Repository: lens Updated Branches: refs/heads/master 1c3dff25b -> 0eba44abd
LENS-1532 and LENS-1529 : Adding files missed in previous commit. Project: http://git-wip-us.apache.org/repos/asf/lens/repo Commit: http://git-wip-us.apache.org/repos/asf/lens/commit/0eba44ab Tree: http://git-wip-us.apache.org/repos/asf/lens/tree/0eba44ab Diff: http://git-wip-us.apache.org/repos/asf/lens/diff/0eba44ab Branch: refs/heads/master Commit: 0eba44abdca9d1840777ce70b26187608286bc0a Parents: 1c3dff2 Author: Rajitha R <[email protected]> Authored: Thu Sep 6 14:56:02 2018 +0530 Committer: Rajitha.R <[email protected]> Committed: Thu Sep 6 14:56:02 2018 +0530 ---------------------------------------------------------------------- .../apache/lens/cube/parse/MockAuthorizer.java | 57 +++++++++++++++++ .../parse/TestQueryAuthorizationResolver.java | 66 ++++++++++++++++++++ 2 files changed, 123 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/lens/blob/0eba44ab/lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java b/lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java new file mode 100644 index 0000000..d410083 --- /dev/null +++ b/lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java @@ -0,0 +1,57 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.lens.cube.parse; + +import java.util.HashSet; +import java.util.Set; + +import org.apache.lens.server.api.authorization.ActionType; +import org.apache.lens.server.api.authorization.Authorizer; +import org.apache.lens.server.api.authorization.LensPrivilegeObject; + +import lombok.Getter; + +public class MockAuthorizer implements Authorizer { + + @Getter + Set<String> authorizedUserGroups; + MockAuthorizer(){ + init(); + } + + public void init(){ + this.authorizedUserGroups = new HashSet<>(); + this.authorizedUserGroups.add("lens-auth-test1"); + } + @Override + public boolean authorize(LensPrivilegeObject lensPrivilegeObject, ActionType accessType, String user, + Set<String> userGroups) { + //check query authorization + if (lensPrivilegeObject.getTable().equals("basecube") && accessType.equals(ActionType.SELECT)) { + userGroups.retainAll(getAuthorizedUserGroups()); + return !userGroups.isEmpty(); + } + // check metastore schema authorization + if (lensPrivilegeObject.getTable().equals("TestCubeMetastoreClient") && accessType.equals(ActionType.UPDATE)) { + userGroups.retainAll(getAuthorizedUserGroups()); + return !userGroups.isEmpty(); + } + return false; + } +} http://git-wip-us.apache.org/repos/asf/lens/blob/0eba44ab/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java new file mode 100644 index 0000000..13b345f --- /dev/null +++ b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java @@ -0,0 +1,66 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.lens.cube.parse; + +import static org.apache.lens.cube.metadata.DateFactory.TWO_DAYS_RANGE; + +import static org.testng.Assert.assertEquals; +import static org.testng.Assert.fail; + +import org.apache.lens.cube.metadata.MetastoreConstants; +import org.apache.lens.server.api.LensConfConstants; +import org.apache.lens.server.api.error.LensException; +import org.apache.lens.server.api.query.save.exception.PrivilegeException; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hive.ql.session.SessionState; + +import org.testng.annotations.BeforeClass; +import org.testng.annotations.Test; + +public class TestQueryAuthorizationResolver extends TestQueryRewrite { + private Configuration conf = new Configuration(); + + @BeforeClass + public void beforeClassTestQueryAuthorizationResolver() { + conf.setBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK, true); + conf.setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true); + conf.set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer"); + } + + @Test + public void testRestrictedColumnsFromQuery() throws LensException { + + SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test2"); + String testQuery = "select dim11 from basecube where " + TWO_DAYS_RANGE; + + try { + rewrite(testQuery, conf); + fail("Privilege exception supposed to be thrown for selecting restricted columns in basecube, " + + "however not seeing expected behaviour"); + } catch (PrivilegeException actualException) { + PrivilegeException expectedException = + new PrivilegeException("COLUMN", "basecube", "SELECT"); + assertEquals(expectedException, actualException); + } + SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1"); + rewrite(testQuery, conf); + } + +}
