-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22322/
-----------------------------------------------------------
(Updated June 7, 2014, 1:32 a.m.)
Review request for sentry, Arun Suresh, Jarek Cecho, and Prasad Mujumdar.
Changes
-------
Updated the patch as per Jarcec's feedback.
Bugs: sentry-238 and sentry-261
https://issues.apache.org/jira/browse/sentry-238
https://issues.apache.org/jira/browse/sentry-261
Repository: sentry
Description
-------
This patch adds the following test cases for Sentry Grant/Revoke feature
through Hive end to end tests(a few of them are already there).
Apart from these test cases it does:
- Fix sentry-238, denied show roles/show grant/show role grant throws
SentryAccessDeniedException instead of Thrift exception.
- Adds a test case for SENTRY-264 ( although, it is not fixed in this patch)
1. Grant/Revoke privileges test cases:
1.1. All on server
1.2. All on database
1.3. All on URI
1.4. All on table
1.5. Insert on table
1.6. Select on table
1.7. Partial privileges on table
1.7.1. Grant all, revoke insert leads to select on table
1.7.2. Grant all, revoke select leads to select on table
2.Create/Drop role
3. Show roles
3.1. When there are no roles, returns empty list
3.2. When there are roles, returns correct list with correct schema.
4. Show role grant
4.1. When there are no roles and group, throws SentryNoSuchObjectException
4.2. When there are roles, returns correct list with correct schema.
5. Show privileges
5.1. When there are no privileges granted to a role, returns an empty list
5.2. When there are privileges, returns correct list with correct schema.
5.3. Given privileges on table, show grant on table should return table
privilege.
5.4. Privileges on database
5.4.1. Show grant on database should return correct priv
5.4.2. Show grant on table should return correct priv
5.5. Privileges on server
5.5.1. Show grant on database should return correct priv
5.5.2. Show grant on table should return correct priv
5.5.3. Show grant on server should return correct priv (sql not supported yet
in hive)
5.6. Show grant on uri (sql not supported yet in hive)
6. Show current role
7. Corner test cases:
7.1. Drop role which doesn't exist, throws SentryNoSuchObjectException
7.2. Create role which already exists, throws SentryAlreadyExitsException
7.3. Drop role when privileges mapping exists and create role with same name,
old mappings should not exist
7.4. Grant role, when role doesn't exist, throws SentryNoSuchObjectException
7.5. Grant role when mapping exists, silently allows
7.6. Grant multiple roles to a group
7.7. Revoke role after role has been dropped, SentryNoSuchObjectException
7.8. Revoke role from a group when mapping doesn't exist, silently allows
7.9. Grant privilege to a role, privilege already exists, silently allows
7.10. Grant privilege to a role, mapping already exists, silently allows
7.11. Multiple privileges to a role
7.12. Revoke privilege when privilege doesn't exist, silently allows
7.13. Revoke privilege, when role doesn't exist, SentryNoSuchObjectException
7.14. Revoke privilege when mapping doesn't exist, silently allows
8. Sentry Auth DDL by non admin user tests, should fire SentryOnFailureHook and
should throw SentryAccessDeniedException
8.1. Create role
8.2. Drop role
8.3. Grant role
8.4. Revoke role
8.5. Grant privilege
8.6. Revoke privilege
8.7. Show roles
8.8. Show role grant
8.9. Show grant
8.10. Grant Revoke on data objects, do not expose database/table entities
8.10.1. table
8.10.1. database
9. Denied non auth DDLs and Queries, should invoke SentryOnFailureHook
9.1. Denied create table, when table exists: Exposes only db object
9.2. Denied create table, when table does not exist: exposes only db object
9.3. select when table exist: doesn't expose database and table
9.4. alter table, doesn't invoke failure hook. (this test fails)
Diffs (updated)
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
6ea1ca0027c35bfd1eec1f9028f031b7178fe35d
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
62113c89607a7194fef79a3f9d89e89a5a96c51c
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
322e90e5785d20d250be19e75fd2ed4c1c9b817a
sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
5d584c0a856fbf2bc563481c99dcb69a36a2b507
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
1089390dc6b2bd709591093b583f1cd5bc32e787
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/PolicyProviderForTest.java
79ca38774818f5cc812a9810bb84784f8429001a
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
84223a941e8072683681ef41e265d0c8e3570f82
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
9c0c8b5b65de1db4fbb50357258a982c1b8a2a10
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
8beedd7ba837b132a39da5b794118ab919fc203f
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
39d411e3c9138d50b6dc3ead5cd0a45653f4873f
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/DummySentryOnFailureHook.java
079f273f20753c4de90f448f1de47c56b810e18d
Diff: https://reviews.apache.org/r/22322/diff/
Testing
-------
Yes.
Thanks,
Sravya Tirukkovalur
