Repository: incubator-sentry Updated Branches: refs/heads/master 89a9243fd -> fd704487d
SENTRY-417: Allow all users "Show role GRANT" as long as they belong to that group ( Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/fd704487
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/fd704487
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/fd704487
Branch: refs/heads/master
Commit: fd704487df49428cba258c8ef26db970dbc9d211
Parents: 89a9243
Author: Sravya Tirukkovalur <[email protected]>
Authored: Tue Sep 16 09:59:12 2014 -0700
Committer: Sravya Tirukkovalur <[email protected]>
Committed: Tue Sep 16 09:59:12 2014 -0700
----------------------------------------------------------------------
.../thrift/SentryPolicyStoreProcessor.java | 13 +++--
.../e2e/dbprovider/TestDatabaseProvider.java | 54 ++++++++++++++++++++
2 files changed, 62 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/fd704487/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 070c494..ad66838 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -337,17 +337,20 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 TListSentryRolesResponse response = new TListSentryRolesResponse();
 TSentryResponseStatus status;
 Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
- Set<String> groups = new HashSet<String>();
+ String subject = request.getRequestorUserName();
 boolean checkAllGroups = false;
 try {
+ Set<String> groups = getRequestorGroups(subject);
 // Don't check admin permissions for listing requestor's own roles
 if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
- groups = getRequestorGroups(request.getRequestorUserName());
 checkAllGroups = true;
 } else {
- authorize(request.getRequestorUserName(),
- getRequestorGroups(request.getRequestorUserName()));
- groups.add(request.getGroupName());
+ if (!inAdminGroups(groups)) {
+ // non-admin can only list roles for their own group
+ if (!groups.contains(request.getGroupName())) {
+ throw new SentryAccessDeniedException("Access denied to " + subject);
+ }
+ }
 }
 roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
 response.setRoles(roleSet);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/fd704487/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index 066e909..2865a6f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
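Review bot: In the new `else` branch the store is still queried with the requestor's own groups: `groups` now holds the result of `getRequestorGroups(subject)` and, unlike the removed `groups.add(request.getGroupName())`, nothing narrows it to the requested group before `sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups)`. An admin asking for a specific group therefore gets the roles of the admin's own groups, and a non-admin who belongs to several groups gets the union of all of them instead of the one named in the request. After the admin/membership check, reset the set to the requested group: `groups = new HashSet<String>();` followed by `groups.add(request.getGroupName());`. The two nested `if`s could also collapse into one condition, `if (!inAdminGroups(groups) && !groups.contains(request.getGroupName()))`. The enclosing method starts and ends outside the hunk.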
@@ -19,6 +19,7 @@ package org.apache.sentry.tests.e2e.dbprovider;
 import static org.hamcrest.Matchers.equalToIgnoringCase;
 import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -1369,6 +1370,59 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
 }
 /**
+ * SHOW ROLE GRANT GROUP groupName
+ * @throws Exception
+ 4.1. Show role grant works for non-admin users when the user belongs to the requested group
+ 4.2. Show role grant FAILS for non-admin users when the user doesn't belongs to the requested group
+ */
+ @Test
+ public void testShowRolesByGroupNonAdmin() throws Exception {
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ //This is non deterministic as we are now using same sentry service across the tests
+ // and orphan groups are not cleaned up.
+ //context.assertSentryException(statement,"SHOW ROLE GRANT GROUP " + ADMINGROUP,
+ // SentryNoSuchObjectException.class.getSimpleName());
+ statement.execute("CREATE ROLE role1");
+ statement.execute("CREATE ROLE role2");
+ statement.execute("GRANT ROLE role1 to GROUP " + USERGROUP1);
+ statement.execute("GRANT ROLE role2 to GROUP " + USERGROUP2);
+ statement.execute("GRANT ROLE role1 to GROUP " + ADMINGROUP);
+ statement.execute("GRANT ROLE role2 to GROUP " + ADMINGROUP);
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ // show role ADMINGROUP should fail for user1
+ context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + ADMINGROUP, SentryAccessDeniedException.class.getSimpleName());
+ ResultSet resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP1);
+ assertTrue(resultSet.next());
+ assertThat(resultSet.getString(1), equalToIgnoringCase("role1"));
+ assertFalse(resultSet.next());
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ // show role group1 should fail for user2
+ context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + USERGROUP1, SentryAccessDeniedException.class.getSimpleName());
+ resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP2);
+ assertTrue(resultSet.next());
+ assertThat(resultSet.getString(1), equalToIgnoringCase("role2"));
+ assertFalse(resultSet.next());
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ // show role group1 should fail for user3
+ context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + USERGROUP1, SentryAccessDeniedException.class.getSimpleName());
+ statement.close();
+ connection.close();
+ }
+
+ /**
 * SHOW GRANT ROLE roleName
 * @throws Exception
 5.1. When there are no privileges granted to a role, returns an empty list
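Review bot: The test never exercises the admin path for a specific group, which is exactly where the processor change departs from the old `groups.add(request.getGroupName())` behaviour: `ADMIN1` only performs the grants, and no assertion checks that `SHOW ROLE GRANT GROUP USERGROUP1` issued by an admin returns just `role1`. The method also leaves `role1` and `role2` (both granted to `ADMINGROUP`) behind on the shared Sentry service that its own leading comment warns about, so later tests in this class may observe them. An admin-side assertion followed by dropping both roles at the end covers both points; `testShowRolesByGroupNonAdmin` lies entirely inside the hunk.
```java
    // … unchanged: role setup and the USER1_1 / USER2_1 / USER3_1 assertions …
    connection = context.createConnection(ADMIN1);
    statement = context.createStatement(connection);
    // an admin asking for a specific group must see that group's roles, not its own
    resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP1);
    assertTrue(resultSet.next());
    assertThat(resultSet.getString(1), equalToIgnoringCase("role1"));
    assertFalse(resultSet.next());
    statement.execute("DROP ROLE role1");
    statement.execute("DROP ROLE role2");
    statement.close();
    connection.close();
  }
```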
