saihemanth-cloudera commented on code in PR #5819: URL: https://github.com/apache/hive/pull/5819#discussion_r2141139115
########## ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java: ########## 
@@ -112,16 +134,61 @@ public void setUp() throws Exception {
 } catch (Exception e) {
 // NoSuchObjectException will be ignored if the step objects are not there
 }
+ // Reset the mock for each test
+ mockHiveAuthorizer = Mockito.mock(HiveAuthorizer.class);
+ configureMockAuthorizer();
+ }
+
+ /**
+ * Configures the mock authorizer to check permissions based on username
+ */
+ private static void configureMockAuthorizer() throws HiveAuthzPluginException, HiveAccessControlException {
+ doAnswer(invocation -> {
+ HiveOperationType opType = invocation.getArgument(0);
+ String user;
+ try {
+ user = UserGroupInformation.getLoginUser().getShortUserName();
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException("Unable to get UserGroupInformation");
+ }
+
+ if (!allowedUsers.contains(user) && !user.equals(superUser)) {
+ throw new HiveAuthzPluginException("Operation type " + opType + " not allowed for user:" + user);
+ }
+ return null;
+ }).when(mockHiveAuthorizer).checkPrivileges(any(HiveOperationType.class), any(), any(), any(HiveAuthzContext.class));
+ }
+
+ /**
+ * Factory class that provides MockHiveAuthorizer instance
+ */
+ public static class MockHiveAuthorizerFactory implements HiveAuthorizerFactory {
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx) {
+ return mockHiveAuthorizer;
+ }
+ }
+
+ /**
+ * Captures and returns the privilege objects passed to the authorizer
+ */
+ private Pair<List<HivePrivilegeObject>, List<HivePrivilegeObject>> getHivePrivilegeObjectsFromLastCall() throws HiveAuthzPluginException, HiveAccessControlException {
+ @SuppressWarnings("unchecked") Class<List<HivePrivilegeObject>> class_listPrivObjects = (Class) List.class;
+ ArgumentCaptor<List<HivePrivilegeObject>> inputsCapturer = ArgumentCaptor.forClass(class_listPrivObjects);
+ ArgumentCaptor<List<HivePrivilegeObject>> outputsCapturer = 
ArgumentCaptor.forClass(class_listPrivObjects);
+
+ verify(mockHiveAuthorizer).checkPrivileges(any(HiveOperationType.class), inputsCapturer.capture(), outputsCapturer.capture(), any(HiveAuthzContext.class));
+
+ return new ImmutablePair<>(inputsCapturer.getValue(), outputsCapturer.getValue());
 }
 @Test
 public void testA_CreateDatabase_unAuthorizedUser() throws Exception {
 UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
 try {
- Database db = new DatabaseBuilder()
- .setName(dbName)
- .build(conf);
+ Database db = new DatabaseBuilder().setName(dbName).build(conf);
 hmsHandler.create_database(db);
+ fail("Expected authorization exception for unauthorized user");
Review Comment: The newly added fail statements are not acceptable to me because the test framework should fail the query if the user is unauthorized.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org For additional commands, e-mail: gitbox-h...@hive.apache.org
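Review bot: In `configureMockAuthorizer()` the denial branch throws `HiveAuthzPluginException`, the same type the catch block just above uses for a failed user lookup, although the method also declares `HiveAccessControlException`; a test that only checks the exception type cannot tell an authorization denial from a plugin error. Consider `throw new HiveAccessControlException("Operation type " + opType + " not allowed for user:" + user);` for the denial, assuming that matches what the production authorizer raises and that no existing assertion depends on the current type. The catch block also drops the underlying cause; `throw new HiveAuthzPluginException("Unable to get UserGroupInformation", e);` would keep it, if that constructor is available. The body of `testA_CreateDatabase_unAuthorizedUser` continues past the end of the quoted hunk.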