Repository: incubator-sentry Updated Branches: refs/heads/master c643db28d -> a170f53bd
SENTRY-347: Generate the audit log in Json format (Colin Ma via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a170f53b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a170f53b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a170f53b Branch: refs/heads/master Commit: a170f53bde4a3947243ca0439544b2769c9240ee Parents: c643db2 Author: Sravya Tirukkovalur <[email protected]> Authored: Fri Aug 1 14:14:17 2014 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Fri Aug 1 14:14:17 2014 -0700 ---------------------------------------------------------------------- pom.xml | 12 + .../db/log/entity/AuditMetadataLogEntity.java | 227 ++++++++++++++ .../provider/db/log/entity/JsonLogEntity.java | 25 ++ .../db/log/entity/JsonLogEntityFactory.java | 143 +++++++++ .../provider/db/log/util/CommandUtil.java | 169 +++++++++++ .../sentry/provider/db/log/util/Constants.java | 98 ++++++ .../thrift/SentryPolicyStoreProcessor.java | 19 ++ .../SentryPolicyStoreProcessorFactory.java | 2 +- .../service/thrift/SentryProcessorWrapper.java | 83 +++++ .../sentry/service/thrift/ServiceConstants.java | 3 + .../log/entity/TestAuditMetadataLogEntity.java | 68 +++++ .../db/log/entity/TestJsonLogEntityFactory.java | 293 ++++++++++++++++++ .../provider/db/log/util/TestCommandUtil.java | 303 +++++++++++++++++++ 13 files changed, 1444 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 3d5492d..01c87f1 100644 --- a/pom.xml +++ b/pom.xml 
@@ -166,6 +166,18 @@ limitations under the License.
 <artifactId>hive-metastore</artifactId>
 <version>${hive.version}</version>
 </dependency>
+
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-core-asl</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
+
 <dependency>
 <groupId>org.apache.hive</groupId>
 <artifactId>hive-beeline</artifactId>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
new file mode 100644
index 0000000..e1d8a9e
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
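Review bot: The two new artifacts are pulled from the `org.codehaus.jackson` group, i.e. the Jackson 1.x line, which is no longer maintained; the `com.fasterxml.jackson.core` 2.x line is the supported successor and exposes the same `JsonFactory`/`JsonGenerator`/`ObjectMapper` API the new entity classes use. The `${jackson.version}` property is not defined in this hunk, so presumably it is inherited from an existing property elsewhere in the POM; if it is only there because another dependency brought 1.x transitively, that is worth checking before the audit path takes a hard dependency on it. Switching to the 2.x coordinates before the first release avoids carrying an unmaintained JSON parser in a security component.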
@@ -0,0 +1,227 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.entity; + +import java.io.IOException; +import java.io.StringWriter; + +import org.apache.sentry.provider.db.log.util.Constants; +import org.codehaus.jackson.JsonFactory; +import org.codehaus.jackson.JsonGenerator; +import org.codehaus.jackson.JsonNode; +import org.codehaus.jackson.map.MappingJsonFactory; +import org.codehaus.jackson.map.ObjectMapper; +import org.codehaus.jackson.node.ContainerNode; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class AuditMetadataLogEntity implements JsonLogEntity { + + private static final Logger LOGGER = LoggerFactory + .getLogger(AuditMetadataLogEntity.class); + private static final JsonFactory factory = new MappingJsonFactory(); + private String serviceName; + private String userName; + private String impersonator; + private String ipAddress; + private String operation; + private String eventTime; + private String operationText; + private String allowed; + private String databaseName; + private String tableName; + private String resourcePath; + private String objectType; + + public AuditMetadataLogEntity() { + } + + public 
AuditMetadataLogEntity(String serviceName, String userName, + String impersonator, String ipAddress, String operation, + String eventTime, String operationText, String allowed, + String databaseName, String tableName, String resourcePath, + String objectType) { + this.serviceName = serviceName; + this.userName = userName; + this.impersonator = impersonator; + this.ipAddress = ipAddress; + this.operation = operation; + this.eventTime = eventTime; + this.operationText = operationText; + this.allowed = allowed; + this.databaseName = databaseName; + this.tableName = tableName; + this.resourcePath = resourcePath; + this.objectType = objectType; + } + + @Override + public String toJsonFormatLog() { + StringWriter stringWriter = new StringWriter(); + JsonGenerator json = null; + try { + json = factory.createJsonGenerator(stringWriter); + json.writeStartObject(); + json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, serviceName); + json.writeStringField(Constants.LOG_FIELD_USER_NAME, userName); + json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, impersonator); + json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, ipAddress); + json.writeStringField(Constants.LOG_FIELD_OPERATION, operation); + json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, eventTime); + json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, operationText); + json.writeStringField(Constants.LOG_FIELD_ALLOWED, allowed); + json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName); + json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName); + json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath); + json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, objectType); + json.writeEndObject(); + json.flush(); + } catch (IOException e) { + // if there has error when creating the audit log in json, set the audit + // log to empty. 
+ stringWriter = new StringWriter(); + String msg = "Error creating audit log in json format: " + e.getMessage(); + LOGGER.error(msg, e); + } finally { + try { + if (json != null) { + json.close(); + } + } catch (IOException e) { + LOGGER.error("Error closing JsonGenerator", e); + } + } + + return stringWriter.toString(); + } + + public String getServiceName() { + return serviceName; + } + + public void setServiceName(String serviceName) { + this.serviceName = serviceName; + } + + public String getUserName() { + return userName; + } + + public void setUserName(String userName) { + this.userName = userName; + } + + public String getImpersonator() { + return impersonator; + } + + public void setImpersonator(String impersonator) { + this.impersonator = impersonator; + } + + public String getIpAddress() { + return ipAddress; + } + + public void setIpAddress(String ipAddress) { + this.ipAddress = ipAddress; + } + + public String getOperation() { + return operation; + } + + public void setOperation(String operation) { + this.operation = operation; + } + + public String getEventTime() { + return eventTime; + } + + public void setEventTime(String eventTime) { + this.eventTime = eventTime; + } + + public String getOperationText() { + return operationText; + } + + public void setOperationText(String operationText) { + this.operationText = operationText; + } + + public String getAllowed() { + return allowed; + } + + public void setAllowed(String allowed) { + this.allowed = allowed; + } + + public String getDatabaseName() { + return databaseName; + } + + public void setDatabaseName(String databaseName) { + this.databaseName = databaseName; + } + + public String getTableName() { + return tableName; + } + + public void setTableName(String tableName) { + this.tableName = tableName; + } + + public String getResourcePath() { + return resourcePath; + } + + public void setResourcePath(String resourcePath) { + this.resourcePath = resourcePath; + } + + public String getObjectType() { + 
return objectType; + } + + public void setObjectType(String objectType) { + this.objectType = objectType; + } + + /** + * For use in tests + * + * @param json + * incoming JSON to parse + * @return a node tree + * @throws IOException + * on any parsing problems + */ + public static ContainerNode parse(String json) throws IOException { + ObjectMapper mapper = new ObjectMapper(factory); + JsonNode jsonNode = mapper.readTree(json); + if (!(jsonNode instanceof ContainerNode)) { + throw new IOException("Wrong JSON data: " + json); + } + return (ContainerNode) jsonNode; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java new file mode 100644 index 0000000..7ad6966 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java 
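Review bot: `toJsonFormatLog` returns an empty string when the generator throws (the `catch (IOException e)` branch replaces `stringWriter` with a fresh one), so the processor's `AUDIT_LOGGER.info(...)` call emits a blank audit line and the failed event survives only in the service log; for an audit trail that is a silent gap. Document that contract on the method, e.g. `/** Renders this event as one JSON object. Returns "" if serialization fails (the error is logged), so callers should treat an empty result as a lost audit record. */`, and consider having the caller skip or flag empty results rather than logging them. `databaseName`, `tableName` and `resourcePath` are only populated by the privilege overloads in the factory, so for role and group requests `writeStringField` receives `null`; presumably that emits a JSON null rather than throwing, but the behaviour depends on the Jackson version and deserves a test. `parse` is documented as test-only yet ships in the production class; a test-utility placement would keep the main surface smaller.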
@@ -0,0 +1,25 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.entity; + +public interface JsonLogEntity { + + public String toJsonFormatLog(); + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java new file mode 100644 index 0000000..2cc8194 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java 
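Review bot: The interface carries no Javadoc, and the one part of its contract that matters to consumers of the audit log — what `toJsonFormatLog` yields when rendering fails — is left to the implementation. Suggest adding above the method `/** One audit event rendered as a single-line JSON object; implementations must not return null, and callers should expect an empty string when rendering failed. */`. The `public` modifier on an interface method is redundant and can be dropped.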
@@ -0,0 +1,143 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.entity; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.provider.db.log.util.CommandUtil; +import org.apache.sentry.provider.db.log.util.Constants; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse; +import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest; +import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse; +import 
org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest; +import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.apache.sentry.service.thrift.Status; +import org.apache.sentry.service.thrift.TSentryResponseStatus; + +public class JsonLogEntityFactory { + + private static JsonLogEntityFactory factory = new JsonLogEntityFactory(); + + private JsonLogEntityFactory() { + }; + + public static JsonLogEntityFactory getInstance() { + return factory; + } + + public JsonLogEntity createJsonLogEntity(TCreateSentryRoleRequest request, + TCreateSentryRoleResponse response, Configuration conf) { + AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), + request.getRequestorUserName(), request.getClass().getName()); + amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole( + request.getRoleName(), true)); + + return amle; + } + + public JsonLogEntity createJsonLogEntity(TDropSentryRoleRequest request, + TDropSentryRoleResponse response, Configuration conf) { + AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), + request.getRequestorUserName(), request.getClass().getName()); + amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole( + request.getRoleName(), false)); + + return amle; + } + + public JsonLogEntity createJsonLogEntity( + TAlterSentryRoleGrantPrivilegeRequest request, + TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) { + AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), + request.getRequestorUserName(), request.getClass().getName()); + amle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request)); + TSentryPrivilege privilege = request.getPrivilege(); + amle.setDatabaseName(privilege.getDbName()); + amle.setTableName(privilege.getTableName()); + 
amle.setResourcePath(privilege.getURI()); + + return amle; + } + + public JsonLogEntity createJsonLogEntity( + TAlterSentryRoleRevokePrivilegeRequest request, + TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) { + AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), + request.getRequestorUserName(), request.getClass().getName()); + amle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request)); + TSentryPrivilege privilege = request.getPrivilege(); + amle.setDatabaseName(privilege.getDbName()); + amle.setTableName(privilege.getTableName()); + amle.setResourcePath(privilege.getURI()); + + return amle; + } + + public JsonLogEntity createJsonLogEntity( + TAlterSentryRoleAddGroupsRequest request, + TAlterSentryRoleAddGroupsResponse response, Configuration conf) { + AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), + request.getRequestorUserName(), request.getClass().getName()); + amle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request)); + + return amle; + } + + public JsonLogEntity createJsonLogEntity( + TAlterSentryRoleDeleteGroupsRequest request, + TAlterSentryRoleDeleteGroupsResponse response, Configuration conf) { + AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), + request.getRequestorUserName(), request.getClass().getName()); + amle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request)); + + return amle; + } + + public String isAllowed(TSentryResponseStatus status) { + if (status.equals(Status.OK())) { + return Constants.TRUE; + } + return Constants.FALSE; + } + + private AuditMetadataLogEntity createCommonAMLE(Configuration conf, + TSentryResponseStatus responseStatus, String userName, + String requestClassName) { + AuditMetadataLogEntity amle = new AuditMetadataLogEntity(); + amle.setUserName(userName); + amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME, + ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim()); + 
amle.setImpersonator(CommandUtil.getImpersonator()); + amle.setIpAddress(CommandUtil.getIpAddress()); + amle.setOperation(Constants.requestTypeToOperationMap.get(requestClassName)); + amle.setEventTime(Long.toString(System.currentTimeMillis())); + amle.setAllowed(isAllowed(responseStatus)); + amle.setObjectType(Constants.requestTypeToObjectTypeMap + .get(requestClassName)); + return amle; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java new file mode 100644 index 0000000..b2b5187 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java 
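Review bot: The grant and revoke overloads dereference `request.getPrivilege()` (`privilege.getDbName()`, `privilege.getTableName()`, `privilege.getURI()`) with no null check, and `CommandUtil.createCmdForGrantPrivilege` does the same before that; if a client sends a request without the privilege set, the Thrift field would presumably be null and the audit call throws instead of recording the denied operation. Because the processor invokes the factory after its try/catch, that exception would reach the client, so guard it, e.g. `if (privilege != null) { amle.setDatabaseName(privilege.getDbName()); amle.setTableName(privilege.getTableName()); amle.setResourcePath(privilege.getURI()); }`, and give CommandUtil the same treatment. Separately, `isAllowed` relies on `status.equals(Status.OK())`, which presumably compares the message and stack fields as well, so an OK status that carries a non-empty message would be recorded as `allowed=false`; comparing the status code alone would be more robust for an audit decision.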
@@ -0,0 +1,169 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.util; + +import java.util.Iterator; + +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TSentryGroup; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; + +public class CommandUtil { + + public static String createCmdForCreateOrDropRole(String roleName, + boolean isCreate) { + if (isCreate) { + return "CREATE ROLE " + roleName; + } + return "DROP ROLE " + roleName; + } + + public static String createCmdForRoleAddGroup( + TAlterSentryRoleAddGroupsRequest request) { + return createCmdForRoleAddOrDeleteGroup(request.getRoleName(), + request.getGroupsIterator(), true); + } + + public static String 
createCmdForRoleDeleteGroup( + TAlterSentryRoleDeleteGroupsRequest request) { + return createCmdForRoleAddOrDeleteGroup(request.getRoleName(), + request.getGroupsIterator(), false); + } + + private static String createCmdForRoleAddOrDeleteGroup(String roleName, + Iterator<TSentryGroup> iter, boolean isAddGroup) { + StringBuilder sb = new StringBuilder(); + if (isAddGroup) { + sb.append("GRANT ROLE "); + } else { + sb.append("REVOKE ROLE "); + } + sb.append(roleName); + if (isAddGroup) { + sb.append(" TO "); + } else { + sb.append(" FROM "); + } + + if (iter != null) { + sb.append("GROUP "); + boolean commaFlg = false; + while (iter.hasNext()) { + if (commaFlg) { + sb.append(", "); + } else { + commaFlg = true; + } + sb.append(iter.next().getGroupName()); + } + } else { + sb = new StringBuilder("Missing group information."); + } + + return sb.toString(); + } + + public static String createCmdForGrantPrivilege( + TAlterSentryRoleGrantPrivilegeRequest request) { + return createCmdForGrantOrRevokePrivilege(request.getRoleName(), + request.getPrivilege(), true); + } + + public static String createCmdForRevokePrivilege( + TAlterSentryRoleRevokePrivilegeRequest request) { + return createCmdForGrantOrRevokePrivilege(request.getRoleName(), + request.getPrivilege(), false); + } + + private static String createCmdForGrantOrRevokePrivilege(String roleName, + TSentryPrivilege privilege, boolean isGrant) { + StringBuilder sb = new StringBuilder(); + if (isGrant) { + sb.append("GRANT "); + } else { + sb.append("REVOKE "); + } + + String action = privilege.getAction(); + String privilegeScope = privilege.getPrivilegeScope(); + if (AccessConstants.ALL.equalsIgnoreCase(action)) { + sb.append("ALL"); + } else { + if (action != null) { + action = action.toUpperCase(); + } + sb.append(action); + } + + sb.append(" ON ").append(privilege.getPrivilegeScope()).append(" "); + if (PrivilegeScope.DATABASE.name().equalsIgnoreCase(privilegeScope)) { + sb.append(privilege.getDbName()); + } else 
if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) { + sb.append(privilege.getTableName()); + } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) { + sb.append(privilege.getServerName()); + } else if (PrivilegeScope.URI.name().equalsIgnoreCase(privilegeScope)) { + sb.append(privilege.getURI()); + } + + if (isGrant) { + sb.append(" TO ROLE "); + } else { + sb.append(" FROM ROLE "); + } + sb.append(roleName); + + return sb.toString(); + } + + private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() { + @Override + protected synchronized String initialValue() { + return ""; + } + }; + + public static void setIpAddress(String ipAddress) { + threadLocalIpAddress.set(ipAddress); + } + + public static String getIpAddress() { + return threadLocalIpAddress.get(); + } + + private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() { + @Override + protected synchronized String initialValue() { + return ""; + } + }; + + public static void setImpersonator(String impersonator) { + threadLocalImpersonator.set(impersonator); + } + + public static String getImpersonator() { + return threadLocalImpersonator.get(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java new file mode 100644 index 0000000..4b1d7de --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java 
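Review bot: `threadLocalIpAddress` and `threadLocalImpersonator` are set per request but never removed, so on a pooled Thrift worker thread any request path that does not reach the setters inherits the previous caller's IP address and impersonator, and the audit record attributes the event to the wrong origin. Add a reset, e.g. `public static void resetIpAddress() { threadLocalIpAddress.remove(); }` plus the same for the impersonator, and have the processor wrapper call both in a finally block (that wrapper is not visible in this excerpt). `synchronized` on `initialValue()` buys nothing, since the method only ever runs on the owning thread. Minor: `createCmdForGrantOrRevokePrivilege` appends `privilege.getPrivilegeScope()` a second time instead of the local `privilegeScope`, and `action.toUpperCase()` should pass `Locale.ROOT` so the rendered command does not vary with the server locale.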
@@ -0,0 +1,98 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.util; + +import java.util.HashMap; +import java.util.Map; + +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest; +import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest; + +public class Constants { + public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger"; + + public final static String LOG_FIELD_SERVICE_NAME = "serviceName"; + public final static String LOG_FIELD_USER_NAME = "userName"; + public final static String LOG_FIELD_IMPERSONATOR = "impersonator"; + public final static String LOG_FIELD_IP_ADDRESS = "ipAddress"; + public final static String LOG_FIELD_OPERATION = "operation"; + public final static String LOG_FIELD_EVENT_TIME = "eventTime"; + public final static 
String LOG_FIELD_OPERATION_TEXT = "operationText"; + public final static String LOG_FIELD_ALLOWED = "allowed"; + public final static String LOG_FIELD_DATABASE_NAME = "databaseName"; + public final static String LOG_FIELD_TABLE_NAME = "tableName"; + public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath"; + public final static String LOG_FIELD_OBJECT_TYPE = "objectType"; + + public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE"; + public final static String OPERATION_DROP_ROLE = "DROP_ROLE"; + public final static String OPERATION_ADD_ROLE = "ADD_ROLE_TO_GROUP"; + public final static String OPERATION_DELETE_ROLE = "DELETE_ROLE_FROM_GROUP"; + public final static String OPERATION_GRANT_PRIVILEGE = "GRANTE_PRIVILEGE"; + public final static String OPERATION_REVOKE_PRIVILEGE = "REVOKE_PRIVILEGE"; + + public final static String OBJECT_TYPE_PRINCIPAL = "PRINCIPAL"; + public final static String OBJECT_TYPE_ROLE = "ROLE"; + + public final static String TRUE = "true"; + public final static String FALSE = "false"; + + public static final Map<String, String> requestTypeToOperationMap = new HashMap<String, String>(); + public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>(); + + static { + requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(), + Constants.OPERATION_CREATE_ROLE); + requestTypeToOperationMap.put( + TAlterSentryRoleGrantPrivilegeRequest.class.getName(), + Constants.OPERATION_GRANT_PRIVILEGE); + requestTypeToOperationMap.put( + TAlterSentryRoleRevokePrivilegeRequest.class.getName(), + Constants.OPERATION_REVOKE_PRIVILEGE); + requestTypeToOperationMap.put(TDropSentryRoleRequest.class.getName(), + Constants.OPERATION_DROP_ROLE); + requestTypeToOperationMap.put( + TAlterSentryRoleAddGroupsRequest.class.getName(), + Constants.OPERATION_ADD_ROLE); + requestTypeToOperationMap.put( + TAlterSentryRoleDeleteGroupsRequest.class.getName(), + Constants.OPERATION_DELETE_ROLE); + + 
requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(), + Constants.OBJECT_TYPE_ROLE); + requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(), + Constants.OBJECT_TYPE_ROLE); + requestTypeToObjectTypeMap.put( + TAlterSentryRoleAddGroupsRequest.class.getName(), + Constants.OBJECT_TYPE_ROLE); + requestTypeToObjectTypeMap.put( + TAlterSentryRoleDeleteGroupsRequest.class.getName(), + Constants.OBJECT_TYPE_ROLE); + requestTypeToObjectTypeMap.put( + TAlterSentryRoleGrantPrivilegeRequest.class.getName(), + Constants.OBJECT_TYPE_PRINCIPAL); + requestTypeToObjectTypeMap.put( + TAlterSentryRoleRevokePrivilegeRequest.class.getName(), + Constants.OBJECT_TYPE_PRINCIPAL); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 1b05db3..5848e30 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java 
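Review bot: `OPERATION_GRANT_PRIVILEGE` is defined as `"GRANTE_PRIVILEGE"`, a typo in a value that is written into every grant audit record and that log consumers will key on; once it ships, correcting it becomes a format change. Fix it before release: `public final static String OPERATION_GRANT_PRIVILEGE = "GRANT_PRIVILEGE";`. The two lookup maps are public, mutable `HashMap`s, so any code in the JVM can alter the operation vocabulary; wrap them with `Collections.unmodifiableMap` after the static initializer (or build them in a private method) and add a one-line Javadoc on each stating that the keys are fully-qualified request class names.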
@@ -32,6 +32,8 @@ import org.apache.sentry.provider.db.SentryAccessDeniedException; import org.apache.sentry.provider.db.SentryAlreadyExistsException; import org.apache.sentry.provider.db.SentryInvalidInputException; import org.apache.sentry.provider.db.SentryNoSuchObjectException; +import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory; +import org.apache.sentry.provider.db.log.util.Constants; import org.apache.sentry.provider.db.service.persistent.CommitContext; import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig; @@ -52,6 +54,7 @@ import com.google.common.collect.Sets; @SuppressWarnings("unused") public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyStoreProcessor.class); + private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME); public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService"; @@ -158,6 +161,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } + + AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity( + request, response, conf).toJsonFormatLog()); return response; } @@ -191,6 +197,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { response.setStatus(Status.RuntimeError(msg, e)); } + AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity( + request, response, conf).toJsonFormatLog()); return response; } @@ -227,6 +235,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { response.setStatus(Status.RuntimeError(msg, e)); } + AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity( + request, response, conf).toJsonFormatLog()); return response; } 
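Review bot: Each added `AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, conf).toJsonFormatLog())` call sits after the method's try/catch, so an exception raised while building the entity (for example a null field inside the request) propagates to the client after the store operation has already been committed; the hunks at lines 254, 281 and 308 have the same shape. Wrap the emission so the response is still returned, e.g. `try { AUDIT_LOGGER.info(...); }` / `catch (RuntimeException e) { LOGGER.error("Failed to write audit log", e); }`, or move it inside the existing block; each enclosing method starts outside its hunk. The diffstat includes no logging configuration for the new `sentry.hive.authorization.ddl.logger` category, so presumably the events go to whatever appender the root logger has until a deployment routes them to a dedicated, access-controlled audit file.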
@@ -254,6 +264,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } + + AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity( + request, response, conf).toJsonFormatLog()); return response; } @@ -281,6 +294,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } + + AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity( + request, response, conf).toJsonFormatLog()); return response; } @@ -308,6 +324,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } + + AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity( + request, response, conf).toJsonFormatLog()); return response; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java index b37db2b..691c1fb 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java 
@@ -32,7 +32,7 @@ public class SentryPolicyStoreProcessorFactory extends ProcessorFactory { new SentryPolicyStoreProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, conf); TProcessor processor = - new SentryPolicyService.Processor<SentryPolicyService.Iface>(sentryServiceHandler); + new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler); multiplexedProcessor.registerProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, processor); return true; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java new file mode 100644 index 0000000..33e741d --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java 
@@ -0,0 +1,83 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.thrift; + +import java.net.Socket; + +import org.apache.sentry.provider.db.log.util.CommandUtil; +import org.apache.thrift.TException; +import org.apache.thrift.protocol.TProtocol; +import org.apache.thrift.transport.TSaslClientTransport; +import org.apache.thrift.transport.TSaslServerTransport; +import org.apache.thrift.transport.TSocket; +import org.apache.thrift.transport.TTransport; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class SentryProcessorWrapper<I extends SentryPolicyService.Iface> extends + SentryPolicyService.Processor<SentryPolicyService.Iface> { + + private static final Logger LOGGER = LoggerFactory.getLogger(SentryProcessorWrapper.class); + + public SentryProcessorWrapper(I iface) { + super(iface); + } + + @Override + public boolean process(TProtocol in, TProtocol out) throws TException { + setIpAddress(in); + setImpersonator(in); + return super.process(in, out); + } + + private void setImpersonator(final TProtocol in) { + TTransport transport = in.getTransport(); + if (transport instanceof TSaslServerTransport) { + String impersonator = 
((TSaslServerTransport) transport).getSaslServer().getAuthorizationID(); + CommandUtil.setImpersonator(impersonator); + } + } + + private void setIpAddress(final TProtocol in) { + TTransport transport = in.getTransport(); + TSocket tSocket = getUnderlyingSocketFromTransport(transport); + if (tSocket != null) { + setIpAddress(tSocket.getSocket()); + } else { + LOGGER.warn("Unknown Transport, cannot determine ipAddress"); + } + } + + private void setIpAddress(Socket socket) { + CommandUtil.setIpAddress(socket.getInetAddress().toString()); + } + + private TSocket getUnderlyingSocketFromTransport(TTransport transport) { + if (transport != null) { + if (transport instanceof TSaslServerTransport) { + transport = ((TSaslServerTransport) transport).getUnderlyingTransport(); + } else if (transport instanceof TSaslClientTransport) { + transport = ((TSaslClientTransport) transport).getUnderlyingTransport(); + } else if (transport instanceof TSocket) { + return (TSocket) transport; + } + } + return null; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java index 111fabf..52eaeed 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java 
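Review bot: process() stores the request context in CommandUtil but never resets it: setImpersonator stores nothing when the transport is not a TSaslServerTransport and setIpAddress only warns when no socket is found, so whatever the previous request on that thread stored is attributed to the next request in its audit record. Whether CommandUtil keeps these values per thread or in plain static fields is not visible here; if it is the latter, concurrent requests can also overwrite each other's values before the audit entry is built, which should be checked. In setIpAddress(Socket), `socket.getInetAddress()` is null for an unconnected socket, and its toString() yields `host/address` with a hostname when one is cached, whereas `getHostAddress()` records the bare address the connection actually came from, which is what an audit consumer can correlate. Clear the context in a finally around super.process and guard the null; the exact clearing calls depend on CommandUtil's API, which is not shown.
```java
@Override
public boolean process(TProtocol in, TProtocol out) throws TException {
  setIpAddress(in);
  setImpersonator(in);
  try {
    return super.process(in, out);
  } finally {
    // Drop the per-request context so a reused thread cannot carry it into the
    // next request; CommandUtil must accept a clearing value (or expose a clear method).
    CommandUtil.setIpAddress(null);
    CommandUtil.setImpersonator(null);
  }
}

private void setIpAddress(Socket socket) {
  if (socket.getInetAddress() == null) {
    LOGGER.warn("Socket is not connected, cannot determine ipAddress");
    return;
  }
  CommandUtil.setIpAddress(socket.getInetAddress().getHostAddress());
}
```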
@@ -89,6 +89,9 @@ public class ServiceConstants { public static final String SENTRY_VERIFY_SCHEM_VERSION = "sentry.verify.schema.version"; public static final String SENTRY_VERIFY_SCHEM_VERSION_DEFAULT = "true"; + public static final String SENTRY_SERVICE_NAME = "sentry.service.name"; + public static final String SENTRY_SERVICE_NAME_DEFAULT = "Sentry-Service"; + public static final String SENTRY_STORE_GROUP_MAPPING = "sentry.store.group.mapping"; public static final String SENTRY_STORE_GROUP_MAPPING_RESOURCE = "sentry.store.group.mapping.resource"; public static final String SENTRY_STORE_HADOOP_GROUP_MAPPING = "org.apache.sentry.provider.common.HadoopGroupMappingService"; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java new file mode 100644 index 0000000..cd0a435 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java 
@@ -0,0 +1,68 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.entity; + +import junit.framework.TestCase; + +import org.apache.sentry.provider.db.log.util.Constants; +import org.codehaus.jackson.JsonNode; +import org.codehaus.jackson.node.ContainerNode; +import org.junit.Test; + +public class TestAuditMetadataLogEntity extends TestCase { + + @Test + public void testToJsonFormatLog() throws Throwable { + AuditMetadataLogEntity amle = new AuditMetadataLogEntity("serviceName", + "userName", "impersonator", "ipAddress", "operation", "eventTime", + "operationText", "allowed", "databaseName", "tableName", + "resourcePath", "objectType"); + String jsonAuditLog = amle.toJsonFormatLog(); + ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog); + assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR, + "impersonator"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation"); + assertEntryEquals(rootNode, 
Constants.LOG_FIELD_EVENT_TIME, "eventTime"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT, + "operationText"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME, + "databaseName"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH, + "resourcePath"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType"); + } + + void assertEntryEquals(ContainerNode rootNode, String key, String value) { + JsonNode node = assertNodeContains(rootNode, key); + assertEquals(value, node.getTextValue()); + } + + private JsonNode assertNodeContains(ContainerNode rootNode, String key) { + JsonNode node = rootNode.get(key); + if (node == null) { + fail("No entry of name \"" + key + "\" found in " + rootNode.toString()); + } + return node; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java new file mode 100644 index 0000000..fc9c716 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java 
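Review bot: testToJsonFormatLog only round-trips plain identifier-like strings, so it does not pin the property that matters most for an audit record: values that originate from the request (role, group, database and table names end up in operationText and the name fields) must be escaped so that a value containing a quote, newline or brace cannot break parsing or read as a second record. Add a case that constructs the entity with a value such as `"CREATE ROLE \"x\"\n{\"allowed\":\"true\"}"` and asserts that parse() yields one node whose field equals the original string. The class also mixes JUnit 3 (`extends TestCase`) with the JUnit 4 `@Test` annotation; under TestCase the annotation is ignored, so either drop `extends TestCase` and static-import the assertions or drop `@Test`. `assertEntryEquals` should be `private` like its sibling.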
@@ -0,0 +1,293 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.entity; + +import static junit.framework.Assert.assertEquals; + +import java.util.LinkedHashSet; +import java.util.Set; + +import org.apache.hadoop.conf.Configuration; +import org.apache.log4j.Logger; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.log.util.CommandUtil; +import org.apache.sentry.provider.db.log.util.Constants; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse; +import 
org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest; +import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse; +import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest; +import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse; +import org.apache.sentry.provider.db.service.thrift.TSentryGroup; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.apache.sentry.service.thrift.Status; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestJsonLogEntityFactory { + + private static Configuration conf; + private Logger sentryLogger = Logger.getRootLogger(); + + private static String TEST_IP = "localhost/127.0.0.1"; + private static String TEST_IMPERSONATOR = "impersonator"; + private static String TEST_ROLE_NAME = "testRole"; + private static String TEST_USER_NAME = "requestUser"; + private static String TEST_DATABASE_NAME = "testDB"; + private static String TEST_TABLE_NAME = "testTable"; + private static String TEST_GROUP = "testGroup"; + + @BeforeClass + public static void init() { + conf = new Configuration(); + conf.set(ServerConfig.SENTRY_SERVICE_NAME, + ServerConfig.SENTRY_SERVICE_NAME_DEFAULT); + CommandUtil.setIpAddress(TEST_IP); + CommandUtil.setImpersonator(TEST_IMPERSONATOR); + } + + @Test + public void testCreateRole() { + TCreateSentryRoleRequest request = new TCreateSentryRoleRequest(); + TCreateSentryRoleResponse response = new TCreateSentryRoleResponse(); + request.setRequestorUserName(TEST_USER_NAME); + request.setRoleName(TEST_ROLE_NAME); + response.setStatus(Status.OK()); + AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory + .getInstance().createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE, + 
"CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + + response.setStatus(Status.InvalidInput("", null)); + amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() + .createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE, + "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + } + + @Test + public void testDropRole() { + TDropSentryRoleRequest request = new TDropSentryRoleRequest(); + TDropSentryRoleResponse response = new TDropSentryRoleResponse(); + request.setRequestorUserName(TEST_USER_NAME); + request.setRoleName(TEST_ROLE_NAME); + response.setStatus(Status.OK()); + AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory + .getInstance().createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE, + "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + + response.setStatus(Status.InvalidInput("", null)); + amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() + .createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE, + "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + } + + @Test + public void testGrantRole() { + TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); + request.setRequestorUserName(TEST_USER_NAME); + request.setRoleName(TEST_ROLE_NAME); + + TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse(); + + TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL, + PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null); + request.setPrivilege(privilege); + 
response.setStatus(Status.OK()); + AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory + .getInstance().createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE, + "GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME, + null, null, Constants.OBJECT_TYPE_PRINCIPAL); + sentryLogger.debug(amle.toJsonFormatLog()); + + privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(), + null, TEST_TABLE_NAME, null, null); + request.setPrivilege(privilege); + response.setStatus(Status.InvalidInput("", null)); + amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() + .createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE, + "GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME, + null, Constants.OBJECT_TYPE_PRINCIPAL); + sentryLogger.debug(amle.toJsonFormatLog()); + } + + @Test + public void testRevokeRole() { + TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest(); + TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse(); + request.setRequestorUserName(TEST_USER_NAME); + request.setRoleName(TEST_ROLE_NAME); + + TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL, + PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null); + request.setPrivilege(privilege); + response.setStatus(Status.OK()); + AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory + .getInstance().createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE, + "REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME, + null, null, Constants.OBJECT_TYPE_PRINCIPAL); + sentryLogger.debug(amle.toJsonFormatLog()); + + privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(), + null, 
TEST_TABLE_NAME, null, null); + request.setPrivilege(privilege); + response.setStatus(Status.InvalidInput("", null)); + amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() + .createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE, + "REVOKE ALL ON TABLE testTable FROM ROLE testRole", null, + TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL); + sentryLogger.debug(amle.toJsonFormatLog()); + } + + @Test + public void testAddRole() { + TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest(); + TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse(); + request.setRequestorUserName(TEST_USER_NAME); + request.setRoleName(TEST_ROLE_NAME); + request.setGroups(getGroups()); + response.setStatus(Status.OK()); + AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory + .getInstance().createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE, + "GRANT ROLE testRole TO GROUP testGroup", null, null, null, + Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + + response.setStatus(Status.InvalidInput("", null)); + amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() + .createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE, + "GRANT ROLE testRole TO GROUP testGroup", null, null, null, + Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + } + + @Test + public void testDeleteRole() { + TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest(); + TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse(); + request.setRequestorUserName(TEST_USER_NAME); + request.setRoleName(TEST_ROLE_NAME); + request.setGroups(getGroups()); + response.setStatus(Status.OK()); + AuditMetadataLogEntity amle = 
(AuditMetadataLogEntity) JsonLogEntityFactory + .getInstance().createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE, + "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null, + Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + + response.setStatus(Status.InvalidInput("", null)); + amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() + .createJsonLogEntity(request, response, conf); + assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE, + "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null, + Constants.OBJECT_TYPE_ROLE); + sentryLogger.debug(amle.toJsonFormatLog()); + } + + private void assertCommon(AuditMetadataLogEntity amle, + String allowedExcepted, String operationExcepted, + String operationTextExcepted, String databaseNameExcepted, + String tableNameExcepted, String resourcePathExcepted, + String objectTypeExcepted) { + assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT, + amle.getServiceName()); + assertEquals(TEST_IP, amle.getIpAddress()); + assertEquals(TEST_USER_NAME, amle.getUserName()); + assertEquals(TEST_IMPERSONATOR, amle.getImpersonator()); + assertEquals(allowedExcepted, amle.getAllowed()); + assertEquals(operationExcepted, amle.getOperation()); + assertEquals(operationTextExcepted, amle.getOperationText()); + assertEquals(tableNameExcepted, amle.getTableName()); + assertEquals(databaseNameExcepted, amle.getDatabaseName()); + assertEquals(resourcePathExcepted, amle.getResourcePath()); + assertEquals(objectTypeExcepted, amle.getObjectType()); + } + + // private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() { + // TAlterSentryRoleGrantPrivilegeRequest request = new + // TAlterSentryRoleGrantPrivilegeRequest(); + // request.setRoleName(TEST_ROLE_NAME); + // return request; + // } + // + // private TAlterSentryRoleGrantPrivilegeResponse getGrantPrivilegeResponse( + // TSentryResponseStatus status) 
{ + // TAlterSentryRoleGrantPrivilegeResponse response = new + // TAlterSentryRoleGrantPrivilegeResponse(); + // response.setStatus(status); + // return response; + // } + + // private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest() + // { + // TAlterSentryRoleRevokePrivilegeRequest request = new + // TAlterSentryRoleRevokePrivilegeRequest(); + // request.setRoleName(TEST_ROLE_NAME); + // return request; + // } + // + // private TAlterSentryRoleRevokePrivilegeResponse getRevokePrivilegeResponse( + // TSentryResponseStatus status) { + // TAlterSentryRoleRevokePrivilegeResponse response = new + // TAlterSentryRoleRevokePrivilegeResponse(); + // response.setStatus(status); + // return response; + // } + + private TSentryPrivilege getPrivilege(String action, String privilegeScope, + String dbName, String tableName, String serverName, String URI) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setAction(action); + privilege.setPrivilegeScope(privilegeScope); + privilege.setDbName(dbName); + privilege.setTableName(tableName); + privilege.setServerName(serverName); + privilege.setURI(URI); + return privilege; + } + + private Set<TSentryGroup> getGroups() { + Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName(TEST_GROUP); + groups.add(group); + return groups; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java new file mode 100644 index 0000000..392289c --- /dev/null 
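Review bot: The two commented-out helper blocks between assertCommon and getPrivilege (getGrantPrivilegeRequest/Response and getRevokePrivilegeRequest/Response) are dead code and should be deleted rather than committed; version control keeps them if they are ever needed. The assertCommon parameters are named `...Excepted` where `...Expected` is meant, which reads as a different word in every assertion. The TEST_* fields are mutable statics and should be `private static final`. Every test exercises the allowed=false path only through Status.InvalidInput; if Status provides an access-denied status, one case using it would pin that a denied request is logged as not allowed, which is the record an auditor cares about most.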
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java 
@@ -0,0 +1,303 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.log.util; + +import java.util.LinkedHashSet; +import java.util.Set; + +import junit.framework.TestCase; + +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; +import org.apache.sentry.provider.db.service.thrift.TSentryGroup; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; +import org.junit.Test; + +public class TestCommandUtil extends TestCase { + + @Test + public void testCreateCmdForCreateOrDropRole() { + String roleName = "testRole"; + + String createRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole( + roleName, true); + String dropRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole( + roleName, false); + String createRoleCmdExcepted = 
"CREATE ROLE testRole";
+ String dropRoleCmdExcepted = "DROP ROLE testRole";
+
+ assertEquals(createRoleCmdExcepted, createRoleCmdResult);
+ assertEquals(dropRoleCmdResult, dropRoleCmdExcepted);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteGroup1() {
+
+ TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
+ TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
+
+ Set<TSentryGroup> groups = getGroups(1);
+ requestAdd.setGroups(groups);
+ requestDelete.setGroups(groups);
+
+ String createRoleAddGroupCmdResult = CommandUtil
+ .createCmdForRoleAddGroup(requestAdd);
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1";
+ String createRoleDeleteGroupCmdResult = CommandUtil
+ .createCmdForRoleDeleteGroup(requestDelete);
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1";
+
+ assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ assertEquals(createRoleDeleteGroupCmdExcepted,
+ createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteGroup2() {
+
+ TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
+ TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
+
+ Set<TSentryGroup> groups = getGroups(3);
+ requestAdd.setGroups(groups);
+ requestDelete.setGroups(groups);
+
+ String createRoleAddGroupCmdResult = CommandUtil
+ .createCmdForRoleAddGroup(requestAdd);
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1, testGroup2, testGroup3";
+ String createRoleDeleteGroupCmdResult = CommandUtil
+ .createCmdForRoleDeleteGroup(requestDelete);
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1, testGroup2, testGroup3";
+
+ assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ assertEquals(createRoleDeleteGroupCmdExcepted,
+ createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege1() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ALL ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ALL ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege2() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.INSERT,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT INSERT ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE INSERT ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege3() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege4() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(null,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT null ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE null ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege5() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.TABLE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON TABLE tableTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON TABLE tableTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege6() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege7() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.URI.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON URI hdfs://namenode:port/path/to/dir TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON URI hdfs://namenode:port/path/to/dir FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ private TAlterSentryRoleAddGroupsRequest getRoleAddGroupsRequest() {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TAlterSentryRoleDeleteGroupsRequest getRoleDeleteGroupsRequest() {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private Set<TSentryGroup> getGroups(int num) {
+ Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+ for (int i = 0; i < num; i++) {
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName("testGroup" + (i + 1));
+ groups.add(group);
+ }
+ return groups;
+ }
+
+ private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+ String dbName, String tableName, String serverName, String URI) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(action);
+ privilege.setPrivilegeScope(privilegeScope);
+ privilege.setDbName(dbName);
+ privilege.setTableName(tableName);
+ privilege.setServerName(serverName);
+ privilege.setURI(URI);
+ return privilege;
+ }
+}
