SENTRY-827: Server scope always grants ALL (Ryan P via Lenni Kuff)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1e26d56e Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1e26d56e Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1e26d56e Branch: refs/heads/hive_plugin_v2 Commit: 1e26d56ef36af04dc1b58d549dea95141be243a2 Parents: 7613ede Author: Lenni Kuff <lsk...@cloudera.com> Authored: Wed Aug 5 00:52:35 2015 -0700 Committer: Lenni Kuff <lsk...@cloudera.com> Committed: Wed Aug 5 00:52:35 2015 -0700 ---------------------------------------------------------------------- .../hive/ql/exec/SentryGrantRevokeTask.java | 3 +- .../thrift/SentryPolicyServiceClient.java | 6 +- .../SentryPolicyServiceClientDefaultImpl.java | 8 +- .../e2e/dbprovider/TestDatabaseProvider.java | 93 ++++++++++++++++++-- 4 files changed, 95 insertions(+), 15 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 2a60a23..13c2c58 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -590,7 +590,8 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 }
 } else {
 if (serverName != null) {
- sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName, grantOption);
+ sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName,
+ toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
 } else if (uriPath != null) {
 sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath, grantOption);
 } else if (tableName == null) {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 9c2d384..3c2c7c6 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
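Review bot: The new two-line call passes the parsed action, but nothing at the call site records that this changes revoke semantics: before this commit any `REVOKE <priv> ON SERVER` went through a client overload that hard-coded ALL, now only the named action is revoked. A one-line comment above the call, `// SENTRY-827: revoke only the requested action; server scope used to imply ALL`, would save the next reader a trip to the JIRA. The enclosing method starts and ends outside the hunk, so I cannot see whether the non-grant-option `revokeServerPrivilege` overload, whose signature also changed in SentryPolicyServiceClient, is still called elsewhere in this task and updated.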
@@ -107,11 +107,11 @@ public interface SentryPolicyServiceClient {
 public void revokeURIPrivilege(String requestorUserName, String roleName, String server,
 String uri, Boolean grantOption) throws SentryUserException;
 
- public void revokeServerPrivilege(String requestorUserName, String roleName, String server)
- throws SentryUserException;
+ public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ String action) throws SentryUserException;
 
 public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
- Boolean grantOption) throws SentryUserException;
+ String action, Boolean grantOption) throws SentryUserException;
 
 public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
 String db, String action) throws SentryUserException;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index 09b3d99..4afe1b4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
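Review bot: The added `action` parameter on both `revokeServerPrivilege` overloads is undocumented, and because the old three- and four-argument signatures are removed rather than deprecated, every external caller of this public client interface breaks at compile time without a hint about what to pass. A short Javadoc on the first overload describing `action` as one of the Sentry action strings (the `AccessConstants` values such as `ALL`) and noting that, unlike the removed signature, only that action is revoked would make the change self-explaining; the second overload can point to it. If source compatibility matters for the release, a `@Deprecated` three-argument overload implemented in SentryPolicyServiceClientDefaultImpl that delegates with `AccessConstants.ALL` preserves the previous behavior for old callers.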
@@ -484,17 +484,17 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
 }
 
 public void revokeServerPrivilege(String requestorUserName,
- String roleName, String server)
+ String roleName, String server, String action)
 throws SentryUserException {
 revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL);
+ PrivilegeScope.SERVER, server, null, null, null, null, action);
 }
 
 public void revokeServerPrivilege(String requestorUserName,
- String roleName, String server, Boolean grantOption)
+ String roleName, String server, String action, Boolean grantOption)
 throws SentryUserException {
 revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
+ PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
 }
 
 public void revokeDatabasePrivilege(String requestorUserName,
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index f9e8f80..7df32fb 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
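Review bot: `action` is forwarded to `revokePrivilege` unchecked in both overloads, whereas the replaced code could never pass a null in that position; if `revokePrivilege` does not validate it (its body is outside the hunk), a null from a caller would surface as a thrift or server-side failure rather than a clear client error. A guard at the top of each method, `Preconditions.checkNotNull(action, "action");` or `Objects.requireNonNull(action, "action");` depending on which this file already imports, keeps the failure local and the message useful. It is also worth confirming that a null or empty action is treated the same way as in the database and table overloads, which already take `action`, so server scope does not become the one path with different validation.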
@@ -83,12 +83,6 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { } } - @Ignore - @Test - public void beelineTest() throws Exception{ - while(true) {} - } - @Test public void testBasic() throws Exception { Connection connection = context.createConnection(ADMIN1); @@ -319,7 +313,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE user_role"); assertResultSize(resultSet, 2); statement.close(); - connection.close();; + connection.close(); // Revoke on Server connection = context.createConnection(ADMIN1); 
@@ -2069,4 +2063,89 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { connection.close(); } + /* SENTRY-827 */ + @Test + public void serverActions() throws Exception { + String[] dbs = {DB1, DB2}; + String tbl = TBL1; + + //To test Insert + File dataDir = context.getDataDir(); + File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); + FileOutputStream to = new FileOutputStream(dataFile); + Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); + to.close(); + + //setup roles and group mapping + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + + statement.execute("CREATE ROLE server_all"); + statement.execute("CREATE ROLE server_select"); + statement.execute("CREATE ROLE server_insert"); + + statement.execute("GRANT ALL ON SERVER server1 to ROLE server_all"); + statement.execute("GRANT SELECT ON SERVER server1 to ROLE server_select"); + statement.execute("GRANT INSERT ON SERVER server1 to ROLE server_insert"); + statement.execute("GRANT ALL ON URI 'file://" + dataFile.getPath() + "' TO ROLE server_select"); + statement.execute("GRANT ALL ON URI 'file://" + dataFile.getPath() + "' TO ROLE server_insert"); + + statement.execute("GRANT ROLE server_all to GROUP " + ADMINGROUP); + statement.execute("GRANT ROLE server_select to GROUP " + USERGROUP1); + statement.execute("GRANT ROLE server_insert to GROUP " + USERGROUP2); + + for (String db : dbs) { + statement.execute("CREATE DATABASE IF NOT EXISTS " + db); + statement.execute("CREATE TABLE IF NOT EXISTS " + db + "." + tbl + "(a String)"); + } + statement.close(); + connection.close(); + + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + //Test SELECT, ensure INSERT fails + for (String db : dbs) { + statement.execute("SELECT * FROM " + db + "." 
+ tbl); + try{ + statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + + "' INTO TABLE " + db + "." + tbl); + assertTrue("INSERT should not be capable here:",true); + }catch(SQLException e){} + } + statement.close(); + connection.close(); + + connection = context.createConnection(USER2_1); + statement = context.createStatement(connection); + //Test INSERT, ensure SELECT fails + for (String db : dbs){ + statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + + "' INTO TABLE " + db + "." + tbl); + try{ + statement.execute("SELECT * FROM " + db + "." + tbl); + }catch(SQLException e){} + } + + statement.close(); + connection.close(); + + //Enusre revoke worked + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); + statement.execute("REVOKE SELECT ON SERVER server1 from ROLE server_select"); + + statement.close(); + connection.close(); + + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + + try { + statement.execute("SELECT * FROM " + dbs[0] + "." + tbl); + assertTrue("Revoke Select on server Failed", false); + } catch (SQLException e) {} + + statement.close(); + connection.close(); + } }
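Review bot: The negative checks in `serverActions` cannot fail: in the USER1_1 loop `assertTrue("INSERT should not be capable here:",true)` is a tautology placed after the LOAD, so a LOAD that succeeds (the pre-fix behavior) passes silently, and in the USER2_1 loop a SELECT that succeeds is not asserted on at all. Both should mirror the final block, e.g. `assertTrue("INSERT should not be capable here:", false);` after the LOAD and `assertTrue("SELECT should not be capable here", false);` after the SELECT, so the test actually demonstrates SENTRY-827 instead of passing against the unfixed code. The empty `catch(SQLException e){}` blocks also accept any SQL failure, including a missing table or a syntax error, as a pass; asserting that the caught exception is an authorization error would tighten it. Minor: `//Enusre revoke worked` should read `//Ensure revoke worked`, and the `FileOutputStream to` is only closed on the happy path, so try-with-resources would be safer.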