Repository: incubator-sentry Updated Branches: refs/heads/master 2fb35eb9c -> e4dc61d52
SENTRY-507: Ban additional configs in getConfigVal() (Mike Yoder via Lenni Kuff) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/e4dc61d5 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/e4dc61d5 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/e4dc61d5 Branch: refs/heads/master Commit: e4dc61d52b159b21ab2cced635a789c2b1e551d6 Parents: 2fb35eb Author: Lenni Kuff <[email protected]> Authored: Tue Oct 28 15:02:06 2014 -0700 Committer: Lenni Kuff <[email protected]> Committed: Tue Oct 28 15:02:47 2014 -0700 ---------------------------------------------------------------------- .../thrift/SentryPolicyStoreProcessor.java | 7 ++- .../thrift/TestSentryServiceIntegration.java | 49 +++++++++++--------- 2 files changed, 31 insertions(+), 25 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e4dc61d5/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 6de9992..d64d019 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -602,12 +602,15 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 public TSentryConfigValueResponse get_sentry_config_value( TSentryConfigValueRequest request) throws TException {
+ final String requirePattern = "^sentry\\..*";
+ final String excludePattern = ".*keytab.*|.*\\.jdbc\\..*|.*password.*";
+
 TSentryConfigValueResponse response = new TSentryConfigValueResponse();
 String attr = request.getPropertyName();
 // Only allow config parameters like...
- if (!Pattern.matches("^sentry\\..*", attr) ||
- Pattern.matches(".*keytab.*", attr)) {
+ if (!Pattern.matches(requirePattern, attr) ||
+ Pattern.matches(excludePattern, attr)) {
 String msg = "Attempted access of the configuration property " + attr + " was denied";
 LOGGER.error(msg);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e4dc61d5/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 23bd765..50ee559 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
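Review bot: The denylist in `excludePattern` is matched case-sensitively, because `Pattern.matches(excludePattern, attr)` compiles the string with default flags, so a property name that differs from `keytab`, `.jdbc.` or `password` only in letter case slips past the check, and both regexes are recompiled from their string form on every request. Hoisting them to class-level constants fixes both: `private static final Pattern REQUIRE = Pattern.compile("^sentry\\..*");`, `private static final Pattern EXCLUDE = Pattern.compile(".*keytab.*|.*\\.jdbc\\..*|.*password.*", Pattern.CASE_INSENSITIVE);`, and `if (!REQUIRE.matcher(attr).matches() || EXCLUDE.matcher(attr).matches()) {`. A substring denylist also only protects the names someone thought to list; if the set of properties clients legitimately need is small, an explicit allowlist of readable names would be the safer default. The comment `// Only allow config parameters like...` is left dangling and should state the actual rule. The body of `get_sentry_config_value` continues past the end of this hunk.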
@@ -638,6 +638,23 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 }
 }
+ /**
+ * Attempt to access a configuration value that is forbidden in getConfigVal
+ * @param configVal The banned value
+ * @param defaultVal A default to pass to getConfigValue
+ * @throws Exception
+ */
+ private void checkBannedConfigVal(String configVal, String defaultVal)
+ throws Exception {
+ try {
+ client.getConfigValue(configVal, defaultVal);
+ fail("Attempt to access " + configVal + " succeeded");
+ } catch (SentryAccessDeniedException e) {
+ assertTrue(e.toString().contains("was denied"));
+ assertTrue(e.toString().contains(configVal));
+ }
+ }
+
 @Test
 public void testGetConfigVal() throws Exception {
 String val;
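Review bot: The Javadoc on `checkBannedConfigVal` leaves `@throws Exception` without a description and does not say what the helper actually asserts, which is the part a reader of the test needs. Suggest a summary line such as `Asserts that getConfigValue rejects {@code configVal} with a SentryAccessDeniedException whose message names the property.` and `@throws Exception if the call fails for any reason other than access denial`. The `fail(...)` inside the try is fine as written, since the AssertionError it throws is not caught by the `SentryAccessDeniedException` handler.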
@@ -659,33 +676,19 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 assertEquals(val, "admin_group");
 // Value that is forbidden (anything not starting with "sentry") dies
- try {
- val = client.getConfigValue("notsentry", "xxx");
- fail("Attempt to access banned config value succeeded");
- } catch (SentryAccessDeniedException e) {
- assertTrue(e.toString().contains("was denied"));
- assertTrue(e.toString().contains("notsentry"));
- // expected
- }
+ checkBannedConfigVal("notsentry", "xxx");
 // Ditto with a null default
- try {
- val = client.getConfigValue("notsentry", null);
- fail("Attempt to access banned config value succeeded");
- } catch (SentryAccessDeniedException e) {
- assertTrue(e.toString().contains("was denied"));
- assertTrue(e.toString().contains("notsentry"));
- // expected
- }
+ checkBannedConfigVal("notsentry", null);
+
+ // Values with .jdbc. are forbidden
+ checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
+
+ // Values with password are forbidden
+ checkBannedConfigVal("sentry.xxx.password", null);
 // Attempt to get the location of the keytab also fails
- try {
- val = client.getConfigValue("sentry.service.server.keytab", "xxx");
- fail("Attempt to access banned keytab succeeded");
- } catch (SentryAccessDeniedException e) {
- assertTrue(e.toString().contains("was denied"));
- assertTrue(e.toString().contains("keytab"));
- }
+ checkBannedConfigVal("sentry.service.server.keytab", null);
 // null parameter name fails
 try {
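Review bot: The new banned-name cases use only lower-case property names, so this test cannot detect that the server-side filter in `get_sentry_config_value` is case-sensitive (it is applied with `Pattern.matches` and no flags in the processor hunk of this commit). If that filter is made case-insensitive, pin it here with one mixed-case case such as `checkBannedConfigVal("sentry.xxx.Password", null);`. Separately, the keytab check now passes `null` where the removed block passed `"xxx"`, which slightly narrows what that case covers; it looks harmless given the earlier `"notsentry"` pair with both defaults, but the commit message does not mention the change. `testGetConfigVal` starts and ends outside this hunk.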
