Repository: lens Updated Branches: refs/heads/master 5a73df0d2 -> 1c3dff25b
LENS-1529: Authorization test cases and LENS-1532 : Authorization conf fix. Project: http://git-wip-us.apache.org/repos/asf/lens/repo Commit: http://git-wip-us.apache.org/repos/asf/lens/commit/1c3dff25 Tree: http://git-wip-us.apache.org/repos/asf/lens/tree/1c3dff25 Diff: http://git-wip-us.apache.org/repos/asf/lens/diff/1c3dff25 Branch: refs/heads/master Commit: 1c3dff25b6547478d66cae13ac795d63f0e54c10 Parents: 5a73df0 Author: Rajitha R <[email protected]> Authored: Thu Sep 6 13:30:32 2018 +0530 Committer: Rajitha.R <[email protected]> Committed: Thu Sep 6 13:30:32 2018 +0530 ---------------------------------------------------------------------- .../cube/authorization/AuthorizationUtil.java | 16 +++--- .../lens/cube/metadata/CubeMetastoreClient.java | 5 +- .../cube/parse/QueryAuthorizationResolver.java | 4 +- .../cube/metadata/TestCubeMetastoreClient.java | 60 ++++++++++++++------ .../resources/schema/cubes/base/basecube.xml | 1 + 5 files changed, 59 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java index ccd46a3..5ae2cfd 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java +++ b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java 
@@ -38,24 +38,26 @@ public class AuthorizationUtil { private AuthorizationUtil(){} public static boolean isAuthorized(Authorizer authorizer, String tableName, - LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration configuration) + LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration hconf, + Configuration sessionConf) throws LensException { - return isAuthorized(authorizer, tableName, null, privilegeObjectType, actionType, configuration); + return isAuthorized(authorizer, tableName, null, privilegeObjectType, actionType, hconf, sessionConf); } public static boolean isAuthorized(Authorizer authorizer, String tableName, String colName, - LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration configuration) + LensPrivilegeObject.LensPrivilegeObjectType privilegeObjectType, ActionType actionType, Configuration hconf, + Configuration sessionConf) throws LensException { String user = null; Set<String> userGroups = new HashSet<>(); - if (configuration.getBoolean(LensConfConstants.USER_NAME_BASED_AUTHORIZATION, + if (hconf.getBoolean(LensConfConstants.USER_NAME_BASED_AUTHORIZATION, LensConfConstants.DEFAULT_USER_NAME_AUTHORIZATION)){ - user = configuration.get(LensConfConstants.SESSION_LOGGEDIN_USER); + user = sessionConf.get(LensConfConstants.SESSION_LOGGEDIN_USER); } - if (configuration.getBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, + if (hconf.getBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, LensConfConstants.DEFAULT_USER_GROUPS_AUTHORIZATION)) { userGroups = (Set<String>) - configuration.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS); + sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS); } LensPrivilegeObject lp = new LensPrivilegeObject(privilegeObjectType, tableName, colName); if (!authorizer.authorize(lp, actionType, user, userGroups)) { 
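Review bot: The `(Set<String>)` cast on the added `sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS)` line in the seven-argument `isAuthorized` depends on the concrete class Hadoop happens to return, because the method is declared to return `Collection<String>`. If a list comes back (which I believe is the case when the key is unset; confirm against the Hadoop version in use), the authorization check ends in a ClassCastException instead of a clean denial. Copying is safer: `userGroups = new HashSet<>(sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS));`. Since identity now comes from `sessionConf`, a session without `SESSION_LOGGEDIN_USER` passes `user == null` to `authorizer.authorize(...)`, so both overloads deserve a Javadoc line saying that `hconf` supplies the policy switches, `sessionConf` supplies the caller identity, and authorizers must deny on a null user with empty groups. The method body continues past the end of the hunk.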
http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java index e6afcff..b1c1ae4 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java +++ b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java @@ -129,7 +129,7 @@ public class CubeMetastoreClient { return completenessChecker; } - public Authorizer getAuthorizer() { + private Authorizer getAuthorizer() { if (authorizer == null) { authorizer = ReflectionUtils.newInstance(config.getClass(MetastoreConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class), this.config); @@ -157,7 +157,8 @@ public class CubeMetastoreClient { if (isAuthorizationEnabled()) { String currentdb = SessionState.get().getCurrentDatabase(); AuthorizationUtil.isAuthorized(getAuthorizer(), currentdb, - LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf()); + LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf(), + SessionState.getSessionConf()); } } http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java index 78dd642..f1376ca 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java +++ b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java 
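Review bot: The identity for the DATABASE/UPDATE check in the `@@ -157,7 +157,8 @@` hunk now comes from `SessionState.getSessionConf()`, which is resolved from the calling thread rather than passed in, and nothing visible here verifies that the thread carries the requesting user's session. If that conf can be empty, or can belong to another session on a pooled thread, the authorizer is asked about the wrong or an empty identity; the same call pattern is added in the `QueryAuthorizationResolver` hunk `@@ -69,7 +70,8 @@`. It is also worth confirming that `SESSION_LOGGEDIN_USER` and `SESSION_USER_GROUPS` are written only by the server and cannot be overridden through client-supplied session parameters, and recording that above the call, e.g. `// identity keys in the session conf are server-populated and must not be client-settable`. The boolean returned by `isAuthorized` is discarded, so enforcement relies on it throwing; the enclosing method starts outside the hunk.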
@@ -29,6 +29,7 @@ import org.apache.lens.server.api.authorization.LensPrivilegeObject; import org.apache.lens.server.api.error.LensException; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.util.ReflectionUtils; import lombok.Getter; @@ -69,7 +70,8 @@ public class QueryAuthorizationResolver implements ContextRewriter { if (restrictedFieldsQueried != null && !restrictedFieldsQueried.isEmpty()) { for (String col : restrictedFieldsQueried) { AuthorizationUtil.isAuthorized(getAuthorizer(), tbl.getName(), col, - LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf()); + LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf(), + SessionState.getSessionConf()); } } } http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java index 6f054c4..9499f0c 100644 --- a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java +++ b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java @@ -38,7 +38,9 @@ import org.apache.lens.cube.metadata.timeline.EndsAndHolesPartitionTimeline; import org.apache.lens.cube.metadata.timeline.PartitionTimeline; import org.apache.lens.cube.metadata.timeline.StoreAllPartitionTimeline; import org.apache.lens.cube.metadata.timeline.TestPartitionTimelines; +import org.apache.lens.server.api.LensConfConstants; import org.apache.lens.server.api.error.LensException; +import org.apache.lens.server.api.query.save.exception.PrivilegeException; import org.apache.lens.server.api.util.LensUtil; import org.apache.hadoop.hive.conf.HiveConf; 
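Review bot: `SessionState.getSessionConf()` is looked up once per restricted column inside the `for (String col : restrictedFieldsQueried)` loop in the `@@ -69,7 +70,8 @@` hunk. Reading it once before the loop keeps every column check on the same conf and makes the dependency on thread-local state easier to see. For example, put `Configuration sessionConf = SessionState.getSessionConf();` ahead of the loop and pass `sessionConf` as the last argument. The enclosing method starts and ends outside the hunk.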
@@ -63,6 +65,7 @@ import com.google.common.collect.ImmutableMap; import com.google.common.collect.Lists; import com.google.common.collect.Maps; import com.google.common.collect.Sets; + public class TestCubeMetastoreClient { private static CubeMetastoreClient client; @@ -143,6 +146,10 @@ public class TestCubeMetastoreClient { Hive.get(conf).createDatabase(database); SessionState.get().setCurrentDatabase(TestCubeMetastoreClient.class.getSimpleName()); client = CubeMetastoreClient.getInstance(conf); + client.getConf().setBoolean(LensConfConstants.ENABLE_METASTORE_SCHEMA_AUTHORIZATION_CHECK, true); + client.getConf().setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true); + client.getConf().set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer"); + SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1"); defineCube(CUBE_NAME, CUBE_NAME_WITH_PROPS, DERIVED_CUBE_NAME, DERIVED_CUBE_NAME_WITH_PROPS); defineUberDims(); } @@ -154,8 +161,8 @@ public class TestCubeMetastoreClient { client.dropCube(VIRTUAL_CUBE_NAME); client = CubeMetastoreClient.getInstance(conf); assertFalse(client.tableExists(CUBE_NAME)); - Hive.get().dropDatabase(TestCubeMetastoreClient.class.getSimpleName(), true, true, true); + CubeMetastoreClient.close(); } 
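Review bot: The setup lines added in the `@@ -143,6 +146,10 @@` hunk switch on schema authorization for the whole test class and write `SESSION_USER_GROUPS` into the shared session conf, but nothing visible in the teardown hunk `@@ -154,8 +161,8 @@` clears them, so the state may leak into other test classes that reuse the same thread or JVM. The group `"lens-auth-test1"` and the authorizer class name are bare strings whose meaning lives in `MockAuthorizer`, which is not shown. A short comment stating which groups `MockAuthorizer` authorizes for which objects would make the setup readable on its own. `MockAuthorizer.class.getName()` would survive a rename, if that class is on this module's test classpath. Both enclosing methods extend beyond their hunks.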
@@ -350,12 +357,12 @@ public class TestCubeMetastoreClient { cube = new Cube(cubeName, cubeMeasures, cubeDimensions, cubeExpressions, joinChains, emptyHashMap, 0.0); measures = Sets.newHashSet("msr1", "msr2", "msr3"); moreMeasures.addAll(measures); - for(CubeMeasure measure: dummyMeasure) { + for (CubeMeasure measure : dummyMeasure) { moreMeasures.add(measure.getName()); } dimensions = Sets.newHashSet("dim1", "dim2", "dim3"); moreDimensions.addAll(dimensions); - for(CubeDimAttribute dimAttribute: dummyDimAttributes) { + for (CubeDimAttribute dimAttribute : dummyDimAttributes) { moreDimensions.add(dimAttribute.getName()); } derivedCube = new DerivedCube(derivedCubeName, measures, dimensions, cube); 
@@ -854,25 +861,25 @@ public class TestCubeMetastoreClient { tag2.put("is_ui_visible", "true"); Set<CubeMeasure> cubeMeasures = new HashSet<>(); cubeMeasures.add(new ColumnMeasure( - new FieldSchema("msr1", "int", "measure1 with tag"), null, null, null, null, null, null, null, 0.0, - 9999.0, tag1)); + new FieldSchema("msr1", "int", "measure1 with tag"), null, null, null, null, null, null, null, 0.0, + 9999.0, tag1)); cubeMeasures.add(new ColumnMeasure( - new FieldSchema("msr2", "int", "measure2 with tag"), - "measure2 with tag", null, null, null, NOW, null, null, 0.0, 999999.0, tag2)); + new FieldSchema("msr2", "int", "measure2 with tag"), + "measure2 with tag", null, null, null, NOW, null, null, 0.0, 999999.0, tag2)); Set<CubeDimAttribute> cubeDimensions = new HashSet<>(); cubeDimensions.add(new BaseDimAttribute(new FieldSchema("dim1", "id", "ref dim"), "dim with tag", - null, null, null, null, null, tag1)); + null, null, null, null, null, tag1)); ExprSpec expr1 = new ExprSpec("avg(msr1 + msr2)", null, null); ExprSpec expr2 = new ExprSpec("avg(msr2 + msr1)", null, null); Set<ExprColumn> cubeExpressions = new HashSet<>(); cubeExpressions.add(new ExprColumn(new FieldSchema("expr_measure", "double", "expression measure"), - "expr with tag", tag2, expr1, expr2)); + "expr with tag", tag2, expr1, expr2)); client.createCube(cubename, - cubeMeasures, cubeDimensions, cubeExpressions, null, null); + cubeMeasures, cubeDimensions, cubeExpressions, null, null); Table cubeTbl = client.getHiveTable(cubename); assertTrue(client.isCube(cubeTbl)); Cube cube2 = new Cube(cubeTbl); 
@@ -983,7 +990,7 @@ public class TestCubeMetastoreClient { factColumns.add(new FieldSchema("zipcode", "int", "zip")); FieldSchema itPart = new FieldSchema("it", "string", "date part"); FieldSchema etPart = new FieldSchema("et", "string", "date part"); - String[] partColNames = new String[] { getDatePartitionKey(), itPart.getName(), etPart.getName() }; + String[] partColNames = new String[]{getDatePartitionKey(), itPart.getName(), etPart.getName()}; StorageTableDesc s1 = new StorageTableDesc(TextInputFormat.class, HiveIgnoreKeyTextOutputFormat.class, Lists.newArrayList(getDatePartition(), itPart, etPart), @@ -1034,7 +1041,7 @@ public class TestCubeMetastoreClient { EndsAndHolesPartitionTimeline.class.getCanonicalName()); client.pushHiveTable(c2TableHourly); - assertSameTimelines(factName, new String[] { c1, c2 }, HOURLY, partColNames); + assertSameTimelines(factName, new String[]{c1, c2}, HOURLY, partColNames); StoreAllPartitionTimeline timelineDtC1 = ((StoreAllPartitionTimeline) client.partitionTimelineCache .get(factName, c1, HOURLY, getDatePartitionKey())); @@ -1076,7 +1083,7 @@ public class TestCubeMetastoreClient { assertEquals(client.getAllParts(c1TableNameHourly).size(), 3); assertEquals(client.getAllParts(c2TableNameHourly).size(), 3); - assertSameTimelines(factName, new String[] { c1, c2 }, HOURLY, partColNames); + assertSameTimelines(factName, new String[]{c1, c2}, HOURLY, partColNames); assertTimeline(timelineDt, timelineDtC1, HOURLY, 0, 0); assertTimeline(timelineEt, timelineEtC1, HOURLY, 0, 1); @@ -1361,7 +1368,7 @@ public class TestCubeMetastoreClient { } private void assertRangeValidityForStorageTable(String storageTable) throws HiveException, LensException { - Object[][] testCases = new Object[][] { + Object[][] testCases = new Object[][]{ {"now - 15 days", "now - 11 days", false}, {"now - 15 days", "now.day - 10 days", false}, {"now - 15 days", "now - 1 hour", true}, 
@@ -1868,7 +1875,7 @@ public class TestCubeMetastoreClient { StoreAllPartitionTimeline storeAllPartitionTimeline, UpdatePeriod updatePeriod, int firstOffset, int latestOffset, int... holeOffsets) throws LensException { Date[] holeDates = new Date[holeOffsets.length]; - for(int i = 0; i < holeOffsets.length; i++) { + for (int i = 0; i < holeOffsets.length; i++) { holeDates[i] = getDateWithOffset(HOURLY, holeOffsets[i]); } assertTimeline(endsAndHolesPartitionTimeline, storeAllPartitionTimeline, updatePeriod, @@ -2191,9 +2198,9 @@ public class TestCubeMetastoreClient { // test partition List<StoragePartitionDesc> storageDescs = new ArrayList<>(); StoragePartitionDesc sPartSpecNow = - new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsNow, partSpec, HOURLY); + new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsNow, partSpec, HOURLY); StoragePartitionDesc sPartSpecTwoMonthsBack = - new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsBeforeTwoMonths, partSpec, HOURLY); + new StoragePartitionDesc(cubeFactWithParts.getName(), timePartsBeforeTwoMonths, partSpec, HOURLY); storageDescs.add(sPartSpecNow); storageDescs.add(sPartSpecTwoMonthsBack); 
@@ -2981,4 +2988,23 @@ public class TestCubeMetastoreClient { conf.setBoolean(MetastoreConstants.METASTORE_ENABLE_CACHING, true); client = CubeMetastoreClient.getInstance(conf); } + + @Test(priority = 4) + public void testMetastoreAuthorization() throws HiveException, LensException { + + client = CubeMetastoreClient.getInstance(new HiveConf(TestCubeMetastoreClient.class)); + SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test2"); + try { + client.createCube("testcache5", cubeMeasures, cubeDimensions); + fail("Privilege exception supposed to be thrown for updating TestCubeMetastoreClient" + + " database, however not seeing expected behaviour"); + } catch (PrivilegeException actualException) { + PrivilegeException expectedException = + new PrivilegeException("DATABASE", "TestCubeMetastoreClient", "UPDATE"); + assertEquals(expectedException, actualException); + } + SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1"); + client.createCube("testcache5", cubeMeasures, cubeDimensions); + } + } http://git-wip-us.apache.org/repos/asf/lens/blob/1c3dff25/lens-cube/src/test/resources/schema/cubes/base/basecube.xml ---------------------------------------------------------------------- diff --git a/lens-cube/src/test/resources/schema/cubes/base/basecube.xml b/lens-cube/src/test/resources/schema/cubes/base/basecube.xml index 6cc3201..c8a015e 100644 --- a/lens-cube/src/test/resources/schema/cubes/base/basecube.xml +++ b/lens-cube/src/test/resources/schema/cubes/base/basecube.xml @@ -21,6 +21,7 @@ --> <x_base_cube name="basecube" xmlns="uri:lens:cube:0.1"> <properties> + <property name="cube.basecube.restricted.columns" value="dim11"/> <property name="cube.timedim.partition.et" value="et"/> <property name="cube.timedim.partition.it" value="it"/> <property name="cube.timedim.partition.d_time" value="dt"/>
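Review bot: In `testMetastoreAuthorization` the session group is set to `"lens-auth-test2"` and restored to `"lens-auth-test1"` only after the try/catch. If `fail(...)` fires or any other exception escapes, the denied group stays in the shared session conf and later tests fail for an unrelated reason. Moving the reset into a `finally` avoids that: `} finally { SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1"); }`. `assertEquals(expectedException, actualException)` only works if `PrivilegeException` defines value-based `equals`, which is not visible here; asserting on its message or fields would be less fragile. A one-line comment saying the test covers both the denied and the allowed path for DATABASE/UPDATE would explain the final `createCube` call.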
