Repository: incubator-sentry Updated Branches: refs/heads/master 6cb65f9f3 -> 78b61c9af
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/78b61c9a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index 4a6cac9..033af1c 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java @@ -50,548 +50,598 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { @Test public void testCreateDropShowRole() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName = "admin_r"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName); - - client.createRole(requestorUserName, roleName); - - Set<TSentryRole> roles = client.listRoles(requestorUserName); - assertEquals("Incorrect number of roles", 1, roles.size()); - - for (TSentryRole role:roles) { - assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); - } - client.dropRole(requestorUserName, roleName); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_r"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName); + + client.createRole(requestorUserName, roleName); + + Set<TSentryRole> roles = client.listRoles(requestorUserName); + assertEquals("Incorrect number of roles", 1, roles.size()); + + for (TSentryRole role:roles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + } + client.dropRole(requestorUserName, roleName); + }}); } - @Test public void testGranRevokePrivilegeOnTableForRole() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - String roleName1 = "admin_r1"; - String roleName2 = "admin_r2"; - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); - - - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); - - Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size()); - - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size()); - - - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4); - - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); - - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); - - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); + + + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); + + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size()); + + + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4); + + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3); + + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + }}); } @Test public void testMultipleRolesSamePrivilege() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - String roleName1 = "admin_r1"; - String roleName2 = "admin_r2"; - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL"); - Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1); - - client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL"); + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1); + + client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1); + }}); } - @Test public void testShowRoleGrant() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName = "admin_testdb"; - String groupName = "group1"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName); - client.createRole(requestorUserName, roleName); - - Set<TSentryRole> roles = client.listRoles(requestorUserName); - assertEquals("Incorrect number of roles", 1, roles.size()); - - client.grantRoleToGroup(requestorUserName, groupName, roleName); - Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName); - assertTrue(groupRoles.size() == 1); - for (TSentryRole role:groupRoles) { - assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); - assertTrue(role.getGroups().size() == 1); - for (TSentryGroup group :role.getGroups()) { - assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName)); - } - } - - client.dropRole(requestorUserName, roleName); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_testdb"; + String groupName = "group1"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + + Set<TSentryRole> roles = client.listRoles(requestorUserName); + assertEquals("Incorrect number of roles", 1, roles.size()); + + client.grantRoleToGroup(requestorUserName, groupName, roleName); + Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName); + assertTrue(groupRoles.size() == 1); + for (TSentryRole role:groupRoles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + assertTrue(role.getGroups().size() == 1); + for (TSentryGroup group :role.getGroups()) { + assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName)); + } + } + + client.dropRole(requestorUserName, roleName); + }}); } @Test public void testShowGrant() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName = "admin_testdb"; - String server = "server1"; - String db = "testDB"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName); - client.createRole(requestorUserName, roleName); - - Set<TSentryRole> roles = client.listRoles(requestorUserName); - assertEquals("Incorrect number of roles", 1, roles.size()); - - client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); - assertTrue(privileges.size() == 1); - - client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL); - client.dropRole(requestorUserName, roleName); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_testdb"; + String server = "server1"; + String db = "testDB"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + + Set<TSentryRole> roles = client.listRoles(requestorUserName); + assertEquals("Incorrect number of roles", 1, roles.size()); + + client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL); + Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); + assertTrue(privileges.size() == 1); + + client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL); + client.dropRole(requestorUserName, roleName); + }}); } - // See SENTRY-166 + //See SENTRY-166 @Test public void testUriWithEquals() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName = "admin_testdb"; - String server = "server1"; - String uri = "file://u/w/h/t/partition=value/"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - - // Creating associated role - client.dropRoleIfExists(requestorUserName, roleName); - client.createRole(requestorUserName, roleName); - Set<TSentryRole> roles = client.listRoles(requestorUserName); - assertEquals("Incorrect number of roles", 1, roles.size()); - - client.grantURIPrivilege(requestorUserName, roleName, server, uri); - Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); - assertTrue(privileges.size() == 1); - - // Revoking the same privilege - client.revokeURIPrivilege(requestorUserName, roleName, server, uri); - privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); - assertTrue(privileges.size() == 0); - - // Clean up - client.dropRole(requestorUserName, roleName); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_testdb"; + String server = "server1"; + String uri = "file://u/w/h/t/partition=value/"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + // Creating associated role + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + Set<TSentryRole> roles = client.listRoles(requestorUserName); + assertEquals("Incorrect number of roles", 1, roles.size()); + + client.grantURIPrivilege(requestorUserName, roleName, server, uri); + Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); + assertTrue(privileges.size() == 1); + + // Revoking the same privilege + client.revokeURIPrivilege(requestorUserName, roleName, server, uri); + privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); + assertTrue(privileges.size() == 0); + + // Clean up + client.dropRole(requestorUserName, roleName); + }}); } - // See SENTRY-181 + + //See SENTRY-181 @Test public void testSameGrantTwice() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - String roleName = "admin_r1"; - - client.createRole(requestorUserName, roleName); - client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL"); - client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL"); - assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r1"; + + client.createRole(requestorUserName, roleName); + client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL"); + client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL"); + assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + }}); } @Test public void testGrantRevokeWithGrantOption() throws Exception { - // Grant a privilege with Grant Option - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - String roleName = "admin_r1"; - boolean grantOption = true; - boolean withoutGrantOption = false; - - client.dropRoleIfExists(requestorUserName, roleName); - client.createRole(requestorUserName, roleName); - - client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); - assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); - - // Try to revoke the privilege without grantOption and can't revoke the privilege. - client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); - assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); - - // Try to revoke the privilege with grantOption, the privilege will be revoked. - client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); - assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); - + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + // Grant a privilege with Grant Option + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r1"; + boolean grantOption = true; + boolean withoutGrantOption = false; + + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + + client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); + assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + + // Try to revoke the privilege without grantOption and can't revoke the privilege. + client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); + assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + + // Try to revoke the privilege with grantOption, the privilege will be revoked. + client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); + assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + }}); } @Test public void testGrantTwoPrivilegeDiffInGrantOption() throws Exception { - // Grant a privilege with 'Grant Option'. - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - String roleName = "admin_r1"; - boolean grantOption = true; - boolean withoutGrantOption = false; - - client.dropRoleIfExists(requestorUserName, roleName); - client.createRole(requestorUserName, roleName); - - client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); - assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); - - // Grant a privilege without 'Grant Option'. - client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); - assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); - - // Use 'grantOption = null', the two privileges will be revoked. - client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null); - assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + // Grant a privilege with 'Grant Option'. + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r1"; + boolean grantOption = true; + boolean withoutGrantOption = false; + + client.dropRoleIfExists(requestorUserName, roleName); + client.createRole(requestorUserName, roleName); + + client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); + assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + + // Grant a privilege without 'Grant Option'. + client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); + assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + + // Use 'grantOption = null', the two privileges will be revoked. + client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null); + assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + }}); } @Test public void testGranRevokePrivilegeOnColumnForRole() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - String roleName1 = "admin_r1"; - String roleName2 = "admin_r2"; - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - - client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); - - - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); - client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); - - Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size()); - - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size()); - - - client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6); - - client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5); - - client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2); - client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); - client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); - - client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); - client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); - client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); - client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); - listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); - assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); + + + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); + + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size()); + + + client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6); + + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5); + + client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2); + client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + }}); } public void testListByAuthDB() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName1 = "role1"; - String roleName2 = "role2"; - Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2); - String group1 = "group1"; - String group2 = "group2"; - Set<String> testGroupSet = Sets.newHashSet(group1, group2); - String server = "server1"; - String db = "testDB"; - String db2 = "testDB2"; - String tab = "testTab"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - String group1user = "group1user"; - setLocalGroupMapping(group1user, Sets.newHashSet(group1)); - String group2user = "group2user"; - setLocalGroupMapping(group2user, Sets.newHashSet(group2)); - setLocalGroupMapping("random", Sets.newHashSet("foo")); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - TSentryPrivilege role1db1 = client.grantDatabasePrivilege( - requestorUserName, roleName1, server, db, AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, - AccessConstants.ALL); - client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab, - AccessConstants.SELECT); - client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri"); - client.grantRoleToGroup(requestorUserName, group1, roleName1); - - TSentryPrivilege role2db1 = client.grantDatabasePrivilege( - requestorUserName, roleName2, server, db, - AccessConstants.ALL); - client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, - AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, - AccessConstants.ALL); - client.grantRoleToGroup(requestorUserName, group2, roleName2); - - // build expected output - TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( - new TreeMap<String, Set<TSentryPrivilege>>()); - db1RoleToPrivMap.getPrivilegeMap() - .put(roleName1, Sets.newHashSet(role1db1)); - db1RoleToPrivMap.getPrivilegeMap() - .put(roleName2, Sets.newHashSet(role2db1)); - Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps - .newTreeMap(); - List<? extends Authorizable> db1Authrizable = Lists.newArrayList( - new Server(server), new Database(db)); - expectedResults.put( - SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable), - db1RoleToPrivMap); - - Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); - authorizableSet.add(db1Authrizable); - - // verify for null group and null roleset - Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client - .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); - assertEquals(expectedResults, authPrivMap); - - // verify for null group and specific roleset - authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, - null, new ActiveRoleSet(testRoleSet)); - assertEquals(expectedResults, authPrivMap); - - // verify for null group and specific roleset - authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, - ActiveRoleSet.ALL); - assertEquals(expectedResults, authPrivMap); - - // verify for specific group and null roleset - authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, - testGroupSet, null); - assertEquals(expectedResults, authPrivMap); - - // verify for specific group and specific roleset - authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, - testGroupSet, new ActiveRoleSet(testRoleSet)); - assertEquals(expectedResults, authPrivMap); - - // verify for specific group and ALL roleset - authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, - testGroupSet, ActiveRoleSet.ALL); - assertEquals(expectedResults, authPrivMap); - - // verify users not belonging to any group are not shown anything - authPrivMap = client - .listPrivilegsbyAuthorizable("random", authorizableSet, - new HashSet<String>(), ActiveRoleSet.ALL); - expectedResults.clear(); - expectedResults.put( - SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable), - new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>())); - assertEquals(expectedResults, authPrivMap); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName1 = "role1"; + String roleName2 = "role2"; + Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2); + String group1 = "group1"; + String group2 = "group2"; + Set<String> testGroupSet = Sets.newHashSet(group1, group2); + String server = "server1"; + String db = "testDB"; + String db2 = "testDB2"; + String tab = "testTab"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + String group1user = "group1user"; + setLocalGroupMapping(group1user, Sets.newHashSet(group1)); + String group2user = "group2user"; + setLocalGroupMapping(group2user, Sets.newHashSet(group2)); + setLocalGroupMapping("random", Sets.newHashSet("foo")); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + TSentryPrivilege role1db1 = client.grantDatabasePrivilege( + requestorUserName, roleName1, server, db, AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, + AccessConstants.ALL); + client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab, + AccessConstants.SELECT); + client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri"); + client.grantRoleToGroup(requestorUserName, group1, roleName1); + + TSentryPrivilege role2db1 = client.grantDatabasePrivilege( + requestorUserName, roleName2, server, db, + AccessConstants.ALL); + client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, + AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, + AccessConstants.ALL); + client.grantRoleToGroup(requestorUserName, group2, roleName2); + + // build expected output + TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( + new TreeMap<String, Set<TSentryPrivilege>>()); + db1RoleToPrivMap.getPrivilegeMap() + .put(roleName1, Sets.newHashSet(role1db1)); + db1RoleToPrivMap.getPrivilegeMap() + .put(roleName2, Sets.newHashSet(role2db1)); + Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps + .newTreeMap(); + List<? extends Authorizable> db1Authrizable = Lists.newArrayList( + new Server(server), new Database(db)); + expectedResults.put( + SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable), + db1RoleToPrivMap); + + Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); + authorizableSet.add(db1Authrizable); + + // verify for null group and null roleset + Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client + .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); + assertEquals(expectedResults, authPrivMap); + + // verify for null group and specific roleset + authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, + null, new ActiveRoleSet(testRoleSet)); + assertEquals(expectedResults, authPrivMap); + + // verify for null group and specific roleset + authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, + ActiveRoleSet.ALL); + assertEquals(expectedResults, authPrivMap); + + // verify for specific group and null roleset + authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, + testGroupSet, null); + assertEquals(expectedResults, authPrivMap); + + // verify for specific group and specific roleset + authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, + testGroupSet, new ActiveRoleSet(testRoleSet)); + assertEquals(expectedResults, authPrivMap); + + // verify for specific group and ALL roleset + authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, + testGroupSet, ActiveRoleSet.ALL); + assertEquals(expectedResults, authPrivMap); + + // verify users not belonging to any group are not shown anything + authPrivMap = client + .listPrivilegsbyAuthorizable("random", authorizableSet, + new HashSet<String>(), ActiveRoleSet.ALL); + expectedResults.clear(); + expectedResults.put( + SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable), + new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>())); + assertEquals(expectedResults, authPrivMap); + }}); } @Test public void testListByAuthTab() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName1 = "role1"; - String roleName2 = "role2"; - String server = "server1"; - String db = "testDB"; - String db2 = "testDB2"; - String tab = "testTab"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - client.grantDatabasePrivilege( - requestorUserName, roleName1, server, db, AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, - AccessConstants.ALL); - TSentryPrivilege role1db2tab = client.grantTablePrivilege( - requestorUserName, roleName1, server, db2, tab, - AccessConstants.SELECT); - - client.grantDatabasePrivilege( - requestorUserName, roleName2, server, db, - AccessConstants.ALL); - client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, - AccessConstants.SELECT); - TSentryPrivilege role2db2tab = client.grantTablePrivilege( - requestorUserName, roleName2, server, db2, tab, - AccessConstants.ALL); - client.grantURIPrivilege(requestorUserName, roleName1, server, - "hdfs:///fooUri"); - - // build expected output - TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( - new TreeMap<String, Set<TSentryPrivilege>>()); - db1RoleToPrivMap.getPrivilegeMap() -.put(roleName1, - Sets.newHashSet(role1db2tab)); - db1RoleToPrivMap.getPrivilegeMap() -.put(roleName2, - Sets.newHashSet(role2db2tab)); - Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps - .newTreeMap(); - List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList( - new Server(server), new Database(db2), new Table(tab)); - expectedResults.put( - SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable), - db1RoleToPrivMap); - - Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); - authorizableSet.add(db2TabAuthrizable); - Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client - .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); - - assertEquals(expectedResults, authPrivMap); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName1 = "role1"; + String roleName2 = "role2"; + String server = "server1"; + String db = "testDB"; + String db2 = "testDB2"; + String tab = "testTab"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantDatabasePrivilege( + requestorUserName, roleName1, server, db, AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, + AccessConstants.ALL); + TSentryPrivilege role1db2tab = client.grantTablePrivilege( + requestorUserName, roleName1, server, db2, tab, + AccessConstants.SELECT); + + client.grantDatabasePrivilege( + requestorUserName, roleName2, server, db, + AccessConstants.ALL); + client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, + AccessConstants.SELECT); + TSentryPrivilege role2db2tab = client.grantTablePrivilege( + requestorUserName, roleName2, server, db2, tab, + AccessConstants.ALL); + client.grantURIPrivilege(requestorUserName, roleName1, server, + "hdfs:///fooUri"); + + // build expected output + TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( + new TreeMap<String, Set<TSentryPrivilege>>()); + db1RoleToPrivMap.getPrivilegeMap() + .put(roleName1, + Sets.newHashSet(role1db2tab)); + db1RoleToPrivMap.getPrivilegeMap() + .put(roleName2, + Sets.newHashSet(role2db2tab)); + Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps + .newTreeMap(); + List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList( + new Server(server), new Database(db2), new Table(tab)); + expectedResults.put( + SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable), + db1RoleToPrivMap); + + Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); + authorizableSet.add(db2TabAuthrizable); + Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client + .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); + + assertEquals(expectedResults, authPrivMap); + }}); } @Test public void testListByAuthUri() throws Exception { - String requestorUserName = ADMIN_USER; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - String roleName1 = "role1"; - String roleName2 = "role2"; - String server = "server1"; - String db = "testDB"; - String db2 = "testDB2"; - String tab = "testTab"; - String uri1 = "hdfs:///fooUri"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - client.grantDatabasePrivilege(requestorUserName, roleName1, server, db, - AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, - AccessConstants.ALL); - client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab, - AccessConstants.SELECT); - TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName, - roleName1, server, uri1); - - client.grantDatabasePrivilege(requestorUserName, roleName2, server, db, - AccessConstants.ALL); - client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, - AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, - AccessConstants.ALL); - TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName, - roleName2, server, uri1); - - // build expected output - TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( - new TreeMap<String, Set<TSentryPrivilege>>()); - db1RoleToPrivMap.getPrivilegeMap().put(roleName1, - Sets.newHashSet(role1uri1)); - db1RoleToPrivMap.getPrivilegeMap().put(roleName2, - Sets.newHashSet(role2uri2)); - Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps - .newTreeMap(); - List<? extends Authorizable> uri1Authrizable = Lists.newArrayList( - new Server(server), new AccessURI(uri1)); - expectedResults.put( - SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable), - db1RoleToPrivMap); - - Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); - authorizableSet.add(uri1Authrizable); - Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client - .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); - - assertEquals(expectedResults, authPrivMap); + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName1 = "role1"; + String roleName2 = "role2"; + String server = "server1"; + String db = "testDB"; + String db2 = "testDB2"; + String tab = "testTab"; + String uri1 = "hdfs:///fooUri"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantDatabasePrivilege(requestorUserName, roleName1, server, db, + AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, + AccessConstants.ALL); + client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab, + AccessConstants.SELECT); + TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName, + roleName1, server, uri1); + + client.grantDatabasePrivilege(requestorUserName, roleName2, server, db, + AccessConstants.ALL); + client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, + AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, + AccessConstants.ALL); + TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName, + roleName2, server, uri1); + + // build expected output + TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( + new TreeMap<String, Set<TSentryPrivilege>>()); + db1RoleToPrivMap.getPrivilegeMap().put(roleName1, + Sets.newHashSet(role1uri1)); + db1RoleToPrivMap.getPrivilegeMap().put(roleName2, + Sets.newHashSet(role2uri2)); + Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps + .newTreeMap(); + List<? extends Authorizable> uri1Authrizable = Lists.newArrayList( + new Server(server), new AccessURI(uri1)); + expectedResults.put( + SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable), + db1RoleToPrivMap); + + Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); + authorizableSet.add(uri1Authrizable); + Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client + .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); + + assertEquals(expectedResults, authPrivMap); + }}); } /** @@ -601,105 +651,109 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { */ @Test public void testListByAuthTabForNonAdmin() throws Exception { - String requestorUserName = ADMIN_USER; - String user1 = "user1"; - String group1 = "group1"; - String group2 = "group2"; - Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); - Set<String> userGroupNames1 = Sets.newHashSet(group1); - Set<String> userGroupNames2 = Sets.newHashSet(group2); - String roleName1 = "role1"; - String roleName2 = "role2"; - String server = "server1"; - String db = "testDB"; - String db2 = "testDB2"; - String tab = "testTab"; - setLocalGroupMapping(requestorUserName, requestorUserGroupNames); - setLocalGroupMapping(user1, userGroupNames1); - writePolicyFile(); - - client.dropRoleIfExists(requestorUserName, roleName1); - client.createRole(requestorUserName, roleName1); - client.dropRoleIfExists(requestorUserName, roleName2); - client.createRole(requestorUserName, roleName2); - - client.grantDatabasePrivilege(requestorUserName, roleName1, server, db, - AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, - AccessConstants.ALL); - TSentryPrivilege role1db2tab = client.grantTablePrivilege( - requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT); - client.grantRoleToGroup(requestorUserName, group1, roleName1); - - client.grantDatabasePrivilege(requestorUserName, roleName2, server, db, - AccessConstants.ALL); - client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, - AccessConstants.SELECT); - client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, - AccessConstants.ALL); - client.grantURIPrivilege(requestorUserName, roleName1, server, - "hdfs:///fooUri"); - - // build expected output. user1 should see privileges on tab1 from role1 - TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( - new TreeMap<String, Set<TSentryPrivilege>>()); - db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab)); - Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap(); - List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList( - new Server(server), new Database(db2), new Table(tab)); - expectedResults.put( - SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable), - db1RoleToPrivMap); - - Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); - authorizableSet.add(db2TabAuthorizable); - - // list privileges with null group and roles - Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client - .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null); - assertEquals(expectedResults, authPrivMap); - - // list privileges with empty group set and null roles - authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, - new HashSet<String>(), null); - assertEquals(expectedResults, authPrivMap); - - // list privileges with null group set and ALL roleset - authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, - null, new ActiveRoleSet(true)); - assertEquals(expectedResults, authPrivMap); - - // list privileges with user1's group set and null roles - authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, - userGroupNames1, null); - assertEquals(expectedResults, authPrivMap); - - // list privileges with user1's group set and ALL roles - authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, - userGroupNames1, new ActiveRoleSet(true)); - assertEquals(expectedResults, authPrivMap); - - // list privileges with null group and user's specific roles with uppercase name - authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, - null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase()))); - assertEquals(expectedResults, authPrivMap); - - // verify that user1 can't query group2 - try { - client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null); - fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2); - } catch (SentryAccessDeniedException e) { - // expected - } - - // verify that user1 can't query role2 - ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2)); - try { - client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2); - fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2); - } catch (SentryAccessDeniedException e) { - // expected - } + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + String user1 = "user1"; + String group1 = "group1"; + String group2 = "group2"; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + Set<String> userGroupNames1 = Sets.newHashSet(group1); + Set<String> userGroupNames2 = Sets.newHashSet(group2); + String roleName1 = "role1"; + String roleName2 = "role2"; + String server = "server1"; + String db = "testDB"; + String db2 = "testDB2"; + String tab = "testTab"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + setLocalGroupMapping(user1, userGroupNames1); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantDatabasePrivilege(requestorUserName, roleName1, server, db, + AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, + AccessConstants.ALL); + TSentryPrivilege role1db2tab = client.grantTablePrivilege( + requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT); + client.grantRoleToGroup(requestorUserName, group1, roleName1); + + client.grantDatabasePrivilege(requestorUserName, roleName2, server, db, + AccessConstants.ALL); + client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, + AccessConstants.SELECT); + client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, + AccessConstants.ALL); + client.grantURIPrivilege(requestorUserName, roleName1, server, + "hdfs:///fooUri"); + + // build expected output. user1 should see privileges on tab1 from role1 + TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap( + new TreeMap<String, Set<TSentryPrivilege>>()); + db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab)); + Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap(); + List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList( + new Server(server), new Database(db2), new Table(tab)); + expectedResults.put( + SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable), + db1RoleToPrivMap); + + Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet(); + authorizableSet.add(db2TabAuthorizable); + + // list privileges with null group and roles + Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client + .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null); + assertEquals(expectedResults, authPrivMap); + + // list privileges with empty group set and null roles + authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, + new HashSet<String>(), null); + assertEquals(expectedResults, authPrivMap); + + // list privileges with null group set and ALL roleset + authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, + null, new ActiveRoleSet(true)); + assertEquals(expectedResults, authPrivMap); + + // list privileges with user1's group set and null roles + authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, + userGroupNames1, null); + assertEquals(expectedResults, authPrivMap); + + // list privileges with user1's group set and ALL roles + authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, + userGroupNames1, new ActiveRoleSet(true)); + assertEquals(expectedResults, authPrivMap); + + // list privileges with null group and user's specific roles with uppercase name + authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, + null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase()))); + assertEquals(expectedResults, authPrivMap); + + // verify that user1 can't query group2 + try { + client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null); + fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2); + } catch (SentryAccessDeniedException e) { + // expected + } + + // verify that user1 can't query role2 + ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2)); + try { + client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2); + fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2); + } catch (SentryAccessDeniedException e) { + // expected + } + }}); } /** @@ -708,58 +762,66 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { * @param defaultVal A default to pass to getConfigValue * @throws Exception */ - private void checkBannedConfigVal(String configVal, String defaultVal) + private void checkBannedConfigVal(final String configVal, final String defaultVal) throws Exception { - try { - client.getConfigValue(configVal, defaultVal); - fail("Attempt to access " + configVal + " succeeded"); - } catch (SentryAccessDeniedException e) { - assertTrue(e.toString().contains("was denied")); - assertTrue(e.toString().contains(configVal)); - } + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + try { + client.getConfigValue(configVal, defaultVal); + fail("Attempt to access " + configVal + " succeeded"); + } catch (SentryAccessDeniedException e) { + assertTrue(e.toString().contains("was denied")); + assertTrue(e.toString().contains(configVal)); + } + }}); } @Test public void testGetConfigVal() throws Exception { - String val; - - // Basic success case - val = client.getConfigValue("sentry.service.admin.group", "xxx"); - assertEquals(val, "admin_group"); - - // Undefined value gets the default back - val = client.getConfigValue("sentry.this.is.not.defined", "hello"); - assertEquals(val, "hello"); - - // Undefined value and null default gets null back - val = client.getConfigValue("sentry.this.is.not.defined", null); - assertEquals(val, null); - - // Known config value with null default works as expected - val = client.getConfigValue("sentry.service.admin.group", null); - assertEquals(val, "admin_group"); - - // Value that is forbidden (anything not starting with "sentry") dies - checkBannedConfigVal("notsentry", "xxx"); - - // Ditto with a null default - checkBannedConfigVal("notsentry", null); - - // Values with .jdbc. are forbidden - checkBannedConfigVal("sentry.xxx.jdbc.xxx", null); - - // Values with password are forbidden - checkBannedConfigVal("sentry.xxx.password", null); - - // Attempt to get the location of the keytab also fails - checkBannedConfigVal("sentry.service.server.keytab", null); - - // null parameter name fails - try { - val = client.getConfigValue(null, null); - fail("null parameter succeeded"); - } catch (SentryUserException e) { - // expected - } + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String val; + + // Basic success case + val = client.getConfigValue("sentry.service.admin.group", "xxx"); + assertEquals(val, "admin_group"); + + // Undefined value gets the default back + val = client.getConfigValue("sentry.this.is.not.defined", "hello"); + assertEquals(val, "hello"); + + // Undefined value and null default gets null back + val = client.getConfigValue("sentry.this.is.not.defined", null); + assertEquals(val, null); + + // Known config value with null default works as expected + val = client.getConfigValue("sentry.service.admin.group", null); + assertEquals(val, "admin_group"); + + // Value that is forbidden (anything not starting with "sentry") dies + checkBannedConfigVal("notsentry", "xxx"); + + // Ditto with a null default + checkBannedConfigVal("notsentry", null); + + // Values with .jdbc. are forbidden + checkBannedConfigVal("sentry.xxx.jdbc.xxx", null); + + // Values with password are forbidden + checkBannedConfigVal("sentry.xxx.password", null); + + // Attempt to get the location of the keytab also fails + checkBannedConfigVal("sentry.service.server.keytab", null); + + // null parameter name fails + try { + val = client.getConfigValue(null, null); + fail("null parameter succeeded"); + } catch (SentryUserException e) { + // expected + } + }}); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/78b61c9a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index be14afd..0bdc3a2 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java @@ -277,4 +277,21 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase } + protected void runTestAsSubject(final TestOperation test) throws Exception { + if (this.kerberos) { + Subject.doAs(clientSubject, new PrivilegedExceptionAction<Void>() { + @Override + public Void run() throws Exception { + test.runTestAsSubject(); + return null; + }}); + } else { + test.runTestAsSubject(); + } + } + + protected interface TestOperation { + public void runTestAsSubject() throws Exception; + } + }
