Repository: incubator-sentry Updated Branches: refs/heads/master 977d69f22 -> f31450c93
SENTRY-445: WITH GRANT OPTION does not allow delegated user to grant less permissive privileges (Prasad Mujumdar, reviewed by Linni Kuff Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/f31450c9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/f31450c9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/f31450c9 Branch: refs/heads/master Commit: f31450c93e564cbcbc7f9a2c264887d056b2aecf Parents: 977d69f Author: Prasad Mujumdar <[email protected]> Authored: Tue Sep 30 11:20:10 2014 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Tue Sep 30 11:20:10 2014 -0700 ---------------------------------------------------------------------- .../sentry/core/model/db/AccessConstants.java | 1 + .../db/service/model/MSentryPrivilege.java | 6 ++- .../service/persistent/TestSentryPrivilege.java | 49 +++++++++++++------- 3 files changed, 38 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f31450c9/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java ----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
index 26007d9..99cefb7 100644
--- a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
@@ -26,6 +26,7 @@ public class AccessConstants { */ public static final String ALL = "*"; public static final String SOME = "+"; + public static final String ACTION_ALL = "ALL"; public static final String SELECT = "select"; public static final String INSERT = "insert"; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f31450c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java index 0667cb5..1150e47 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java @@ -24,6 +24,7 @@ import java.util.Set; import javax.jdo.annotations.PersistenceCapable; import org.apache.sentry.core.common.utils.PathUtils; +import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.db.service.persistent.SentryStore; /** @@ -268,8 +269,9 @@ public boolean equals(Object obj) { } // check action implies - if (!action.equalsIgnoreCase("*") && - !action.equalsIgnoreCase(other.action)) { + if (!action.equalsIgnoreCase(AccessConstants.ALL) + && !action.equalsIgnoreCase(other.action) + && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) { return false; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f31450c9/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java ---------------------------------------------------------------------- 
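Review bot: The new `ACTION_ALL = "ALL"` sits directly beside `ALL = "*"` with no comment saying how the two differ, and the names alone do not tell a reader which one an action should be compared against. I would add a line above it such as `// "ALL" action keyword; matched case-insensitively and treated like the "*" wildcard in privilege checks`, assuming that is the intended meaning. It is also upper-case while `SELECT` and `INSERT` are lower-case, so any comparison elsewhere that is not case-insensitive will miss it. The class body continues outside the hunk.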
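Review bot: The action check in MSentryPrivilege now spells out the two wildcard comparisons inline (`AccessConstants.ALL` and `AccessConstants.ACTION_ALL`) with the `other.action` comparison wedged between them, so any other authorization check that still tests only for `"*"` will quietly disagree with this one. A private helper, e.g. `private static boolean isAllActions(String a) { return AccessConstants.ALL.equalsIgnoreCase(a) || AccessConstants.ACTION_ALL.equalsIgnoreCase(a); }`, would keep both spellings in one place, and the condition would read `if (!isAllActions(action) && !action.equalsIgnoreCase(other.action)) {`. The hunk header names `equals(Object obj)`, but the `// check action implies` comment and the tests suggest this is the implies check; the enclosing method starts and ends outside the hunk, so that is inferred.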
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
index 91d3171..47caf07 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
@@ -50,28 +50,45 @@ public class TestSentryPrivilege { my.setDbName(""); assertTrue(my.implies(your)); - // 2.test server+URI+action - my = new MSentryPrivilege(); - your = new MSentryPrivilege(); - my.setServerName("server1"); - my.setAction(AccessConstants.ALL); - your.setServerName("server1"); - your.setAction(AccessConstants.ALL); - my.setURI("hdfs://namenode:9000/path"); - your.setURI("hdfs://namenode:9000/path"); + my.setAction(AccessConstants.ACTION_ALL); assertTrue(my.implies(your)); - my.setURI("hdfs://namenode:9000/path"); - your.setURI("hdfs://namenode:9000/path/to/some/dir"); + my.setTableName(""); assertTrue(my.implies(your)); - my.setURI("file:///path"); - your.setURI("file:///path"); + my.setDbName(""); assertTrue(my.implies(your)); - my.setURI("file:///path"); - your.setURI("file:///path/to/some/dir"); - assertTrue(my.implies(your)); + // 2.test server+URI+action using all combinations of * and ALL for action + String[][] actionMap = new String[][] { + { AccessConstants.ALL, AccessConstants.ALL }, + { AccessConstants.ALL, AccessConstants.ACTION_ALL }, + { AccessConstants.ACTION_ALL, AccessConstants.ALL }, + { AccessConstants.ACTION_ALL, AccessConstants.ACTION_ALL } }; + + for (int actions = 0; actions < actionMap.length; actions++) { + my = new MSentryPrivilege(); + your = new MSentryPrivilege(); + my.setServerName("server1"); + my.setAction(actionMap[actions][0]); + your.setServerName("server1"); + your.setAction(actionMap[actions][1]); + my.setURI("hdfs://namenode:9000/path"); + your.setURI("hdfs://namenode:9000/path"); + assertTrue(my.implies(your)); + + my.setURI("hdfs://namenode:9000/path"); + your.setURI("hdfs://namenode:9000/path/to/some/dir"); + assertTrue(my.implies(your)); + + my.setURI("file:///path"); + your.setURI("file:///path"); + assertTrue(my.implies(your)); + + my.setURI("file:///path"); + your.setURI("file:///path/to/some/dir"); + assertTrue(my.implies(your)); + } } @Test
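Review bot: Every assertion added in this hunk is `assertTrue`, so these tests would still pass if the implies check accepted any pair of actions; for a check that gates what a grant-option holder may delegate, the denial direction needs pinning as well. I would add a case such as `my.setAction(AccessConstants.SELECT); your.setAction(AccessConstants.ACTION_ALL); assertFalse(my.implies(your));` and the same with `AccessConstants.ALL` on `your`. Inside the loop, a message argument like `assertTrue(actionMap[actions][0] + " vs " + actionMap[actions][1], my.implies(your));` would show which combination failed. The test method starts before the hunk, so negative cases may already exist elsewhere in the file.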
