pm); - rollbackTransaction = false; - return commit; - } + alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege); + CommitContext commit = commitUpdateTransaction(pm); + rollbackTransaction = false; + return commit; } finally { if (rollbackTransaction) { rollbackTransaction(pm); @@ -325,41 +281,70 @@ public class SentryStore { } } + private void alterSentryRoleGrantPrivilegeCore(PersistenceManager pm, + String roleName, TSentryPrivilege privilege) + throws SentryNoSuchObjectException, SentryInvalidInputException { + MSentryRole mRole = getMSentryRole(pm, roleName); + if (mRole == null) { + throw new SentryNoSuchObjectException("Role: " + roleName); + } else { + + if ((privilege.getTableName() != null) || (privilege.getDbName() != null)) { + // If Grant is for ALL and Either INSERT/SELECT already exists.. + // need to remove it and GRANT ALL.. + if (privilege.getAction().equalsIgnoreCase("*")) { + TSentryPrivilege tNotAll = new TSentryPrivilege(privilege); + tNotAll.setAction(AccessConstants.SELECT); + MSentryPrivilege mSelect = getMSentryPrivilege( + constructPrivilegeName(tNotAll), pm); + tNotAll.setAction(AccessConstants.INSERT); + MSentryPrivilege mInsert = getMSentryPrivilege( + constructPrivilegeName(tNotAll), pm); + if ((mSelect != null) && (mRole.getPrivileges().contains(mSelect))) { + mSelect.removeRole(mRole); + pm.makePersistent(mSelect); + } + if ((mInsert != null) && (mRole.getPrivileges().contains(mInsert))) { + mInsert.removeRole(mRole); + pm.makePersistent(mInsert); + } + } else { + // If Grant is for Either INSERT/SELECT and ALL already exists.. + // do nothing.. + TSentryPrivilege tAll = new TSentryPrivilege(privilege); + tAll.setAction(AccessConstants.ALL); + MSentryPrivilege mAll = getMSentryPrivilege( + constructPrivilegeName(tAll), pm); + if ((mAll != null) && (mRole.getPrivileges().contains(mAll))) { + return; + } + } + } + + MSentryPrivilege mPrivilege = getMSentryPrivilege( + constructPrivilegeName(privilege), pm); + if (mPrivilege == null) { + mPrivilege = convertToMSentryPrivilege(privilege); + } + mPrivilege.appendRole(mRole); + pm.makePersistent(mRole); + pm.makePersistent(mPrivilege); + } + return; + } public CommitContext alterSentryRoleRevokePrivilege(String roleName, TSentryPrivilege tPrivilege) throws SentryNoSuchObjectException, SentryInvalidInputException { boolean rollbackTransaction = true; PersistenceManager pm = null; - roleName = roleName.trim().toLowerCase(); + roleName = safeTrimLower(roleName); try { pm = openTransaction(); - Query query = pm.newQuery(MSentryRole.class); - query.setFilter("this.roleName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - MSentryRole mRole = (MSentryRole) query.execute(roleName); - if (mRole == null) { - throw new SentryNoSuchObjectException("Role: " + roleName); - } else { - query = pm.newQuery(MSentryPrivilege.class); - MSentryPrivilege mPrivilege = getMSentryPrivilege(constructPrivilegeName(tPrivilege), pm); - if (mPrivilege == null) { - mPrivilege = convertToMSentryPrivilege(tPrivilege); - } else { - mPrivilege = (MSentryPrivilege)pm.detachCopy(mPrivilege); - } + alterSentryRoleRevokePrivilegeCore(pm, roleName, tPrivilege); - Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet(mPrivilege); - // Get the privilege graph - populateChildren(Sets.newHashSet(roleName), mPrivilege, privilegeGraph); - for (MSentryPrivilege childPriv : privilegeGraph) { - revokePartial(pm, tPrivilege, mRole, childPriv); - } - pm.makePersistent(mRole); - CommitContext commit = commitUpdateTransaction(pm); - rollbackTransaction = false; - return commit; - } + CommitContext commit = commitUpdateTransaction(pm); + rollbackTransaction = false; + return commit; } finally { if (rollbackTransaction) { rollbackTransaction(pm); @@ -367,6 +352,35 @@ public class SentryStore { } } + private void alterSentryRoleRevokePrivilegeCore(PersistenceManager pm, + String roleName, TSentryPrivilege tPrivilege) + throws SentryNoSuchObjectException, SentryInvalidInputException { + Query query = pm.newQuery(MSentryRole.class); + query.setFilter("this.roleName == t"); + query.declareParameters("java.lang.String t"); + query.setUnique(true); + MSentryRole mRole = (MSentryRole) query.execute(roleName); + if (mRole == null) { + throw new SentryNoSuchObjectException("Role: " + roleName); + } else { + query = pm.newQuery(MSentryPrivilege.class); + MSentryPrivilege mPrivilege = getMSentryPrivilege( + constructPrivilegeName(tPrivilege), pm); + if (mPrivilege == null) { + mPrivilege = convertToMSentryPrivilege(tPrivilege); + } else { + mPrivilege = (MSentryPrivilege) pm.detachCopy(mPrivilege); + } + + Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet(mPrivilege); + // Get the privilege graph + populateChildren(Sets.newHashSet(roleName), mPrivilege, privilegeGraph); + for (MSentryPrivilege childPriv : privilegeGraph) { + revokePartial(pm, tPrivilege, mRole, childPriv); + } + pm.makePersistent(mRole); + } + } /** * Roles can be granted ALL, SELECT, and INSERT on tables. When @@ -506,7 +520,7 @@ public class SentryStore { String dbName = safeTrimLower(privilege.getDbName()); String tableName = safeTrimLower(privilege.getTableName()); String uri = privilege.getURI(); - String action = privilege.getAction(); + String action = safeTrimLower(privilege.getAction()); PrivilegeScope scope; if (serverName == null) { @@ -520,6 +534,9 @@ public class SentryStore { throw new SentryInvalidInputException("Either Table name or Db name must be NON-NULL for SELECT/INSERT privilege"); } } + if (action == null) { + action = AccessConstants.ALL; + } // Validate privilege scope try { @@ -1175,8 +1192,153 @@ public class SentryStore { rollbackTransaction(pm); } } + } + + /** + * Drop given privilege from all roles + */ + public void dropPrivilege(TSentryAuthorizable tAuthorizable) + throws SentryNoSuchObjectException, SentryInvalidInputException { + PersistenceManager pm = null; + boolean rollbackTransaction = true; + + TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable); + try { + pm = openTransaction(); + + if (isMultiActionsSupported(tPrivilege)) { + for (String privilegeAction : Sets.newHashSet(AccessConstants.ALL, + AccessConstants.SELECT, AccessConstants.INSERT)) { + tPrivilege.setAction(privilegeAction); + dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege)); + } + } else { + dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege)); + } + rollbackTransaction = false; + commitTransaction(pm); + } catch (JDODataStoreException e) { + throw new SentryInvalidInputException("Failed to get privileges: " + + e.getMessage()); + } finally { + if (rollbackTransaction) { + rollbackTransaction(pm); + } + } + } + + /** + * Rename given privilege from all roles drop the old privilege and create the new one + * @param tAuthorizable + * @param newTAuthorizable + * @throws SentryNoSuchObjectException + * @throws SentryInvalidInputException + */ + public void renamePrivilege(TSentryAuthorizable tAuthorizable, + TSentryAuthorizable newTAuthorizable) throws SentryNoSuchObjectException, + SentryInvalidInputException { + PersistenceManager pm = null; + boolean rollbackTransaction = true; + TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable); + TSentryPrivilege newPrivilege = toSentryPrivilege(newTAuthorizable); + try { + pm = openTransaction(); + // In case of tables or DBs, check all actions + if (isMultiActionsSupported(tPrivilege)) { + for (String privilegeAction : Sets.newHashSet(AccessConstants.ALL, + AccessConstants.SELECT, AccessConstants.INSERT)) { + tPrivilege.setAction(privilegeAction); + newPrivilege.setAction(privilegeAction); + renamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege); + } + } else { + renamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege); + } + rollbackTransaction = false; + commitTransaction(pm); + } catch (JDODataStoreException e) { + throw new SentryInvalidInputException("Failed to get privileges: " + + e.getMessage()); + } finally { + if (rollbackTransaction) { + rollbackTransaction(pm); + } + } + } + + // Currently INSERT/SELECT/ALL are supported for Table and DB level privileges + private boolean isMultiActionsSupported(TSentryPrivilege tPrivilege) { + return tPrivilege.getDbName() != null; + + } + // wrapper for dropOrRename + private void renamePrivilegeForAllRoles(PersistenceManager pm, + TSentryPrivilege tPrivilege, + TSentryPrivilege newPrivilege) throws SentryNoSuchObjectException, + SentryInvalidInputException { + dropOrRenamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege); + } + + /** + * Drop given privilege from all roles + * @param tPrivilege + * @throws SentryNoSuchObjectException + * @throws SentryInvalidInputException + */ + private void dropPrivilegeForAllRoles(PersistenceManager pm, + TSentryPrivilege tPrivilege) + throws SentryNoSuchObjectException, SentryInvalidInputException { + dropOrRenamePrivilegeForAllRoles(pm, tPrivilege, null); } + /** + * Drop given privilege from all roles Create the new privilege if asked + * @param tPrivilege + * @param pm + * @throws SentryNoSuchObjectException + * @throws SentryInvalidInputException + */ + private void dropOrRenamePrivilegeForAllRoles(PersistenceManager pm, + TSentryPrivilege tPrivilege, + TSentryPrivilege newTPrivilege) throws SentryNoSuchObjectException, + SentryInvalidInputException { + HashSet<MSentryRole> roleSet = Sets.newHashSet(); + tPrivilege.setPrivilegeName(constructPrivilegeName(tPrivilege)); + + MSentryPrivilege mPrivilege = getMSentryPrivilege( + tPrivilege.getPrivilegeName(), pm); + if (mPrivilege != null) { + roleSet.addAll(ImmutableSet.copyOf((mPrivilege.getRoles()))); + } + for (MSentryRole role : roleSet) { + alterSentryRoleRevokePrivilegeCore(pm, role.getRoleName(), tPrivilege); + if (newTPrivilege != null) { + alterSentryRoleGrantPrivilegeCore(pm, role.getRoleName(), newTPrivilege); + } + } + } + // convert TSentryAuthorizable to TSentryPrivilege + private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable) + throws SentryInvalidInputException { + TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); + tSentryPrivilege.setDbName(tAuthorizable.getDb()); + tSentryPrivilege.setServerName(tAuthorizable.getServer()); + tSentryPrivilege.setTableName(tAuthorizable.getTable()); + tSentryPrivilege.setURI(tAuthorizable.getUri()); + PrivilegeScope scope; + if (tSentryPrivilege.getTableName() != null) { + scope = PrivilegeScope.TABLE; + } else if (tSentryPrivilege.getDbName() != null) { + scope = PrivilegeScope.DATABASE; + } else if (tSentryPrivilege.getURI() != null) { + scope = PrivilegeScope.URI; + } else { + scope = PrivilegeScope.SERVER; + } + tSentryPrivilege.setPrivilegeScope(scope.name()); + tSentryPrivilege.setAction(AccessConstants.ALL); + return tSentryPrivilege; + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 2db73c6..5fd4f8f 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java @@ -55,6 +55,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.common.base.Preconditions; +import com.google.common.collect.Lists; import com.google.common.collect.Sets; public class SentryPolicyServiceClient { @@ -253,19 +254,7 @@ public class SentryPolicyServiceClient { request.setRequestorUserName(requestorUserName); request.setRoleName(roleName); if (authorizable != null) { - TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); - // TODO : Needed to support SearchModelAuthorizable - for (Authorizable authzble : authorizable) { - if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) { - tSentryAuthorizable.setServer(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) { - tSentryAuthorizable.setUri(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) { - tSentryAuthorizable.setDb(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) { - tSentryAuthorizable.setTable(authzble.getName()); - } - } + TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizable); request.setAuthorizableHierarchy(tSentryAuthorizable); } TListSentryPrivilegesResponse response; @@ -317,6 +306,29 @@ public class SentryPolicyServiceClient { db, table, action); } + private TSentryAuthorizable setupSentryAuthorizable( + List<? extends Authorizable> authorizable) { + TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); + + for (Authorizable authzble : authorizable) { + if (authzble.getTypeName().equalsIgnoreCase( + DBModelAuthorizable.AuthorizableType.Server.toString())) { + tSentryAuthorizable.setServer(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase( + DBModelAuthorizable.AuthorizableType.URI.toString())) { + tSentryAuthorizable.setUri(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase( + DBModelAuthorizable.AuthorizableType.Db.toString())) { + tSentryAuthorizable.setDb(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase( + DBModelAuthorizable.AuthorizableType.Table.toString())) { + tSentryAuthorizable.setTable(authzble.getName()); + } + } + return tSentryAuthorizable; + } + + private void grantPrivilege(String requestorUserName, String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String action) throws SentryUserException { @@ -403,19 +415,8 @@ public class SentryPolicyServiceClient { new TListSentryPrivilegesForProviderRequest(ThriftConstants. TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet); if ((authorizable != null)&&(authorizable.length > 0)) { - TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); - // TODO : Needed to support SearchModelAuthorizable - for (Authorizable authzble : authorizable) { - if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) { - tSentryAuthorizable.setServer(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) { - tSentryAuthorizable.setUri(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) { - tSentryAuthorizable.setDb(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) { - tSentryAuthorizable.setTable(authzble.getName()); - } - } + TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(Lists + .newArrayList(authorizable)); request.setAuthorizableHierarchy(tSentryAuthorizable); } try { @@ -455,6 +456,40 @@ TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, } } + public synchronized void dropPrivileges(String requestorUserName, + List<? extends Authorizable> authorizableObjects) + throws SentryUserException { + TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizableObjects); + + TDropPrivilegesRequest request = new TDropPrivilegesRequest( + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, + tSentryAuthorizable); + try { + TDropPrivilegesResponse response = client.drop_sentry_privilege(request); + Status.throwIfNotOk(response.getStatus()); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + + public synchronized void renamePrivileges(String requestorUserName, + List<? extends Authorizable> oldAuthorizables, + List<? extends Authorizable> newAuthorizables) throws SentryUserException { + TSentryAuthorizable tOldSentryAuthorizable = setupSentryAuthorizable(oldAuthorizables); + TSentryAuthorizable tNewSentryAuthorizable = setupSentryAuthorizable(newAuthorizables); + + TRenamePrivilegesRequest request = new TRenamePrivilegesRequest( + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, + tOldSentryAuthorizable, tNewSentryAuthorizable); + try { + TRenamePrivilegesResponse response = client + .rename_sentry_privilege(request); + Status.throwIfNotOk(response.getStatus()); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + public void close() { if (transport != null) { transport.close(); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 724dfa9..8964a18 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -447,4 +447,46 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } return groupMappingService.getGroups(userName); } + + @Override + public TDropPrivilegesResponse drop_sentry_privilege( + TDropPrivilegesRequest request) throws TException { + TDropPrivilegesResponse response = new TDropPrivilegesResponse(); + try { + authorize(request.getRequestorUserName(), adminGroups); + sentryStore.dropPrivilege(request.getAuthorizable()); + response.setStatus(Status.OK()); + } catch (SentryAccessDeniedException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (Exception e) { + String msg = "Unknown error for request: " + request + ", message: " + + e.getMessage(); + LOGGER.error(msg, e); + response.setStatus(Status.RuntimeError(msg, e)); + } + return response; + } + + @Override + public TRenamePrivilegesResponse rename_sentry_privilege( + TRenamePrivilegesRequest request) throws TException { + TRenamePrivilegesResponse response = new TRenamePrivilegesResponse(); + try { + authorize(request.getRequestorUserName(), adminGroups); + sentryStore.renamePrivilege(request.getOldAuthorizable(), + request.getNewAuthorizable()); + response.setStatus(Status.OK()); + } catch (SentryAccessDeniedException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (Exception e) { + String msg = "Unknown error for request: " + request + ", message: " + + e.getMessage(); + LOGGER.error(msg, e); + response.setStatus(Status.RuntimeError(msg, e)); + } + return response; + } + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index 86ff221..fdc7b9c 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift @@ -149,6 +149,28 @@ struct TListSentryPrivilegesResponse { 2: optional set<TSentryPrivilege> privileges } +# Drop privilege +struct TDropPrivilegesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required TSentryAuthorizable authorizable +} + +struct TDropPrivilegesResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +struct TRenamePrivilegesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required TSentryAuthorizable oldAuthorizable +4: required TSentryAuthorizable newAuthorizable +} + +struct TRenamePrivilegesResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + # This API was created specifically for ProviderBackend.getPrivileges # and is not mean for general purpose privilege retrieval. # This request/response pair are created specifically so we can @@ -185,4 +207,8 @@ service SentryPolicyService # For use with ProviderBackend.getPrivileges only TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) + + TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request); + + TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index 144e20e..acc8b3a 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java @@ -353,4 +353,193 @@ public class TestSentryStore { assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group2)).size()); assertEquals(3, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1,group2)).size()); } + + /** + * Assign multiple table and SERVER privileges to roles + * drop privilege for the object verify that it's removed correctl + * @throws Exception + */ + @Test + public void testDropDbObject() throws Exception { + String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3"; + String grantor = "g1"; + sentryStore.createSentryRole(roleName1, grantor); + sentryStore.createSentryRole(roleName2, grantor); + sentryStore.createSentryRole(roleName3, grantor); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName("tbl1"); + privilege_tbl1.setGrantorPrincipal(grantor); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + privilege_tbl1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege_tbl1)); + + TSentryPrivilege privilege1 = new TSentryPrivilege(privilege_tbl1); + privilege1.setAction("SELECT"); + privilege1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege1)); + + TSentryPrivilege privilege2_1 = new TSentryPrivilege(privilege_tbl1); + privilege2_1.setAction("INSERT"); + privilege2_1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege2_1)); + TSentryPrivilege privilege3_1 = new TSentryPrivilege(privilege_tbl1); + privilege3_1.setAction("*"); + privilege3_1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege3_1)); + + TSentryPrivilege privilege_server = new TSentryPrivilege(); + privilege_server.setPrivilegeScope("SERVER"); + privilege_server.setServerName("server1"); + privilege_server.setGrantorPrincipal(grantor); + privilege_server.setCreateTime(System.currentTimeMillis()); + privilege_server.setPrivilegeName(SentryStore.constructPrivilegeName(privilege_server)); + + TSentryPrivilege privilege_tbl2 = new TSentryPrivilege(); + privilege_tbl2.setPrivilegeScope("TABLE"); + privilege_tbl2.setServerName("server1"); + privilege_tbl2.setDbName("db1"); + privilege_tbl2.setTableName("tbl2"); + privilege_tbl2.setGrantorPrincipal(grantor); + privilege_tbl2.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege2_3 = new TSentryPrivilege(privilege_tbl2); + privilege2_3.setAction("SELECT"); + privilege2_3.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege2_3)); + + TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2); + privilege3_2.setAction("INSERT"); + privilege2_3.setPrivilegeName(SentryStore.constructPrivilegeName(privilege2_3)); + + sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege1); + + sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2_1); + sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege_server); + sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2_3); + + sentryStore.alterSentryRoleGrantPrivilege(roleName3, privilege3_1); + sentryStore.alterSentryRoleGrantPrivilege(roleName3, privilege3_2); + + sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1)); + assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1) + .size()); + assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2) + .size()); + assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3) + .size()); + + sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl2)); + assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1) + .size()); + assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2) + .size()); + assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3) + .size()); + } + + @Test + public void testDropOverlappedPrivileges() throws Exception { + String roleName1 = "list-privs-r1"; + String grantor = "g1"; + sentryStore.createSentryRole(roleName1, grantor); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName("tbl1"); + privilege_tbl1.setGrantorPrincipal(grantor); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + privilege_tbl1.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1)); + + TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( + privilege_tbl1); + privilege_tbl1_insert.setAction("INSERT"); + privilege_tbl1_insert.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1_insert)); + + TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_all.setAction("*"); + privilege_tbl1_all.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1_all)); + + sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_insert); + sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_all); + + sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1)); + assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1) + .size()); + } + + private TSentryAuthorizable toTSentryAuthorizable( + TSentryPrivilege tSentryPrivilege) { + TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); + tSentryAuthorizable.setServer(tSentryPrivilege.getServerName()); + tSentryAuthorizable.setDb(tSentryPrivilege.getDbName()); + tSentryAuthorizable.setTable(tSentryPrivilege.getTableName()); + tSentryAuthorizable.setUri(tSentryPrivilege.getURI()); + return tSentryAuthorizable; + } + + /*** + * Create roles and assign privileges for same table rename the privileges for + * the table and verify the new privileges + * @throws Exception + */ + @Test + public void testRenameTable() throws Exception { + String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3"; + String grantor = "g1"; + String table1 = "tbl1", table2 = "tbl2"; + + sentryStore.createSentryRole(roleName1, grantor); + sentryStore.createSentryRole(roleName2, grantor); + sentryStore.createSentryRole(roleName3, grantor); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName(table1); + privilege_tbl1.setGrantorPrincipal(grantor); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + privilege_tbl1.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1)); + + TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( + privilege_tbl1); + privilege_tbl1_insert.setAction(AccessConstants.INSERT); + privilege_tbl1_insert.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1_insert)); + + TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege( + privilege_tbl1); + privilege_tbl1_select.setAction(AccessConstants.SELECT); + privilege_tbl1_select.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1_select)); + + TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_all.setAction(AccessConstants.ALL); + privilege_tbl1_all.setPrivilegeName(SentryStore + .constructPrivilegeName(privilege_tbl1_all)); + + sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_insert); + sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege_tbl1_select); + sentryStore.alterSentryRoleGrantPrivilege(roleName3, privilege_tbl1_all); + + TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1); + TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1); + newTable.setTable(table2); + sentryStore.renamePrivilege(oldTable, newTable); + + for (String roleName : Sets.newHashSet(roleName1, roleName2, roleName3)) { + Set<TSentryPrivilege> privilegeSet = sentryStore + .getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(1, privilegeSet.size()); + for (TSentryPrivilege privilege : privilegeSet) { + assertTrue(table2.equalsIgnoreCase(privilege.getTableName())); + } + } + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java new file mode 100644 index 0000000..a885b8f --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java @@ -0,0 +1,292 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.dbprovider; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import java.io.File; +import java.io.FileOutputStream; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.Statement; +import java.util.ArrayList; +import java.util.List; + +import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration; +import org.junit.After; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Lists; +import com.google.common.io.Resources; + +public class TestDbPrivilegeCleanupOnDrop extends + AbstractTestWithStaticConfiguration { + + private final static int SHOW_GRANT_TABLE_POSITION = 2; + private final static int SHOW_GRANT_DB_POSITION = 1; + + private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat"; + + private final static String dbName1 = "db_1"; + private final static String dbName2 = "prod"; + private final static String tableName1 = "tb_1"; + private final static String tableName2 = "tb_2"; + private final static String tableName3 = "tb_3"; + private final static String tableName4 = "tb_4"; + private final static String renameTag = "_new"; + + @BeforeClass + public static void setupTestStaticConfiguration() throws Exception { + useSentryService = true; + setMetastoreListener = true; + AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); + } + + @Before + public void setUp() throws Exception { + // context = createContext(); + File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); + setupAdmin(); + FileOutputStream to = new FileOutputStream(dataFile); + Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); + to.close(); + } + + @After + public void tearDown() throws Exception { + if (context != null) { + context.close(); + } + } + + /** + * drop table and verify that the no privileges are referring to it drop db + * and verify that the no privileges are referring to it drop db cascade + * verify that the no privileges are referring to db and tables under it + * + * @throws Exception + */ + @Test + public void testDropObjects() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + + setupRoles(statement); // create required roles + setupDbObjects(statement); // create test DBs and Tables + setupPrivileges(statement); // setup privileges for USER1 + dropDbObjects(statement); // drop objects + verifyPrivilegesDropped(statement); // verify privileges are removed + + statement.close(); + connection.close(); + } + + /** + * drop table and verify that the no privileges are referring to it drop db + * and verify that the no privileges are referring to it drop db cascade + * verify that the no privileges are referring to db and tables under it + * + * @throws Exception + */ + @Test + public void testReCreateObjects() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + setupRoles(statement); // create required roles + setupDbObjects(statement); // create test DBs and Tables + setupPrivileges(statement); // setup privileges for USER1 + dropDbObjects(statement); // drop DB and tables + + setupDbObjects(statement); // recreate same DBs and tables + verifyPrivilegesDropped(statement); // verify the stale privileges removed + } + + /** + * rename table and verify that the no privileges are referring to it old table + * verify that the same privileges are created for the new table name + * + * @throws Exception + */ + @Test + public void testRenameTables() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + + setupRoles(statement); // create required roles + setupDbObjects(statement); // create test DBs and Tables + setupPrivileges(statement); // setup privileges for USER1 + + // verify privileges on the created tables + statement.execute("USE " + dbName2); + verifyTablePrivilegeExist(statement, + Lists.newArrayList("select_tbl1", "insert_tbl1", "all_tbl1"), + tableName1); + verifyTablePrivilegeExist(statement, Lists.newArrayList("all_tbl2"), + tableName2); + + renameTables(statement); // alter tables to rename + + // verify privileges removed for old tables + verifyTablePrivilegesDropped(statement); + + // verify privileges created for new tables + statement.execute("USE " + dbName2); + verifyTablePrivilegeExist(statement, + Lists.newArrayList("select_tbl1", "insert_tbl1", "all_tbl1"), + tableName1 + renameTag); + verifyTablePrivilegeExist(statement, Lists.newArrayList("all_tbl2"), + tableName2 + renameTag); + + statement.close(); + connection.close(); + } + + // Create test roles + private void setupRoles(Statement statement) throws Exception { + statement.execute("CREATE ROLE all_db1"); + statement.execute("CREATE ROLE read_db1"); + statement.execute("CREATE ROLE select_tbl1"); + statement.execute("CREATE ROLE insert_tbl1"); + statement.execute("CREATE ROLE all_tbl1"); + statement.execute("CREATE ROLE all_tbl2"); + statement.execute("CREATE ROLE all_prod"); + + statement.execute("GRANT ROLE all_db1, read_db1, select_tbl1, insert_tbl1," + + " all_tbl1, all_tbl2, all_prod to GROUP " + USERGROUP1); + + statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE"); + statement.execute("DROP DATABASE IF EXISTS " + dbName2 + " CASCADE"); + } + + // create test DBs and Tables + private void setupDbObjects(Statement statement) throws Exception { + statement.execute("CREATE DATABASE " + dbName1); + statement.execute("CREATE DATABASE " + dbName2); + statement.execute("create table " + dbName2 + "." + tableName1 + + " (under_col int comment 'the under column', value string)"); + statement.execute("create table " + dbName2 + "." + tableName2 + + " (under_col int comment 'the under column', value string)"); + statement.execute("create table " + dbName1 + "." + tableName3 + + " (under_col int comment 'the under column', value string)"); + statement.execute("create table " + dbName1 + "." + tableName4 + + " (under_col int comment 'the under column', value string)"); + } + + // Create privileges on DB and Tables + private void setupPrivileges(Statement statement) throws Exception { + statement.execute("GRANT ALL ON DATABASE " + dbName1 + " TO ROLE all_db1"); + statement.execute("GRANT SELECT ON DATABASE " + dbName1 + + " TO ROLE read_db1"); + statement.execute("GRANT ALL ON DATABASE " + dbName2 + " TO ROLE all_prod"); + statement.execute("USE " + dbName2); + statement.execute("GRANT SELECT ON TABLE " + tableName1 + + " TO ROLE select_tbl1"); + statement.execute("GRANT INSERT ON TABLE " + tableName1 + + " TO ROLE insert_tbl1"); + statement.execute("GRANT ALL ON TABLE " + tableName1 + " TO ROLE all_tbl1"); + statement.execute("GRANT ALL ON TABLE " + tableName2 + " TO ROLE all_tbl2"); + } + + // Drop test DBs and Tables + private void dropDbObjects(Statement statement) throws Exception { + statement.execute("DROP TABLE " + dbName2 + "." + tableName1); + statement.execute("DROP TABLE " + dbName2 + "." + tableName2); + statement.execute("DROP DATABASE " + dbName2); + statement.execute("DROP DATABASE " + dbName1 + " CASCADE"); + } + + // rename tables + private void renameTables(Statement statement) throws Exception { + statement.execute("USE " + dbName2); + statement.execute("ALTER TABLE " + tableName1 + " RENAME TO " + tableName1 + + renameTag); + statement.execute("ALTER TABLE " + tableName2 + " RENAME TO " + tableName2 + + renameTag); + statement.execute("USE " + dbName1); + statement.execute("ALTER TABLE " + tableName3 + " RENAME TO " + tableName3 + + renameTag); + statement.execute("ALTER TABLE " + tableName4 + " RENAME TO " + tableName4 + + renameTag); + } + + // verify all the test privileges are dropped as we drop the objects + private void verifyPrivilegesDropped(Statement statement) + throws Exception { + verifyDbPrivilegesDropped(statement); + verifyTablePrivilegesDropped(statement); + } + + // verify all the test privileges are dropped as we drop the objects + private void verifyTablePrivilegesDropped(Statement statement) + throws Exception { + List<String> roles = getRoles(statement); + verifyPrivilegeDropped(statement, roles, tableName1, + SHOW_GRANT_TABLE_POSITION); + verifyPrivilegeDropped(statement, roles, tableName2, + SHOW_GRANT_TABLE_POSITION); + verifyPrivilegeDropped(statement, roles, tableName3, + SHOW_GRANT_TABLE_POSITION); + verifyPrivilegeDropped(statement, roles, tableName4, + SHOW_GRANT_TABLE_POSITION); + + } + + // verify all the test privileges are dropped as we drop the objects + private void verifyDbPrivilegesDropped(Statement statement) throws Exception { + List<String> roles = getRoles(statement); + verifyPrivilegeDropped(statement, roles, dbName2, SHOW_GRANT_DB_POSITION); + verifyPrivilegeDropped(statement, roles, dbName1, SHOW_GRANT_DB_POSITION); + + } + + // verify given table/DB has no longer permissions + private void verifyPrivilegeDropped(Statement statement, List<String> roles, + String objectName, int resultPos) throws Exception { + for (String roleName : roles) { + ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE " + + roleName); + while (resultSet.next()) { + assertFalse(objectName.equalsIgnoreCase(resultSet.getString(resultPos))); + } + resultSet.close(); + } + } + + // verify given table is part of the role + private void verifyTablePrivilegeExist(Statement statement, + List<String> roles, String tableName) throws Exception { + for (String roleName : roles) { + ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE " + + roleName + " ON TABLE " + tableName); + assertTrue(resultSet.next()); + resultSet.close(); + } + } + + private List<String> getRoles(Statement statement) throws Exception { + ArrayList<String> roleList = Lists.newArrayList(); + ResultSet resultSet = statement.executeQuery("SHOW ROLES "); + while (resultSet.next()) { + roleList.add(resultSet.getString(1)); + } + return roleList; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java index fd969a6..b92ca97 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java @@ -16,6 +16,10 @@ */ package org.apache.sentry.tests.e2e.hive; +import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_SPLITTER; +import static org.apache.sentry.provider.common.ProviderConstants.PRIVILEGE_PREFIX; +import static org.apache.sentry.provider.common.ProviderConstants.ROLE_SPLITTER; + import java.io.File; import java.io.IOException; import java.sql.Connection; @@ -33,14 +37,13 @@ import junit.framework.Assert; import org.apache.commons.io.FileUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl; +import org.apache.sentry.binding.metastore.SentryMetastorePostEventListener; import org.apache.sentry.core.model.db.DBModelAction; import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.policy.db.DBModelAuthorizables; -import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_SPLITTER; -import static org.apache.sentry.provider.common.ProviderConstants.PRIVILEGE_PREFIX; -import static org.apache.sentry.provider.common.ProviderConstants.ROLE_SPLITTER; import org.apache.sentry.provider.db.SimpleDBProviderBackend; import org.apache.sentry.provider.file.PolicyFile; import org.apache.sentry.service.thrift.SentryService; @@ -103,8 +106,10 @@ public abstract class AbstractTestWithStaticConfiguration { protected static boolean policy_on_hdfs = false; protected static boolean useSentryService = false; + protected static boolean setMetastoreListener = false; protected static String testServerType = null; + protected static File baseDir; protected static File logDir; protected static File confDir; @@ -334,6 +339,10 @@ public abstract class AbstractTestWithStaticConfiguration { sentryConf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(sentryServer.getAddress().getPort())); startSentryService(); + if (setMetastoreListener) { + properties.put(HiveConf.ConfVars.METASTORE_EVENT_LISTENERS.varname, + SentryMetastorePostEventListener.class.getName()); + } } private static void startSentryService() throws Exception { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b11f5aab/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java index 0165806..51acbf0 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java @@ -151,6 +151,7 @@ public class HiveServerFactory { properties.put(METASTORE_BYPASS, "hive,impala," + System.getProperty("user.name", "")); } + properties.put(METASTORE_SETUGI, "true"); properties.put(METASTORE_CLIENT_TIMEOUT, "100"); properties.put(ConfVars.HIVE_WAREHOUSE_SUBDIR_INHERIT_PERMS.varname, "true");
