Repository: sentry Updated Branches: refs/heads/master 50e1d23e4 -> 85cf7f296
http://git-wip-us.apache.org/repos/asf/sentry/blob/85cf7f29/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationEnd2End.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationEnd2End.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationEnd2End.java
index 061900a..574bc4b 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationEnd2End.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationEnd2End.java
@@ -84,7 +84,7 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 stmt.execute( "create table ext101 (s string) location \'/tmp/external/ext101\'");
 verifyQuery(stmt, "ext100", 5);
- verifyOnAllSubDirs("/tmp/external/ext100", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext100", FsAction.ALL, "hbase", true);
 stmt.execute("drop table ext100");
 stmt.execute("drop table ext101");
 stmt.execute("use default");
@@ -128,26 +128,26 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 stmt.execute("grant role p1_admin to group hbase");
 // Verify default db is inaccessible initially
- verifyOnAllSubDirs("/user/hive/warehouse", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse", null, "hbase", false);
- verifyOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
 stmt.execute("grant all on database db5 to role db_role");
 stmt.execute("use db5");
 stmt.execute("grant all on table p2 to role tab_role");
 stmt.execute("use default");
- verifyOnAllSubDirs("/user/hive/warehouse/db5.db", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db5.db/p2", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db5.db/p2", FsAction.ALL, "flume", true);
- verifyOnPath("/user/hive/warehouse/db5.db", FsAction.ALL, "flume", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db5.db", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db5.db/p2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db5.db/p2", FsAction.ALL, "flume", true);
+ verifyGroupPermOnPath("/user/hive/warehouse/db5.db", FsAction.ALL, "flume", false);
 loadData(stmt);
 verifyHDFSandMR(stmt);
 // Verify default db is STILL inaccessible after grants but tables are fine
- verifyOnPath("/user/hive/warehouse", null, "hbase", false);
- verifyOnAllSubDirs("/user/hive/warehouse/p1", FsAction.READ_EXECUTE,
+ verifyGroupPermOnPath("/user/hive/warehouse", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", FsAction.READ_EXECUTE,
 "hbase", true);
 adminUgi.doAs(new PrivilegedExceptionAction<Void>() {
@@ -169,38 +169,38 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 });
 stmt.execute("revoke select on table p1 from role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
 // Verify default db grants work
 stmt.execute("grant select on database default to role p1_admin");
- verifyOnPath("/user/hive/warehouse", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnPath("/user/hive/warehouse", FsAction.READ_EXECUTE, "hbase", true);
 // Verify default db grants are propagated to the tables
- verifyOnAllSubDirs("/user/hive/warehouse/p1", FsAction.READ_EXECUTE,
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", FsAction.READ_EXECUTE,
 "hbase", true);
 // Verify default db revokes work
 stmt.execute("revoke select on database default from role p1_admin");
- verifyOnPath("/user/hive/warehouse", null, "hbase", false);
- verifyOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
+ verifyGroupPermOnPath("/user/hive/warehouse", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
 stmt.execute("grant all on table p1 to role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/p1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", FsAction.ALL, "hbase", true);
 stmt.execute("revoke select on table p1 from role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/p1", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", FsAction.WRITE_EXECUTE, "hbase", true);
 // Verify table rename works when locations are also changed
 stmt.execute("alter table p1 rename to p3");
- verifyOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
 //This is true as parent hive object's (p3) ACLS are used.
- verifyOnAllSubDirs("/user/hive/warehouse/p3/month=1/day=1", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3/month=1/day=1", FsAction.WRITE_EXECUTE, "hbase", true);
 // Verify when oldName == newName and oldPath != newPath
 stmt.execute("alter table p3 partition (month=1, day=1) rename to partition (month=1, day=3)");
- verifyOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/p3/month=1/day=3", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3/month=1/day=3", FsAction.WRITE_EXECUTE, "hbase", true);
 // Test DB case insensitivity
 stmt.execute("create database extdb");
@@ -211,18 +211,18 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 stmt.execute( "create table ext100 (s string) location \'/tmp/external/ext100\'");
 verifyQuery(stmt, "ext100", 5);
- verifyOnAllSubDirs("/tmp/external/ext100", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext100", FsAction.ALL, "hbase", true);
 stmt.execute("use default");
 stmt.execute("use EXTDB");
 stmt.execute( "create table ext101 (s string) location \'/tmp/external/ext101\'");
 verifyQuery(stmt, "ext101", 5);
- verifyOnAllSubDirs("/tmp/external/ext101", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext101", FsAction.ALL, "hbase", true);
 // Test table case insensitivity
 stmt.execute("grant all on table exT100 to role tab_role");
- verifyOnAllSubDirs("/tmp/external/ext100", FsAction.ALL, "flume", true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext100", FsAction.ALL, "flume", true);
 stmt.execute("drop table ext100");
 stmt.execute("drop table ext101");
@@ -237,20 +237,20 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 // Verify that Sentry permission are still enforced for the "stale" period only if stop did not take too long
 if(timeTakenForStopMs < STALE_THRESHOLD) {
- verifyOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
 Thread.sleep((STALE_THRESHOLD - timeTakenForStopMs));
 } else {
 LOGGER.warn("Sentry server stop took too long");
 }
 // Verify that Sentry permission are NOT enforced AFTER "stale" period
- verifyOnAllSubDirs("/user/hive/warehouse/p3", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3", null, "hbase", false);
 sentryServer.startAll();
 }
 // Verify that After Sentry restart permissions are re-enforced
- verifyOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p3", FsAction.WRITE_EXECUTE, "hbase", true);
 // Create new table and verify everything is fine after restart...
 stmt.execute("create table p2 (s string) partitioned by (month int, day int)");
@@ -259,13 +259,13 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 stmt.execute("alter table p2 add partition (month=2, day=1)");
 stmt.execute("alter table p2 add partition (month=2, day=2)");
- verifyOnAllSubDirs("/user/hive/warehouse/p2", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p2", null, "hbase", false);
 stmt.execute("grant select on table p2 to role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/p2", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p2", FsAction.READ_EXECUTE, "hbase", true);
 stmt.execute("grant select on table p2 to role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/p2", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p2", FsAction.READ_EXECUTE, "hbase", true);
 // Create external table
 writeToPath("/tmp/external/ext1", 5, "foo", "bar");
@@ -274,65 +274,65 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 verifyQuery(stmt, "ext1", 5);
 // Ensure existing group permissions are never returned..
- verifyOnAllSubDirs("/tmp/external/ext1", null, "bar", false);
- verifyOnAllSubDirs("/tmp/external/ext1", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext1", null, "bar", false);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext1", null, "hbase", false);
 stmt.execute("grant all on table ext1 to role p1_admin");
- verifyOnAllSubDirs("/tmp/external/ext1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext1", FsAction.ALL, "hbase", true);
 stmt.execute("revoke select on table ext1 from role p1_admin");
- verifyOnAllSubDirs("/tmp/external/ext1", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/ext1", FsAction.WRITE_EXECUTE, "hbase", true);
 // Verify database operations works correctly
 stmt.execute("create database db1");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db", null, "hbase", false);
 stmt.execute("create table db1.tbl1 (s string)");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", null, "hbase", false);
 stmt.execute("create table db1.tbl2 (s string)");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", null, "hbase", false);
 // Verify default db grants do not affect other dbs
 stmt.execute("grant all on database default to role p1_admin");
- verifyOnPath("/user/hive/warehouse", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db", null, "hbase", false);
+ verifyGroupPermOnPath("/user/hive/warehouse", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db", null, "hbase", false);
 // Verify table rename works
 stmt.execute("create table q1 (s string)");
- verifyOnAllSubDirs("/user/hive/warehouse/q1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/q1", FsAction.ALL, "hbase", true);
 stmt.execute("alter table q1 rename to q2");
- verifyOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
 // Verify table GRANTS do not trump db GRANTS
 stmt.execute("grant select on table q2 to role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
 stmt.execute("create table q3 (s string)");
- verifyOnAllSubDirs("/user/hive/warehouse/q3", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/q3", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
 // Verify db privileges are propagated to tables
 stmt.execute("grant select on database db1 to role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.READ_EXECUTE, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", FsAction.READ_EXECUTE, "hbase", true);
 // Verify default db revokes do not affect other dbs
 stmt.execute("revoke all on database default from role p1_admin");
- verifyOnPath("/user/hive/warehouse", null, "hbase", false);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.READ_EXECUTE, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnPath("/user/hive/warehouse", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", FsAction.READ_EXECUTE, "hbase", true);
 stmt.execute("use db1");
 stmt.execute("grant all on table tbl1 to role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", FsAction.READ_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", FsAction.READ_EXECUTE, "hbase", true);
 // Verify recursive revoke
 stmt.execute("revoke select on database db1 from role p1_admin");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.WRITE_EXECUTE, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl1", FsAction.WRITE_EXECUTE, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/tbl2", null, "hbase", false);
 // Verify cleanup..
 stmt.execute("drop table tbl1");
@@ -353,13 +353,13 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 stmt.execute("alter table ext2 add partition (i=1)");
 stmt.execute("alter table ext2 add partition (i=2)");
 verifyQuery(stmt, "ext2", 10);
- verifyOnAllSubDirs("/tmp/external/tables/ext2_before", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/tmp/external/tables/ext2_before", null, "hbase", false);
 stmt.execute("grant all on table ext2 to role p1_admin");
- verifyOnPath("/tmp/external/tables/ext2_before", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=1", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=2", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=1/stuff.txt", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=2/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=1/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=2/stuff.txt", FsAction.ALL, "hbase", true);
 writeToPath("/tmp/external/tables/ext2_after/i=1", 6, "foo", "bar");
 writeToPath("/tmp/external/tables/ext2_after/i=2", 6, "foo", "bar");
@@ -368,27 +368,27 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 // Even though table location is altered, partition location is still old (still 10 rows)
 verifyQuery(stmt, "ext2", 10);
 // You have to explicitly alter partition location..
- verifyOnPath("/tmp/external/tables/ext2_before", null, "hbase", false);
- verifyOnPath("/tmp/external/tables/ext2_before/i=1", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=2", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=1/stuff.txt", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_before/i=2/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before", null, "hbase", false);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=1/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=2/stuff.txt", FsAction.ALL, "hbase", true);
 stmt.execute("alter table ext2 partition (i=1) set location \'hdfs:///tmp/external/tables/ext2_after/i=1\'");
 stmt.execute("alter table ext2 partition (i=2) set location \'hdfs:///tmp/external/tables/ext2_after/i=2\'");
 // Now that partition location is altered, it picks up new data (12 rows instead of 10)
 verifyQuery(stmt, "ext2", 12);
- verifyOnPath("/tmp/external/tables/ext2_before", null, "hbase", false);
- verifyOnPath("/tmp/external/tables/ext2_before/i=1", null, "hbase", false);
- verifyOnPath("/tmp/external/tables/ext2_before/i=2", null, "hbase", false);
- verifyOnPath("/tmp/external/tables/ext2_before/i=1/stuff.txt", null, "hbase", false);
- verifyOnPath("/tmp/external/tables/ext2_before/i=2/stuff.txt", null, "hbase", false);
- verifyOnPath("/tmp/external/tables/ext2_after", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=2", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=1/stuff.txt", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=2/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before", null, "hbase", false);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=1", null, "hbase", false);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=2", null, "hbase", false);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=1/stuff.txt", null, "hbase", false);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_before/i=2/stuff.txt", null, "hbase", false);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=1/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=2/stuff.txt", FsAction.ALL, "hbase", true);
 // END : Verify external table set location..
 //Create a new table partition on the existing partition
@@ -396,17 +396,17 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 stmt.execute("alter table tmp add partition (i=1)");
 stmt.execute("alter table tmp partition (i=1) set location \'hdfs:///tmp/external/tables/ext2_after/i=1\'");
 stmt.execute("grant all on table tmp to role tab_role");
- verifyOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "flume", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "flume", true);
 //Alter table rename of external table => oldName != newName, oldPath == newPath
 stmt.execute("alter table ext2 rename to ext3");
 //Verify all original paths still have the privileges
- verifyOnPath("/tmp/external/tables/ext2_after", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "flume", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=2", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=1/stuff.txt", FsAction.ALL, "hbase", true);
- verifyOnPath("/tmp/external/tables/ext2_after/i=2/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=1", FsAction.ALL, "flume", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=1/stuff.txt", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnPath("/tmp/external/tables/ext2_after/i=2/stuff.txt", FsAction.ALL, "hbase", true);
 // Restart HDFS to verify if things are fine after re-start..
@@ -418,8 +418,8 @@ public class TestHDFSIntegrationEnd2End extends TestHDFSIntegrationBase {
 // miniDFS.shutdown();
 // miniDFS.restartNameNode(true);
 // miniDFS.waitActive();
- // verifyOnPath("/tmp/external/tables/ext2_after", FsAction.ALL, "hbase", true);
- // verifyOnAllSubDirs("/user/hive/warehouse/p2", FsAction.READ_EXECUTE, "hbase", true);
+ // verifyGroupPermOnPath("/tmp/external/tables/ext2_after", FsAction.ALL, "hbase", true);
+ // verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p2", FsAction.READ_EXECUTE, "hbase", true);
 stmt.close();
 conn.close();
@@ -500,7 +500,7 @@ TODO:SENTRY-819
 Thread.sleep(100);
 //User with privileges on all columns of the data cannot still read the HDFS files
- verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.USERGROUP1, false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.USERGROUP1, false);
 stmt.close();
 conn.close();
@@ -559,17 +559,17 @@ TODO:SENTRY-819
 Thread.sleep(WAIT_BEFORE_TESTVERIFY);//Wait till sentry cache is updated in Namenode
 //User with just column level privileges cannot read HDFS
- verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.USERGROUP1, false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.USERGROUP1, false);
 //User with permissions on table and column can read HDFS file
- verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", FsAction.READ_EXECUTE, StaticUserGroup.USERGROUP2, true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", FsAction.READ_EXECUTE, StaticUserGroup.USERGROUP2, true);
 //User with permissions on db and column can read HDFS file
- verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", FsAction.READ_EXECUTE, StaticUserGroup.USERGROUP3, true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", FsAction.READ_EXECUTE, StaticUserGroup.USERGROUP3, true);
 //User with permissions on server and column cannot read HDFS file
 //TODO:SENTRY-751
- verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.ADMINGROUP, false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.ADMINGROUP, false);
 stmt.close();
 conn.close();
@@ -601,7 +601,7 @@ TODO:SENTRY-819
 stmt = conn.createStatement();
 stmt.execute("create database " + dbName);
 stmt.execute("create external table tab1(a int) location '/tmp/external/tab1_loc'");
- verifyOnAllSubDirs("/tmp/external/tab1_loc", FsAction.ALL, StaticUserGroup.ADMINGROUP, true);
+ verifyGroupPermOnAllSubDirs("/tmp/external/tab1_loc", FsAction.ALL, StaticUserGroup.ADMINGROUP, true);
 stmt.close();
 conn.close();
http://git-wip-us.apache.org/repos/asf/sentry/blob/85cf7f29/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationTogglingConf.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationTogglingConf.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationTogglingConf.java
index 7f1ec7b..e504a8a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationTogglingConf.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationTogglingConf.java
@@ -106,9 +106,9 @@ public class TestHDFSIntegrationTogglingConf extends TestHDFSIntegrationBase {
 stmt.execute("use db1");
 stmt.execute("grant all on table p2 to role tab_role");
 stmt.execute("use default");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db", FsAction.ALL, "hbase", false);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/p2", FsAction.ALL, "flume", false);
- verifyOnPath("/user/hive/warehouse/db1.db", FsAction.ALL, "flume", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db", FsAction.ALL, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/p2", FsAction.ALL, "flume", false);
+ verifyGroupPermOnPath("/user/hive/warehouse/db1.db", FsAction.ALL, "flume", false);
 //Enabling HDFS sync back in sentry server
 enableHdfsSync(0);
@@ -157,18 +157,18 @@ public class TestHDFSIntegrationTogglingConf extends TestHDFSIntegrationBase {
 stmt.execute("grant role p1_admin to group hbase");
 // Verify default db is inaccessible initially
- verifyOnAllSubDirs("/user/hive/warehouse", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse", null, "hbase", false);
- verifyOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/p1", null, "hbase", false);
 stmt.execute("grant all on database db1 to role db_role");
 stmt.execute("use db1");
 stmt.execute("grant all on table p2 to role tab_role");
 stmt.execute("use default");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/p2", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db/p2", FsAction.ALL, "flume", true);
- verifyOnPath("/user/hive/warehouse/db1.db", FsAction.ALL, "flume", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/p2", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db/p2", FsAction.ALL, "flume", true);
+ verifyGroupPermOnPath("/user/hive/warehouse/db1.db", FsAction.ALL, "flume", false);
 loadData(stmt);
@@ -178,14 +178,14 @@ public class TestHDFSIntegrationTogglingConf extends TestHDFSIntegrationBase {
 disableHdfsSync(0);
 stmt.execute("revoke all on database db1 from role db_role");
- verifyOnAllSubDirs("/user/hive/warehouse/db1.db", FsAction.ALL, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db1.db", FsAction.ALL, "hbase", false);
 // create a table and grant all to db_role
 stmt.execute("create database db6");
 stmt.execute("grant all on database db6 to role db_role");
 // verify that db_role does not have required ACL's as HDFS sync is disabled in sentry server.
- verifyOnAllSubDirs("/user/hive/warehouse/db6.db", FsAction.ALL, "hbase", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db6.db", FsAction.ALL, "hbase", false);
 //Create table in db6 and grant all privileges to tab role
 stmt.execute("use db6");
@@ -193,7 +193,7 @@ public class TestHDFSIntegrationTogglingConf extends TestHDFSIntegrationBase {
 stmt.execute("grant all on table db6.p1 to role tab_role");
 // verify that tab_role does not have required permissions
- verifyOnAllSubDirs("/user/hive/warehouse/db6.db/p1", FsAction.ALL, "flume", false);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db6.db/p1", FsAction.ALL, "flume", false);
 //Enabling HDFS sync in sentry server
 enableHdfsSync(0);
@@ -202,8 +202,8 @@ public class TestHDFSIntegrationTogglingConf extends TestHDFSIntegrationBase {
 // db_role and tab_role should have required privileges.
 // Checks below will make sure that sentry/NN have the updates that happened
 // to HMS objects when HDFS was disabled.
- verifyOnAllSubDirs("/user/hive/warehouse/db6.db", FsAction.ALL, "hbase", true);
- verifyOnAllSubDirs("/user/hive/warehouse/db6.db/p1", FsAction.ALL, "flume", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db6.db", FsAction.ALL, "hbase", true);
+ verifyGroupPermOnAllSubDirs("/user/hive/warehouse/db6.db/p1", FsAction.ALL, "flume", true);
 stmt.close();
 conn.close();
