Repository: sentry Updated Branches: refs/heads/master 3278c714c -> 748420809
SENTRY-2235: Add hive tests to verify column privileges for views. (Kalyan Kumar Kalvagadda reviewed by Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/74842080 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/74842080 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/74842080 Branch: refs/heads/master Commit: 74842080936b93a8ef9b874774fd841764adc42c Parents: 3278c71 Author: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Authored: Mon Jun 25 09:32:24 2018 -0500 Committer: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Committed: Mon Jun 25 09:32:24 2018 -0500 ---------------------------------------------------------------------- .../tests/e2e/dbprovider/TestDbComplexView.java | 68 ++++++++++++++++++++ 1 file changed, 68 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/74842080/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java index 35f41c6..bb7ccfe 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java @@ -199,6 +199,54 @@ public class TestDbComplexView extends AbstractTestWithStaticConfiguration { } } + private void grantAndValidateColumnPrivilege(String testView, String column, String testRole, String testGroup, + String user, boolean revoke) throws Exception { + createTestRole(ADMIN1, testRole); + List<String> sqls = new ArrayList<String>(); + + // grant privilege + sqls.add("USE " + TEST_VIEW_DB); + sqls.add("GRANT SELECT(" + column + ")" + " ON TABLE " + testView + " TO ROLE " + testRole); + sqls.add("GRANT ROLE " + testRole + " TO GROUP " + testGroup); + execBatch(ADMIN1, sqls); + + // show grant should pass and could list view + assertTrue("can not find select privilege from " + testRole, + execValidate(ADMIN1, "SHOW GRANT ROLE " + testRole + " ON TABLE " + testView, + TEST_VIEW_DB, "privilege", "select")); + assertTrue("can not find " + testView, + execValidate(user, "SHOW TABLES", TEST_VIEW_DB, "tab_name", testView)); + + // select from view should pass + sqls.clear(); + sqls.add("USE " + TEST_VIEW_DB); + sqls.add("SELECT "+ column +" FROM " + testView); + execBatch(user, sqls); + + if (revoke) { + // revoke privilege + sqls.clear(); + sqls.add("USE " + TEST_VIEW_DB); + sqls.add("REVOKE SELECT(" + column + ")" + " ON TABLE " + testView + " FROM ROLE " + testRole); + execBatch(ADMIN1, sqls); + + // shouldn't be able to show grant + assertFalse("should not find select from " + testRole, + execValidate(ADMIN1, "SHOW GRANT ROLE " + testRole + " ON TABLE " + testView, + TEST_VIEW_DB, "privilege", "select")); + + // select from view should fail + sqls.clear(); + sqls.add("USE " + TEST_VIEW_DB); + sqls.add("SELECT * FROM " + testView); + try { + execBatch(user, sqls); + } catch (SQLException ex) { + LOGGER.info("Expected SQLException here", ex); + } + } + } + private void grantAndValidatePrivilege(String testView, String testRole, String testGroup, String user) throws Exception { grantAndValidatePrivilege(testView, testRole, testGroup, user, true); @@ -237,6 +285,26 @@ public class TestDbComplexView extends AbstractTestWithStaticConfiguration { } /** + * Create view1 and view2 from view1 + * Grant and validate select privileges to both views + * @throws Exception + */ + @Test + public void testColumnPrivilegeOnView() throws Exception { + List<String> sqls = new ArrayList<String>(); + // create a simple view + sqls.add("USE " + TEST_VIEW_DB); + sqls.add("CREATE VIEW " + TEST_VIEW + + "(userid,link) AS SELECT userid,link from " + TEST_VIEW_TB); + + execBatch(ADMIN1, sqls); + + // validate privileges + grantAndValidateColumnPrivilege(TEST_VIEW, "userid", TEST_VIEW_ROLE, USERGROUP1, USER1_1, true); + } + + + /** * Create a view by join two tables * Grant and verify select privilege * @throws Exception