SENTRY-1127: Move test cases from sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0c006517 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0c006517 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0c006517 Branch: refs/heads/SENTRY-999 Commit: 0c0065174528fd5783e85e156637dbcc175088e6 Parents: fbb9060 Author: Colin Ma <co...@apache.org> Authored: Tue Mar 15 15:16:10 2016 +0800 Committer: Colin Ma <co...@apache.org> Committed: Tue Mar 15 15:16:10 2016 +0800 ---------------------------------------------------------------------- sentry-binding/sentry-binding-hive/pom.xml | 5 + .../hive/AbstractTestSimplePolicyEngine.java | 156 ++++++++++++ .../sentry/policy/hive/DBPolicyTestUtil.java | 45 ++++ .../policy/hive/TestDBModelAuthorizables.java | 76 ++++++ .../policy/hive/TestDatabaseRequiredInRole.java | 50 ++++ .../policy/hive/TestPolicyParsingNegative.java | 194 +++++++++++++++ ...sourceAuthorizationProviderGeneralCases.java | 195 +++++++++++++++ ...sourceAuthorizationProviderSpecialCases.java | 123 ++++++++++ .../hive/TestSimpleDBPolicyEngineDFS.java | 115 +++++++++ .../hive/TestSimpleDBPolicyEngineLocalFS.java | 44 ++++ ...e-policy-test-authz-provider-other-group.ini | 22 ++ .../hive-policy-test-authz-provider.ini | 32 +++ .../solr/AbstractTestSearchPolicyEngine.java | 129 ++++++++++ .../policy/solr/SearchPolicyTestUtil.java | 45 ++++ .../solr/TestCollectionRequiredInRole.java | 64 +++++ ...SearchAuthorizationProviderGeneralCases.java | 192 +++++++++++++++ ...SearchAuthorizationProviderSpecialCases.java | 83 +++++++ .../solr/TestSearchModelAuthorizables.java | 54 +++++ .../policy/solr/TestSearchPolicyEngineDFS.java | 74 ++++++ .../solr/TestSearchPolicyEngineLocalFS.java | 43 ++++ .../policy/solr/TestSearchPolicyNegative.java | 101 ++++++++ .../solr-policy-test-authz-provider.ini | 31 +++ sentry-binding/sentry-binding-sqoop/pom.xml | 13 +- .../sqoop/AbstractTestSqoopPolicyEngine.java | 145 +++++++++++ .../policy/sqoop/SqoopPolicyTestUtil.java | 44 ++++ .../sqoop/TestServerNameRequiredMatch.java | 57 +++++ ...tSqoopAuthorizationProviderGeneralCases.java | 238 +++++++++++++++++++ ...tSqoopAuthorizationProviderSpecialCases.java | 88 +++++++ .../sqoop/TestSqoopModelAuthorizables.java | 54 +++++ .../policy/sqoop/TestSqoopPolicyEngineDFS.java | 75 ++++++ .../sqoop/TestSqoopPolicyEngineLocalFS.java | 45 ++++ .../policy/sqoop/TestSqoopPolicyNegative.java | 121 ++++++++++ .../sqoop-policy-test-authz-provider.ini | 40 ++++ .../db/AbstractTestSimplePolicyEngine.java | 156 ------------ .../sentry/policy/db/DBPolicyTestUtil.java | 44 ---- .../policy/db/TestDBModelAuthorizables.java | 76 ------ .../policy/db/TestDatabaseRequiredInRole.java | 50 ---- .../policy/db/TestPolicyParsingNegative.java | 194 --------------- ...sourceAuthorizationProviderGeneralCases.java | 180 -------------- ...sourceAuthorizationProviderSpecialCases.java | 123 ---------- .../policy/db/TestSimpleDBPolicyEngineDFS.java | 115 --------- .../db/TestSimpleDBPolicyEngineLocalFS.java | 44 ---- .../test-authz-provider-other-group.ini | 22 -- .../src/test/resources/test-authz-provider.ini | 32 --- .../search/AbstractTestSearchPolicyEngine.java | 129 ---------- .../policy/search/SearchPolicyTestUtil.java | 44 ---- .../search/TestCollectionRequiredInRole.java | 64 ----- ...SearchAuthorizationProviderGeneralCases.java | 178 -------------- ...SearchAuthorizationProviderSpecialCases.java | 83 ------- .../search/TestSearchModelAuthorizables.java | 54 ----- .../search/TestSearchPolicyEngineDFS.java | 74 ------ .../search/TestSearchPolicyEngineLocalFS.java | 43 ---- .../policy/search/TestSearchPolicyNegative.java | 101 -------- .../src/test/resources/test-authz-provider.ini | 31 --- .../sqoop/AbstractTestSqoopPolicyEngine.java | 145 ----------- .../sqoop/MockGroupMappingServiceProvider.java | 39 --- .../policy/sqoop/SqoopPolicyTestUtil.java | 44 ---- .../sqoop/TestServerNameRequiredMatch.java | 57 ----- ...tSqoopAuthorizationProviderGeneralCases.java | 224 ----------------- ...tSqoopAuthorizationProviderSpecialCases.java | 88 ------- .../sqoop/TestSqoopModelAuthorizables.java | 54 ----- .../policy/sqoop/TestSqoopPolicyEngineDFS.java | 75 ------ .../sqoop/TestSqoopPolicyEngineLocalFS.java | 45 ---- .../policy/sqoop/TestSqoopPolicyNegative.java | 121 ---------- .../src/test/resources/test-authz-provider.ini | 40 ---- 65 files changed, 2789 insertions(+), 2773 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml index fb5f214..4a25670 100644 --- a/sentry-binding/sentry-binding-hive/pom.xml +++ b/sentry-binding/sentry-binding-hive/pom.xml @@ -97,6 +97,11 @@ limitations under the License. <artifactId>mockito-all</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-minicluster</artifactId> + <scope>test</scope> + </dependency> </dependencies> </project> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java new file mode 100644 index 0000000..019a5ab --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/AbstractTestSimplePolicyEngine.java @@ -0,0 +1,156 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import java.io.File; +import java.io.IOException; +import java.util.Set; +import java.util.TreeSet; + +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.policy.common.PolicyEngine; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public abstract class AbstractTestSimplePolicyEngine { + private static final String PERM_SERVER1_CUSTOMERS_SELECT = "server=server1->db=customers->table=purchases->action=select"; + private static final String PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT = "server=server1->db=customers->table=purchases_partial->action=select"; + private static final String PERM_SERVER1_ANALYST_ALL = "server=server1->db=analyst1"; + private static final String PERM_SERVER1_JUNIOR_ANALYST_ALL = "server=server1->db=jranalyst1"; + private static final String PERM_SERVER1_JUNIOR_ANALYST_READ = "server=server1->db=jranalyst1->table=*->action=select"; + private static final String PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT = "server=server1->db=other_group_db->table=purchases->action=select"; + + private static final String PERM_SERVER1_ADMIN = "server=server1"; + private PolicyEngine policy; + private static File baseDir; + + @BeforeClass + public static void setupClazz() throws IOException { + baseDir = Files.createTempDir(); + } + + @AfterClass + public static void teardownClazz() throws IOException { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + protected void setPolicy(PolicyEngine policy) { + this.policy = policy; + } + protected static File getBaseDir() { + return baseDir; + } + @Before + public void setup() throws IOException { + afterSetup(); + } + @After + public void teardown() throws IOException { + beforeTeardown(); + } + protected void afterSetup() throws IOException { + + } + + protected void beforeTeardown() throws IOException { + + } + + @Test + public void testManager() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL, + PERM_SERVER1_JUNIOR_ANALYST_ALL, PERM_SERVER1_JUNIOR_ANALYST_READ, + PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT + )); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testAnalyst() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL, + PERM_SERVER1_JUNIOR_ANALYST_READ)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testJuniorAnalyst() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets + .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL, + PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testAdmin() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL)) + .toString()); + } + + + @Test + public void testOtherGroup() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testDbAll() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets + .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL, + PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testDbAllforOtherGroup() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL)) + .toString()); + } + + private static Set<String> set(String... values) { + return Sets.newHashSet(values); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java new file mode 100644 index 0000000..c390b66 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/DBPolicyTestUtil.java @@ -0,0 +1,45 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.model.db.HivePrivilegeModel; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.db.SimpleDBPolicyEngine; +import org.apache.sentry.provider.common.ProviderBackend; +import org.apache.sentry.provider.common.ProviderBackendContext; +import org.apache.sentry.provider.file.SimpleFileProviderBackend; + +import java.io.IOException; + +public class DBPolicyTestUtil { + + public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException { + + ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource); + + // create backendContext + ProviderBackendContext context = new ProviderBackendContext(); + context.setAllowPerDatabase(true); + context.setValidators(HivePrivilegeModel.getInstance().getPrivilegeValidators(server)); + // initialize the backend with the context + providerBackend.initialize(context); + + + return new SimpleDBPolicyEngine(providerBackend); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java new file mode 100644 index 0000000..03b6be3 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDBModelAuthorizables.java @@ -0,0 +1,76 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.sentry.policy.hive; +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertNull; + +import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.DBModelAuthorizables; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.core.model.db.View; +import org.junit.Test; + +public class TestDBModelAuthorizables { + + @Test + public void testServer() throws Exception { + Server server = (Server) DBModelAuthorizables.from("SeRvEr=server1"); + assertEquals("server1", server.getName()); + } + @Test + public void testDb() throws Exception { + Database db = (Database)DBModelAuthorizables.from("dB=db1"); + assertEquals("db1", db.getName()); + } + @Test + public void testTable() throws Exception { + Table table = (Table)DBModelAuthorizables.from("tAbLe=t1"); + assertEquals("t1", table.getName()); + } + @Test + public void testView() throws Exception { + View view = (View)DBModelAuthorizables.from("vIeW=v1"); + assertEquals("v1", view.getName()); + } + @Test + public void testURI() throws Exception { + AccessURI uri = (AccessURI)DBModelAuthorizables.from("UrI=hdfs://uri1:8200/blah"); + assertEquals("hdfs://uri1:8200/blah", uri.getName()); + } + + @Test(expected=IllegalArgumentException.class) + public void testNoKV() throws Exception { + System.out.println(DBModelAuthorizables.from("nonsense")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(DBModelAuthorizables.from("=v")); + } + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(DBModelAuthorizables.from("k=")); + } + @Test + public void testNotAuthorizable() throws Exception { + assertNull(DBModelAuthorizables.from("k=v")); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java new file mode 100644 index 0000000..9c361e3 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestDatabaseRequiredInRole.java @@ -0,0 +1,50 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.sentry.policy.hive; + +import junit.framework.Assert; + +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.sentry.core.model.db.validator.DatabaseRequiredInPrivilege; +import org.apache.shiro.config.ConfigurationException; +import org.junit.Test; + +public class TestDatabaseRequiredInRole { + + @Test + public void testURIInPerDbPolicyFile() throws Exception { + DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege(); + System.setProperty("sentry.allow.uri.db.policyfile", "true"); + dbRequiredInRole.validate(new PrivilegeValidatorContext("db1", + "server=server1->URI=file:///user/db/warehouse/tab1")); + System.setProperty("sentry.allow.uri.db.policyfile", "false"); + } + + @Test + public void testURIWithDBInPerDbPolicyFile() throws Exception { + DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege(); + try { + dbRequiredInRole.validate(new PrivilegeValidatorContext("db1", + "server=server1->db=db1->URI=file:///user/db/warehouse/tab1")); + Assert.fail("Expected ConfigurationException"); + } catch (ConfigurationException e) { + ; + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java new file mode 100644 index 0000000..80d284b --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java @@ -0,0 +1,194 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import java.io.File; +import java.io.IOException; + +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.provider.file.PolicyFile; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.base.Charsets; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public class TestPolicyParsingNegative { + + @SuppressWarnings("unused") + private static final Logger LOGGER = LoggerFactory + .getLogger(TestPolicyParsingNegative.class); + + private File baseDir; + private File globalPolicyFile; + private File otherPolicyFile; + + @Before + public void setup() { + baseDir = Files.createTempDir(); + globalPolicyFile = new File(baseDir, "global.ini"); + otherPolicyFile = new File(baseDir, "other.ini"); + } + + @After + public void teardown() { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + private void append(String from, File to) throws IOException { + Files.append(from + "\n", to, Charsets.UTF_8); + } + + @Test + public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception { + append("[databases]", globalPolicyFile); + append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile); + append("[groups]", otherPolicyFile); + append("other_group = malicious_role", otherPolicyFile); + append("[roles]", otherPolicyFile); + append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL); + Assert.assertTrue(permissions.toString(), permissions.isEmpty()); + } + @Test + public void testPerDbFileCannotContainUsersOrDatabases() throws Exception { + PolicyEngine policy; + ImmutableSet<String> permissions; + PolicyFile policyFile; + // test sanity + policyFile = PolicyFile.setAdminOnServer1("admin"); + policyFile.addGroupsToUser("admin1", "admin"); + policyFile.write(globalPolicyFile); + policyFile.write(otherPolicyFile); + policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL); + Assert.assertEquals(permissions.toString(), "[server=server1]"); + // test to ensure [users] fails parsing of per-db file + policyFile.addDatabase("other", otherPolicyFile.getPath()); + policyFile.write(globalPolicyFile); + policyFile.write(otherPolicyFile); + policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL); + Assert.assertEquals(permissions.toString(), "[server=server1]"); + // test to ensure [databases] fails parsing of per-db file + // by removing the user mapping from the per-db policy file + policyFile.removeGroupsFromUser("admin1", "admin") + .write(otherPolicyFile); + policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL); + Assert.assertEquals(permissions.toString(), "[server=server1]"); + } + + @Test + public void testDatabaseRequiredInRole() throws Exception { + append("[databases]", globalPolicyFile); + append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile); + append("[groups]", otherPolicyFile); + append("other_group = malicious_role", otherPolicyFile); + append("[roles]", otherPolicyFile); + append("malicious_role = server=server1", otherPolicyFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL); + Assert.assertTrue(permissions.toString(), permissions.isEmpty()); + } + + @Test + public void testServerAll() throws Exception { + append("[groups]", globalPolicyFile); + append("group = malicious_role", globalPolicyFile); + append("[roles]", globalPolicyFile); + append("malicious_role = server=*", globalPolicyFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL); + Assert.assertTrue(permissions.toString(), permissions.isEmpty()); + } + + @Test + public void testServerIncorrect() throws Exception { + append("[groups]", globalPolicyFile); + append("group = malicious_role", globalPolicyFile); + append("[roles]", globalPolicyFile); + append("malicious_role = server=server2", globalPolicyFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL); + Assert.assertTrue(permissions.toString(), permissions.isEmpty()); + } + + @Test + public void testAll() throws Exception { + append("[groups]", globalPolicyFile); + append("group = malicious_role", globalPolicyFile); + append("[roles]", globalPolicyFile); + append("malicious_role = *", globalPolicyFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL); + Assert.assertTrue(permissions.toString(), permissions.isEmpty()); + } + + /** + * Create policy file with multiple per db files. + * Verify that a file with bad format is the only one that's ignored + * @throws Exception + */ + @Test + public void testMultiDbWithErrors() throws Exception { + File db1PolicyFile = new File(baseDir, "db1.ini"); + File db2PolicyFile = new File(baseDir, "db2.ini"); + + // global policy file + append("[databases]", globalPolicyFile); + append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile); + append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile); + append("[groups]", globalPolicyFile); + append("db3_group = db3_rule", globalPolicyFile); + append("[roles]", globalPolicyFile); + append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile); + + //db1 policy file with badly formatted rule + append("[groups]", db1PolicyFile); + append("db1_group = bad_rule", db1PolicyFile); + append("[roles]", db1PolicyFile); + append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile); + + //db2 policy file with proper rule + append("[groups]", db2PolicyFile); + append("db2_group = db2_rule", db2PolicyFile); + append("[roles]", db2PolicyFile); + append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile); + + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + + // verify that the db1 rule is empty + ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL); + Assert.assertTrue(permissions.toString(), permissions.isEmpty()); + + permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL); + Assert.assertEquals(permissions.toString(), 1, permissions.size()); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java new file mode 100644 index 0000000..05dc449 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java @@ -0,0 +1,195 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import java.io.File; +import java.io.IOException; +import java.util.Arrays; +import java.util.Collection; +import java.util.EnumSet; +import java.util.List; +import java.util.Set; + +import com.google.common.collect.Sets; +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.Action; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.DBModelAction; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.provider.common.GroupMappingService; +import org.apache.sentry.provider.common.ResourceAuthorizationProvider; +import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; +import org.apache.sentry.provider.file.PolicyFiles; +import org.junit.After; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.base.Objects; +import com.google.common.collect.HashMultimap; +import com.google.common.collect.Multimap; +import com.google.common.io.Files; + + +public class TestResourceAuthorizationProviderGeneralCases { + + private static final Logger LOGGER = LoggerFactory + .getLogger(TestResourceAuthorizationProviderGeneralCases.class); + + private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap + .create(); + + private static final Subject SUB_ADMIN = new Subject("admin1"); + private static final Subject SUB_MANAGER = new Subject("manager1"); + private static final Subject SUB_ANALYST = new Subject("analyst1"); + private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1"); + + private static final Server SVR_SERVER1 = new Server("server1"); + private static final Server SVR_ALL = new Server(AccessConstants.ALL); + + private static final Database DB_CUSTOMERS = new Database("customers"); + private static final Database DB_ANALYST = new Database("analyst1"); + private static final Database DB_JR_ANALYST = new Database("jranalyst1"); + + private static final Table TBL_PURCHASES = new Table("purchases"); + + private static final Set<? extends Action> ALL = EnumSet.of(DBModelAction.ALL); + private static final Set<? extends Action> SELECT = EnumSet.of(DBModelAction.SELECT); + private static final Set<? extends Action> INSERT = EnumSet.of(DBModelAction.INSERT); + + static { + USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin")); + USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager")); + USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst")); + USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(), + Arrays.asList("jranalyst")); + } + + private final ResourceAuthorizationProvider authzProvider; + private File baseDir; + + public TestResourceAuthorizationProviderGeneralCases() throws IOException { + baseDir = Files.createTempDir(); + PolicyFiles.copyToDir(baseDir, "hive-policy-test-authz-provider.ini", "hive-policy-test-authz-provider-other-group.ini"); + authzProvider = new HadoopGroupResourceAuthorizationProvider( + DBPolicyTestUtil.createPolicyEngineForTest("server1", + new File(baseDir, "hive-policy-test-authz-provider.ini").getPath()), + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + + } + + @After + public void teardown() { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + private void doTestAuthorizables( + Subject subject, Set<? extends Action> privileges, boolean expected, + Authorizable... authorizables) throws Exception { + List<Authorizable> authzHierarchy = Arrays.asList(authorizables); + Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); + helper.add("authorizables", authzHierarchy).add("Privileges", privileges); + LOGGER.info("Running with " + helper.toString()); + Assert.assertEquals(helper.toString(), expected, + authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); + LOGGER.info("Passed " + helper.toString()); + } + + private void doTestResourceAuthorizationProvider(Subject subject, + Server server, Database database, Table table, + Set<? extends Action> privileges, boolean expected) throws Exception { + List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] { + server, database, table + }); + Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); + helper.add("Subject", subject).add("Server", server).add("DB", database) + .add("Table", table).add("Privileges", privileges).add("authzHierarchy", authzHierarchy); + LOGGER.info("Running with " + helper.toString()); + Assert.assertEquals(helper.toString(), expected, + authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); + LOGGER.info("Passed " + helper.toString()); + } + + @Test + public void testAdmin() throws Exception { + doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, true); + doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); + doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, true); + doTestAuthorizables(SUB_ADMIN, SELECT, true, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES); + + } + @Test + public void testManager() throws Exception { + doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false); + doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); + doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false); + doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); + } + @Test + public void testAnalyst() throws Exception { + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true); + + // analyst sandbox + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, ALL, true); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, SELECT, true); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, INSERT, true); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_ANALYST, TBL_PURCHASES, SELECT, true); + + // jr analyst sandbox + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, false); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, false); + doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); + } + @Test + public void testJuniorAnalyst() throws Exception { + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false); + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false); + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false); + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false); + // jr analyst sandbox + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, true); + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, true); + doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true); + } + + public class MockGroupMappingServiceProvider implements GroupMappingService { + private final Multimap<String, String> userToGroupMap; + + public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) { + this.userToGroupMap = userToGroupMap; + } + + @Override + public Set<String> getGroups(String user) { + return Sets.newHashSet(userToGroupMap.get(user)); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java new file mode 100644 index 0000000..bf57bf2 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java @@ -0,0 +1,123 @@ + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import java.io.File; +import java.io.IOException; +import java.util.EnumSet; +import java.util.List; +import java.util.Set; + +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.Action; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.DBModelAction; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.provider.common.AuthorizationProvider; +import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; +import org.apache.sentry.provider.file.PolicyFile; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.ImmutableList; +import com.google.common.io.Files; + +public class TestResourceAuthorizationProviderSpecialCases { + private AuthorizationProvider authzProvider; + private PolicyFile policyFile; + private File baseDir; + private File iniFile; + private String initResource; + @Before + public void setup() throws IOException { + baseDir = Files.createTempDir(); + iniFile = new File(baseDir, "policy.ini"); + initResource = "file://" + iniFile.getPath(); + policyFile = new PolicyFile(); + } + + @After + public void teardown() throws IOException { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + @Test + public void testDuplicateEntries() throws Exception { + Subject user1 = new Subject("user1"); + Server server1 = new Server("server1"); + AccessURI uri = new AccessURI("file:///path/to/"); + Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT); + policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1") + .addRolesToGroup("group1", true, "role1", "role1") + .addPermissionsToRole("role1", true, "server=" + server1.getName() + "->uri=" + uri.getName(), + "server=" + server1.getName() + "->uri=" + uri.getName()); + policyFile.write(iniFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri); + Assert.assertTrue(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + } + @Test + public void testNonAbolutePath() throws Exception { + Subject user1 = new Subject("user1"); + Server server1 = new Server("server1"); + AccessURI uri = new AccessURI("file:///path/to/"); + Set<? extends Action> actions = EnumSet.of(DBModelAction.ALL, DBModelAction.SELECT, DBModelAction.INSERT); + policyFile.addGroupsToUser(user1.getName(), "group1") + .addRolesToGroup("group1", "role1") + .addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName()); + policyFile.write(iniFile); + PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + // positive test + List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri); + Assert.assertTrue(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + // negative tests + // TODO we should support the case of /path/to/./ but let's to that later + uri = new AccessURI("file:///path/to/./"); + authorizableHierarchy = ImmutableList.of(server1, uri); + Assert.assertFalse(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + uri = new AccessURI("file:///path/to/../"); + authorizableHierarchy = ImmutableList.of(server1, uri); + Assert.assertFalse(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + uri = new AccessURI("file:///path/to/../../"); + authorizableHierarchy = ImmutableList.of(server1, uri); + Assert.assertFalse(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + uri = new AccessURI("file:///path/to/dir/../../"); + authorizableHierarchy = ImmutableList.of(server1, uri); + Assert.assertFalse(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + } + @Test(expected=IllegalArgumentException.class) + public void testInvalidPath() throws Exception { + new AccessURI(":invaliduri"); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java new file mode 100644 index 0000000..5d48280 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java @@ -0,0 +1,115 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import java.io.File; +import java.io.IOException; +import java.util.Set; + +import junit.framework.Assert; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.hdfs.MiniDFSCluster; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.provider.file.PolicyFiles; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine { + + private static MiniDFSCluster dfsCluster; + private static FileSystem fileSystem; + private static Path root; + private static Path etc; + + @BeforeClass + public static void setupLocalClazz() throws IOException { + File baseDir = getBaseDir(); + Assert.assertNotNull(baseDir); + File dfsDir = new File(baseDir, "dfs"); + Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs()); + Configuration conf = new Configuration(); + conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath()); + dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build(); + fileSystem = dfsCluster.getFileSystem(); + root = new Path(fileSystem.getUri().toString()); + etc = new Path(root, "/etc"); + fileSystem.mkdirs(etc); + } + @AfterClass + public static void teardownLocalClazz() { + if(dfsCluster != null) { + dfsCluster.shutdown(); + } + } + + @Override + protected void afterSetup() throws IOException { + fileSystem.delete(etc, true); + fileSystem.mkdirs(etc); + PolicyFiles.copyToDir(fileSystem, etc, "hive-policy-test-authz-provider.ini", "hive-policy-test-authz-provider-other-group.ini"); + setPolicy(DBPolicyTestUtil.createPolicyEngineForTest("server1", + new Path(etc, "hive-policy-test-authz-provider.ini").toString())); + } + @Override + protected void beforeTeardown() throws IOException { + fileSystem.delete(etc, true); + } + + @Test + public void testMultiFSPolicy() throws Exception { + File globalPolicyFile = new File(Files.createTempDir(), "global-policy.ini"); + File dbPolicyFile = new File(Files.createTempDir(), "db11-policy.ini"); + + // Create global policy file + PolicyFile dbPolicy = new PolicyFile() + .addPermissionsToRole("db11_role", "server=server1->db=db11") + .addRolesToGroup("group1", "db11_role"); + + dbPolicy.write(dbPolicyFile); + Path dbPolicyPath = new Path(etc, "db11-policy.ini"); + + // create per-db policy file + PolicyFile globalPolicy = new PolicyFile() + .addPermissionsToRole("admin_role", "server=server1") + .addRolesToGroup("admin_group", "admin_role") + .addGroupsToUser("db", "admin_group"); + globalPolicy.addDatabase("db11", dbPolicyPath.toUri().toString()); + globalPolicy.write(globalPolicyFile); + + + PolicyFiles.copyFilesToDir(fileSystem, etc, globalPolicyFile); + PolicyFiles.copyFilesToDir(fileSystem, etc, dbPolicyFile); + PolicyEngine multiFSEngine = + DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath()); + + Set<String> dbGroups = Sets.newHashSet(); + dbGroups.add("group1"); + ImmutableSet<String> dbPerms = + multiFSEngine.getAllPrivileges(dbGroups, ActiveRoleSet.ALL); + Assert.assertEquals("No DB permissions found", 1, dbPerms.size()); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java new file mode 100644 index 0000000..b134c6d --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineLocalFS.java @@ -0,0 +1,44 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.hive; + +import java.io.File; +import java.io.IOException; + +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.provider.file.PolicyFiles; + +public class TestSimpleDBPolicyEngineLocalFS extends AbstractTestSimplePolicyEngine { + + @Override + protected void afterSetup() throws IOException { + File baseDir = getBaseDir(); + Assert.assertNotNull(baseDir); + Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs()); + PolicyFiles.copyToDir(baseDir, "hive-policy-test-authz-provider.ini", "hive-policy-test-authz-provider-other-group.ini"); + setPolicy(DBPolicyTestUtil.createPolicyEngineForTest("server1", + new File(baseDir, "hive-policy-test-authz-provider.ini").getPath())); + } + @Override + protected void beforeTeardown() throws IOException { + File baseDir = getBaseDir(); + Assert.assertNotNull(baseDir); + FileUtils.deleteQuietly(baseDir); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini new file mode 100644 index 0000000..cd3695c --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider-other-group.ini @@ -0,0 +1,22 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[groups] +other_group = analyst_role + +[roles] +analyst_role = server=server1->db=other_group_db->table=purchases->action=select \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini new file mode 100644 index 0000000..e9114ef --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/resources/hive-policy-test-authz-provider.ini @@ -0,0 +1,32 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[databases] +other_group_db = hive-policy-test-authz-provider-other-group.ini + +[groups] +manager = analyst_role, junior_analyst_role +analyst = analyst_role +jranalyst = junior_analyst_role +admin = admin + +[roles] +analyst_role = server=server1->db=customers->table=purchases->action=select, \ + server=server1->db=analyst1, \ + server=server1->db=jranalyst1->table=*->action=select +junior_analyst_role = server=server1->db=jranalyst1, server=server1->db=customers->table=purchases_partial->action=select +admin = server=server1 http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java new file mode 100644 index 0000000..d92e1ad --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/AbstractTestSearchPolicyEngine.java @@ -0,0 +1,129 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.solr; + +import java.io.File; +import java.io.IOException; +import java.util.Set; +import java.util.TreeSet; + +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.policy.common.PolicyEngine; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public abstract class AbstractTestSearchPolicyEngine { + private static final String ANALYST_PURCHASES_UPDATE = "collection=purchases->action=update"; + private static final String ANALYST_ANALYST1_ALL = "collection=analyst1"; + private static final String ANALYST_JRANALYST1_ACTION_ALL = "collection=jranalyst1->action=*"; + private static final String ANALYST_TMPCOLLECTION_UPDATE = "collection=tmpcollection->action=update"; + private static final String ANALYST_TMPCOLLECTION_QUERY = "collection=tmpcollection->action=query"; + private static final String JRANALYST_JRANALYST1_ALL = "collection=jranalyst1"; + private static final String JRANALYST_PURCHASES_PARTIAL_QUERY = "collection=purchases_partial->action=query"; + private static final String ADMIN_COLLECTION_ALL = "collection=*"; + + private PolicyEngine policy; + private static File baseDir; + + @BeforeClass + public static void setupClazz() throws IOException { + baseDir = Files.createTempDir(); + } + + @AfterClass + public static void teardownClazz() throws IOException { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + protected void setPolicy(PolicyEngine policy) { + this.policy = policy; + } + protected static File getBaseDir() { + return baseDir; + } + @Before + public void setup() throws IOException { + afterSetup(); + } + @After + public void teardown() throws IOException { + beforeTeardown(); + } + protected void afterSetup() throws IOException { + + } + + protected void beforeTeardown() throws IOException { + + } + + @Test + public void testManager() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL, + ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE, + ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL, + JRANALYST_PURCHASES_PARTIAL_QUERY)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testAnalyst() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet( + ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL, + ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE, + ANALYST_TMPCOLLECTION_QUERY)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testJuniorAnalyst() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets + .newHashSet(JRANALYST_JRANALYST1_ALL, + JRANALYST_PURCHASES_PARTIAL_QUERY)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL)) + .toString()); + } + + @Test + public void testAdmin() throws Exception { + Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL)); + Assert.assertEquals(expected.toString(), + new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL)) + .toString()); + } + + private static Set<String> set(String... values) { + return Sets.newHashSet(values); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java new file mode 100644 index 0000000..3856825 --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/SearchPolicyTestUtil.java @@ -0,0 +1,45 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.solr; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.model.search.SearchPrivilegeModel; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.search.SimpleSearchPolicyEngine; +import org.apache.sentry.provider.common.ProviderBackend; +import org.apache.sentry.provider.common.ProviderBackendContext; +import org.apache.sentry.provider.file.SimpleFileProviderBackend; + +import java.io.IOException; + +public class SearchPolicyTestUtil { + + public static PolicyEngine createPolicyEngineForTest(String resource) throws IOException { + + ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource); + + // create backendContext + ProviderBackendContext context = new ProviderBackendContext(); + context.setAllowPerDatabase(false); + context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators()); + // initialize the backend with the context + providerBackend.initialize(context); + + + return new SimpleSearchPolicyEngine(providerBackend); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java new file mode 100644 index 0000000..a14f520 --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestCollectionRequiredInRole.java @@ -0,0 +1,64 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.sentry.policy.solr; + +import junit.framework.Assert; + +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.sentry.core.model.search.validator.CollectionRequiredInPrivilege; +import org.apache.shiro.config.ConfigurationException; +import org.junit.Test; + +public class TestCollectionRequiredInRole { + + @Test + public void testEmptyRole() throws Exception { + CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege(); + + // check no db + try { + collRequiredInRole.validate(new PrivilegeValidatorContext("index=index1")); + Assert.fail("Expected ConfigurationException"); + } catch (ConfigurationException e) { + ; + } + + // check with db + try { + collRequiredInRole.validate(new PrivilegeValidatorContext("db1","index=index2")); + Assert.fail("Expected ConfigurationException"); + } catch (ConfigurationException e) { + ; + } + } + + @Test + public void testCollectionWithoutAction() throws Exception { + CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege(); + collRequiredInRole.validate(new PrivilegeValidatorContext("collection=nodb")); + collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db")); + } + + @Test + public void testCollectionWithAction() throws Exception { + CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege(); + collRequiredInRole.validate(new PrivilegeValidatorContext(null,"collection=nodb->action=query")); + collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db->action=update")); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java new file mode 100644 index 0000000..f460d7a --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java @@ -0,0 +1,192 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.solr; + +import java.io.File; +import java.io.IOException; +import java.util.Arrays; +import java.util.EnumSet; +import java.util.List; +import java.util.Set; + +import com.google.common.collect.Sets; +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.Action; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.model.search.Collection; +import org.apache.sentry.core.model.search.SearchModelAction; +import org.apache.sentry.provider.common.GroupMappingService; +import org.apache.sentry.provider.common.ResourceAuthorizationProvider; +import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; +import org.apache.sentry.provider.file.PolicyFiles; +import org.junit.After; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.base.Objects; +import com.google.common.collect.HashMultimap; +import com.google.common.collect.Multimap; +import com.google.common.io.Files; + + +public class TestSearchAuthorizationProviderGeneralCases { + + private static final Logger LOGGER = LoggerFactory + .getLogger(TestSearchAuthorizationProviderGeneralCases.class); + + private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap + .create(); + + private static final Subject SUB_ADMIN = new Subject("admin1"); + private static final Subject SUB_MANAGER = new Subject("manager1"); + private static final Subject SUB_ANALYST = new Subject("analyst1"); + private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1"); + + private static final Collection COLL_PURCHASES = new Collection("purchases"); + private static final Collection COLL_ANALYST1 = new Collection("analyst1"); + private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1"); + private static final Collection COLL_TMP = new Collection("tmpcollection"); + private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial"); + + private static final SearchModelAction QUERY = SearchModelAction.QUERY; + private static final SearchModelAction UPDATE = SearchModelAction.UPDATE; + + static { + USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin")); + USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager")); + USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst")); + USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(), + Arrays.asList("jranalyst")); + } + + private final ResourceAuthorizationProvider authzProvider; + private File baseDir; + + public TestSearchAuthorizationProviderGeneralCases() throws IOException { + baseDir = Files.createTempDir(); + PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini"); + authzProvider = new HadoopGroupResourceAuthorizationProvider( + SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()), + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + + } + + @After + public void teardown() { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + private void doTestAuthProviderOnCollection(Subject subject, + Collection collection, Set<? extends Action> expectedPass) throws Exception { + Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE); + for(SearchModelAction action : allActions) { + doTestResourceAuthorizationProvider(subject, collection, + EnumSet.of(action), expectedPass.contains(action)); + } + } + + private void doTestResourceAuthorizationProvider(Subject subject, + Collection collection, + Set<? extends Action> privileges, boolean expected) throws Exception { + List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] { + collection + }); + Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); + helper.add("Subject", subject).add("Collection", collection) + .add("Privileges", privileges).add("authzHierarchy", authzHierarchy); + LOGGER.info("Running with " + helper.toString()); + Assert.assertEquals(helper.toString(), expected, + authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); + LOGGER.info("Passed " + helper.toString()); + } + + @Test + public void testAdmin() throws Exception { + Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); + doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions); + doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions); + doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions); + doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions); + doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions); + } + + @Test + public void testManager() throws Exception { + Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE); + doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly); + + Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); + doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions); + doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions); + + Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE); + doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly); + + Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY); + doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly); + } + + @Test + public void testAnalyst() throws Exception { + Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE); + doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly); + + Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); + doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions); + doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions); + + Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE); + doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly); + + Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class); + doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions); + } + + @Test + public void testJuniorAnalyst() throws Exception { + Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); + doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions); + + Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY); + doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly); + + Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class); + doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions); + doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions); + doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions); + } + + public class MockGroupMappingServiceProvider implements GroupMappingService { + private final Multimap<String, String> userToGroupMap; + + public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) { + this.userToGroupMap = userToGroupMap; + } + + @Override + public Set<String> getGroups(String user) { + return Sets.newHashSet(userToGroupMap.get(user)); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java new file mode 100644 index 0000000..6d51dee --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java @@ -0,0 +1,83 @@ + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.solr; + +import java.io.File; +import java.io.IOException; +import java.util.EnumSet; +import java.util.List; +import java.util.Set; + +import junit.framework.Assert; + +import org.apache.commons.io.FileUtils; +import org.apache.sentry.core.common.Action; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.model.search.Collection; +import org.apache.sentry.core.model.search.SearchModelAction; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.provider.common.AuthorizationProvider; +import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; +import org.apache.sentry.provider.file.PolicyFile; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.ImmutableList; +import com.google.common.io.Files; + +public class TestSearchAuthorizationProviderSpecialCases { + private AuthorizationProvider authzProvider; + private PolicyFile policyFile; + private File baseDir; + private File iniFile; + private String initResource; + @Before + public void setup() throws IOException { + baseDir = Files.createTempDir(); + iniFile = new File(baseDir, "policy.ini"); + initResource = "file://" + iniFile.getPath(); + policyFile = new PolicyFile(); + } + + @After + public void teardown() throws IOException { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + @Test + public void testDuplicateEntries() throws Exception { + Subject user1 = new Subject("user1"); + Collection collection1 = new Collection("collection1"); + Set<? extends Action> actions = EnumSet.allOf(SearchModelAction.class); + policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1") + .addRolesToGroup("group1", true, "role1", "role1") + .addPermissionsToRole("role1", true, "collection=" + collection1.getName(), + "collection=" + collection1.getName()); + policyFile.write(iniFile); + PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(initResource); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1); + Assert.assertTrue(authorizableHierarchy.toString(), + authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java new file mode 100644 index 0000000..e7da13a --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchModelAuthorizables.java @@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.sentry.policy.solr; +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertNull; + +import org.apache.sentry.core.model.search.Collection; +import org.apache.sentry.core.model.search.SearchModelAuthorizables; +import org.junit.Test; + +public class TestSearchModelAuthorizables { + + @Test + public void testCollection() throws Exception { + Collection coll = (Collection) SearchModelAuthorizables.from("CoLleCtiOn=collection1"); + assertEquals("collection1", coll.getName()); + } + + @Test(expected=IllegalArgumentException.class) + public void testNoKV() throws Exception { + System.out.println(SearchModelAuthorizables.from("nonsense")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(SearchModelAuthorizables.from("=v")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(SearchModelAuthorizables.from("k=")); + } + + @Test + public void testNotAuthorizable() throws Exception { + assertNull(SearchModelAuthorizables.from("k=v")); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java new file mode 100644 index 0000000..9813681 --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineDFS.java @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.solr; + +import java.io.File; +import java.io.IOException; + +import junit.framework.Assert; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.hdfs.MiniDFSCluster; +import org.apache.sentry.provider.file.PolicyFiles; +import org.junit.AfterClass; +import org.junit.BeforeClass; + +public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine { + + private static MiniDFSCluster dfsCluster; + private static FileSystem fileSystem; + private static Path root; + private static Path etc; + + @BeforeClass + public static void setupLocalClazz() throws IOException { + File baseDir = getBaseDir(); + Assert.assertNotNull(baseDir); + File dfsDir = new File(baseDir, "dfs"); + Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs()); + Configuration conf = new Configuration(); + conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath()); + dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build(); + fileSystem = dfsCluster.getFileSystem(); + root = new Path(fileSystem.getUri().toString()); + etc = new Path(root, "/etc"); + fileSystem.mkdirs(etc); + } + + @AfterClass + public static void teardownLocalClazz() { + if(dfsCluster != null) { + dfsCluster.shutdown(); + } + } + + @Override + protected void afterSetup() throws IOException { + fileSystem.delete(etc, true); + fileSystem.mkdirs(etc); + PolicyFiles.copyToDir(fileSystem, etc, "solr-policy-test-authz-provider.ini"); + setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new Path(etc, + "solr-policy-test-authz-provider.ini").toString())); + } + + @Override + protected void beforeTeardown() throws IOException { + fileSystem.delete(etc, true); + } +}
