Repository: incubator-sentry Updated Branches: refs/heads/master 644e8be34 -> 90cdbefd5
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index be3d078..f500c2d 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java @@ -23,17 +23,22 @@ import static junit.framework.Assert.fail; import java.io.File; import java.util.Collections; +import java.util.HashSet; import java.util.Set; import org.apache.commons.io.FileUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.provider.db.SentryAlreadyExistsException; +import org.apache.sentry.provider.db.SentryNoSuchObjectException; import org.apache.sentry.provider.db.service.model.MSentryPrivilege; import org.apache.sentry.provider.db.service.model.MSentryRole; import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor; +import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet; import org.apache.sentry.provider.db.service.thrift.TSentryGroup; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.junit.AfterClass; -import org.junit.BeforeClass; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.junit.After; +import org.junit.Before; import org.junit.Test; import com.google.common.collect.Iterables; 
@@ -42,17 +47,20 @@ import com.google.common.io.Files; public class TestSentryStore { - private static File dataDir; - private static SentryStore sentryStore; + private File dataDir; + private SentryStore sentryStore; - @BeforeClass - public static void setup() throws Exception { - dataDir = new File(Files.createTempDir(), SentryStore.DEFAULT_DATA_DIR); - sentryStore = new SentryStore(dataDir.getPath()); + @Before + public void setup() throws Exception { + dataDir = new File(Files.createTempDir(), "sentry_policy_db"); + Configuration conf = new Configuration(false); + conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, + "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true"); + sentryStore = new SentryStore(conf); } - @AfterClass - public static void teardown() { + @After + public void teardown() { if (sentryStore != null) { sentryStore.stop(); } @@ -61,21 +69,13 @@ public class TestSentryStore { } } - private static CommitContext createRole(String r, String g) throws Exception { - TSentryRole role = new TSentryRole(); - role.setGrantorPrincipal(g); - role.setRoleName(r); - return sentryStore.createSentryRole(role); - } - - @Test public void testCreateDuplicateRole() throws Exception { String roleName = "test-dup-role"; String grantor = "g1"; - createRole(roleName, grantor); + sentryStore.createSentryRole(roleName, grantor); try { - createRole(roleName, grantor); + sentryStore.createSentryRole(roleName, grantor); fail("Expected SentryAlreadyExistsException"); } catch(SentryAlreadyExistsException e) { // expected @@ -86,7 +86,7 @@ public class TestSentryStore { public void testCreateDropRole() throws Exception { String roleName = "test-drop-role"; String grantor = "g1"; - long seqId = createRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); assertEquals(seqId + 1, sentryStore.dropSentryRole(roleName).getSequenceId()); } 
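Review bot: `Files.createTempDir()` in the new `setup` places the Derby policy database under `java.io.tmpdir` with the platform's default permissions, so on a shared CI or developer host the store's contents are readable by other local users; if the build targets Java 7 or later, `java.nio.file.Files.createTempDirectory("sentry")` creates the directory owner-only on POSIX and is the preferred replacement. The same construction is added to `SentryServiceIntegrationBase` later in this commit, and the `"sentry_policy_db"` literal plus the `"jdbc:derby:;databaseName=" + … + ";create=true"` URL are duplicated between the two files, where a shared test constant or helper would keep them in step. The `teardown` method continues past the end of this hunk.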
@@ -103,7 +103,7 @@ public class TestSentryStore { public void testAddDeleteGroups() throws Exception { String roleName = "test-groups"; String grantor = "g1"; - long seqId = createRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); Set<TSentryGroup> groups = Sets.newHashSet(); TSentryGroup group = new TSentryGroup(); group.setGroupName("test-groups-g1"); @@ -123,7 +123,7 @@ public class TestSentryStore { public void testGrantRevokePrivilege() throws Exception { String roleName = "test-privilege"; String grantor = "g1"; - long seqId = createRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope("TABLE"); privilege.setServerName("server1"); 
@@ -142,4 +142,110 @@ public class TestSentryStore { assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege.getPrivilegeName()) .getSequenceId()); } + + @Test + public void testListSentryPrivilegesForProvider() throws Exception { + String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2"; + String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2"; + String grantor = "g1"; + long seqId = sentryStore.createSentryRole(roleName1, grantor).getSequenceId(); + assertEquals(seqId + 1, sentryStore.createSentryRole(roleName2, grantor).getSequenceId()); + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("TABLE"); + privilege1.setServerName("server1"); + privilege1.setDbName("db1"); + privilege1.setTableName("tbl1"); + privilege1.setAction("SELECT"); + privilege1.setGrantorPrincipal(grantor); + privilege1.setCreateTime(System.currentTimeMillis()); + privilege1.setPrivilegeName(SentryPolicyStoreProcessor.constructPrivilegeName(privilege1)); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege1) + .getSequenceId()); + assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege1) + .getSequenceId()); + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("SERVER"); + privilege2.setServerName("server1"); + privilege2.setGrantorPrincipal(grantor); + privilege2.setCreateTime(System.currentTimeMillis()); + privilege2.setPrivilegeName(SentryPolicyStoreProcessor.constructPrivilegeName(privilege2)); + assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2) + .getSequenceId()); + Set<TSentryGroup> groups = Sets.newHashSet(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName(groupName1); + groups.add(group); + assertEquals(seqId + 5, sentryStore.alterSentryRoleAddGroups(grantor, + roleName1, groups).getSequenceId()); + groups.clear(); + group = new TSentryGroup(); + 
group.setGroupName(groupName2); + groups.add(group); + // group 2 has both roles 1 and 2 + assertEquals(seqId + 6, sentryStore.alterSentryRoleAddGroups(grantor, + roleName1, groups).getSequenceId()); + assertEquals(seqId + 7, sentryStore.alterSentryRoleAddGroups(grantor, + roleName2, groups).getSequenceId()); + // group1 all roles + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(true, new HashSet<String>())))); + // one active role + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); + // unknown active role + assertEquals(Sets.newHashSet(), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); + // no active roles + assertEquals(Sets.newHashSet(), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(false, new HashSet<String>())))); + + // group2 all roles + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(true, new HashSet<String>())))); + // one active role + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); + assertEquals(Sets.newHashSet("server=server1"), + 
SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); + // unknown active role + assertEquals(Sets.newHashSet(), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); + // no active roles + assertEquals(Sets.newHashSet(), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, new HashSet<String>())))); + + // both groups, all active roles + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(true, new HashSet<String>())))); + // one active role + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); + assertEquals(Sets.newHashSet("server=server1"), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); + // unknown active role + assertEquals(Sets.newHashSet(), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); + // no active roles + assertEquals(Sets.newHashSet(), + SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets. 
+ newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, new HashSet<String>())))); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java new file mode 100644 index 0000000..9c851eb --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java 
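Review bot: `testListSentryPrivilegesForProvider` never checks that an active role the group does not hold yields nothing: `groupName1` is only added to `roleName1`, yet the only negative active-role case for it is the non-existent `"not a role"`. That gap matters because the active-role filter has to be intersected with group membership rather than applied on its own, and a privilege leaking through a role that exists but is not granted to the group would pass every assertion here. Suggested addition after the group1 cases: `assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));`. A `groupName2` case with `roleName1` and `roleName2` both named as active would also pin the union result, which is currently only exercised through `TSentryActiveRoleSet(true, …)`.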
@@ -0,0 +1,86 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import static junit.framework.Assert.assertEquals; + +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.model.MSentryPrivilege; +import org.junit.Test; + +public class TestSentryStoreToAuthorizable { + + private MSentryPrivilege privilege; + + @Test + public void testServer() { + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, null); + assertEquals("server=server1", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, + AccessConstants.ALL); + assertEquals("server=server1->action=*", + SentryStore.toAuthorizable(privilege)); + } + + @Test + public void testTable() { + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null); + assertEquals("server=server1->db=db1->table=tbl1", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, + AccessConstants.INSERT); + assertEquals("server=server1->db=db1->table=tbl1->action=insert", + 
SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, + AccessConstants.SELECT); + assertEquals("server=server1->db=db1->table=tbl1->action=select", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, + AccessConstants.ALL); + assertEquals("server=server1->db=db1->table=tbl1->action=*", + SentryStore.toAuthorizable(privilege)); + } + + @Test + public void testDb() { + privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, null); + assertEquals("server=server1->db=db1", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, + AccessConstants.ALL); + assertEquals("server=server1->db=db1->action=*", + SentryStore.toAuthorizable(privilege)); + } + + @Test + public void testUri() { + privilege = new MSentryPrivilege(null, null, "server1", null, null, "file:///", null); + assertEquals("server=server1->uri=file:///", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", null, null, "file:///", + AccessConstants.SELECT); + assertEquals("server=server1->uri=file:///->action=select", + SentryStore.toAuthorizable(privilege)); + privilege = new MSentryPrivilege(null, null, "server1", null, null, "file:///", + AccessConstants.ALL); + assertEquals("server=server1->uri=file:///->action=*", + SentryStore.toAuthorizable(privilege)); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- 
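Review bot: `privilege` is an instance field that every test method reassigns, but nothing shares it, so it should be a local in each method (`MSentryPrivilege privilege = new MSentryPrivilege(...)`), which also removes state that depends on test-method order. The seven positional arguments with interleaved nulls make it hard to see which authorizable each case sets; a small factory such as `priv(String server, String db, String table, String uri, String action)` wrapping the constructor would keep each case readable. The expected strings assume `AccessConstants.SELECT`/`INSERT`/`ALL` map to lower-case `select`/`insert`/`*`, which cannot be confirmed from this diff, so a comment noting that `toAuthorizable` is expected to normalise case would help the next reader.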
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index d073d8b..aa1e860 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java 
@@ -17,154 +17,83 @@ */ package org.apache.sentry.provider.db.service.thrift; +import static junit.framework.Assert.assertEquals; + import java.util.HashSet; import java.util.Set; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.provider.common.ProviderBackendContext; +import org.apache.sentry.provider.db.SimpleDBProviderBackend; import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; -import org.apache.sentry.service.thrift.Status; import org.junit.Test; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import com.google.common.base.Preconditions; +import com.google.common.collect.Sets; + public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { - private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceIntegration.class); @Test public void testCreateRole() throws Exception { - Set<String> groupSet = new HashSet<String>(); - TDropSentryRoleRequest dropReq = new TDropSentryRoleRequest(); - dropReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - dropReq.setRoleName("admin_r"); - dropReq.setRequestorUserName("user_1"); - groupSet.add("admin"); - dropReq.setRequestorGroupName(groupSet); - TDropSentryRoleResponse dropResp = client.dropRole(dropReq); - assertStatus(Status.NO_SUCH_OBJECT, dropResp.getStatus()); - LOGGER.info("Successfully dropped role: admin_r"); - groupSet.clear(); - - TCreateSentryRoleRequest createReq = new TCreateSentryRoleRequest(); - createReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - createReq.setRequestorUserName("user_1"); - groupSet.add("admin"); - createReq.setRequestorGroupName(groupSet); - TSentryRole role = new TSentryRole(); - role.setRoleName("admin_r"); - role.setCreateTime(System.currentTimeMillis()); - role.setGrantorPrincipal("test"); - role.setPrivileges(new HashSet<TSentryPrivilege>()); - 
createReq.setRole(role); - TCreateSentryRoleResponse createResp = client.createRole(createReq); - assertOK(createResp.getStatus()); - LOGGER.info("Successfully create role: admin_r"); - groupSet.clear(); + String requestorUserName = "user_1"; + Set<String> requestorUserGroupNames = new HashSet<String>(); + String roleName = "admin_r"; + + client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName); + + client.createRole(requestorUserName, requestorUserGroupNames, roleName); TListSentryRolesRequest listReq = new TListSentryRolesRequest(); listReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - listReq.setRoleName("admin_r"); - listReq.setRequestorUserName("user_1"); - groupSet.add("admin"); - listReq.setRequestorGroupName(groupSet); + listReq.setRoleName(roleName); + listReq.setRequestorUserName(requestorUserName); TListSentryRolesResponse listResp = client.listRoleByName(listReq); Set<TSentryRole> roles = listResp.getRoles(); - Preconditions.checkArgument(roles.size() == 1, "Incorrect number of roles"); - groupSet.clear(); - - dropReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - dropReq.setRoleName("admin_r"); - dropReq.setRequestorUserName("user_1"); - groupSet.add("admin"); - dropReq.setRequestorGroupName(groupSet); - dropResp = client.dropRole(dropReq); - assertOK(dropResp.getStatus()); - LOGGER.info("Successfully dropped role: admin_r"); - groupSet.clear(); + assertEquals("Incorrect number of roles:" + roles, 1, roles.size()); + + client.dropRole(requestorUserName, requestorUserGroupNames, roleName); } @Test public void testGrantRevokePrivilege() throws Exception { - Set<String> groupSet = new HashSet<String>(); - TDropSentryRoleRequest dropReq = new TDropSentryRoleRequest(); - dropReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - dropReq.setRoleName("admin_testdb"); - dropReq.setRequestorUserName("server_admin"); - groupSet.add("admin"); - 
dropReq.setRequestorGroupName(groupSet); - TDropSentryRoleResponse dropResp = client.dropRole(dropReq); - assertStatus(Status.NO_SUCH_OBJECT, dropResp.getStatus()); - LOGGER.info("Successfully dropped role: admin_testdb"); - groupSet.clear(); - - TCreateSentryRoleRequest createReq = new TCreateSentryRoleRequest(); - createReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - createReq.setRequestorUserName("server_admin"); - groupSet.add("admin"); - createReq.setRequestorGroupName(groupSet); - TSentryRole role = new TSentryRole(); - role.setRoleName("admin_testdb"); - role.setCreateTime(System.currentTimeMillis()); - role.setGrantorPrincipal("server_admin"); - role.setPrivileges(new HashSet<TSentryPrivilege>()); - createReq.setRole(role); - TCreateSentryRoleResponse createResp = client.createRole(createReq); - assertOK(createResp.getStatus()); - LOGGER.info("Successfully create role: admin_testdb"); - groupSet.clear(); + String server = "server1"; + String requestorUserName = "server_admin"; + Set<String> requestorUserGroupNames = new HashSet<String>(); + String roleName = "admin_testdb"; + String db = "testDB"; + String group = "group1"; + + client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName); + client.createRole(requestorUserName, requestorUserGroupNames, roleName); TListSentryRolesRequest listReq = new TListSentryRolesRequest(); listReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); listReq.setRoleName("admin_testdb"); - listReq.setRequestorUserName("server_admin"); - groupSet.add("admin"); - listReq.setRequestorGroupName(groupSet); + listReq.setRequestorUserName(requestorUserName); TListSentryRolesResponse listResp = client.listRoleByName(listReq); Set<TSentryRole> roles = listResp.getRoles(); - Preconditions.checkArgument(roles.size() == 1, "Incorrect number of roles"); - groupSet.clear(); - - TAlterSentryRoleGrantPrivilegeRequest grantReq = new TAlterSentryRoleGrantPrivilegeRequest(); - 
grantReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - grantReq.setRoleName("admin_testdb"); - grantReq.setRequestorUserName("server_admin"); - groupSet.add("admin"); - grantReq.setRequestorGroupName(groupSet); - TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope("DB"); - privilege.setServerName("server1"); - privilege.setDbName("testDB"); - privilege.setAction("ALL"); - privilege.setGrantorPrincipal("server_admin"); - privilege.setCreateTime(System.currentTimeMillis()); - grantReq.setPrivilege(privilege); - TAlterSentryRoleGrantPrivilegeResponse grantResp = client.grantPrivilege(grantReq); - assertOK(grantResp.getStatus()); - LOGGER.info("Successfully granted privilege: " + privilege.toString()); - groupSet.clear(); - - TAlterSentryRoleRevokePrivilegeRequest revokeReq = new TAlterSentryRoleRevokePrivilegeRequest(); - revokeReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - revokeReq.setRoleName("admin_testdb"); - revokeReq.setRequestorUserName("server_admin"); - groupSet.add("admin"); - revokeReq.setRequestorGroupName(groupSet); - revokeReq.setPrivilege(privilege); - TAlterSentryRoleRevokePrivilegeResponse revokeResp = client.revokePrivilege(revokeReq); - assertOK(revokeResp.getStatus()); - LOGGER.info("Successfully revoked privilege: " + privilege.toString()); - groupSet.clear(); - - dropReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - dropReq.setRoleName("admin_testdb"); - dropReq.setRequestorUserName("server_admin"); - groupSet.add("admin"); - dropReq.setRequestorGroupName(groupSet); - dropResp = client.dropRole(dropReq); - assertOK(dropResp.getStatus()); - LOGGER.info("Successfully dropped role: admin_testdb"); - groupSet.clear(); + assertEquals("Incorrect number of roles:" + roles, 1, roles.size()); + + client.grantDatabasePrivilege(requestorUserName, requestorUserGroupNames, roleName, server, db); + + // verify we can get the privileges from the 
backend + SimpleDBProviderBackend dbBackend = new SimpleDBProviderBackend(client); + dbBackend.initialize(new ProviderBackendContext()); + assertEquals(Sets.newHashSet(), dbBackend.getPrivileges(Sets.newHashSet(group), + new ActiveRoleSet(true))); + client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, group, roleName); + assertEquals(Sets.newHashSet(), dbBackend.getPrivileges(Sets.newHashSet(group), + new ActiveRoleSet(new HashSet<String>()))); + assertEquals(Sets.newHashSet("server="+ server + "->db=" + db + "->action=*"), + dbBackend.getPrivileges(Sets.newHashSet("group1"), + new ActiveRoleSet(true))); + assertEquals(Sets.newHashSet("server="+ server + "->db=" + db + "->action=*"), + dbBackend.getPrivileges(Sets.newHashSet(group), + new ActiveRoleSet(Sets.newHashSet(roleName)))); + + client.revokeDatabasePrivilege(requestorUserName, requestorUserGroupNames, roleName, server, db); + client.dropRole(requestorUserName, requestorUserGroupNames, roleName); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index db76aa8..ee5ca69 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java 
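Review bot: Both rewritten tests now send an empty `requestorUserGroupNames` set while creating and dropping roles, granting and revoking a database privilege, and assigning a role to a group, where the old requests carried the `"admin"` group; if the service is meant to restrict these operations to an admin group, the new tests only pass because that check is absent or not exercised here, and there is no negative case asserting that a non-admin requestor is rejected. Either assert the intended failure for an empty group set, or add a comment in the test stating why an empty set is accepted. Two literals also drifted from their variables: `listReq.setRoleName("admin_testdb")` should be `listReq.setRoleName(roleName)` and `dbBackend.getPrivileges(Sets.newHashSet("group1"), …)` should use `group`.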
@@ -26,6 +26,7 @@ import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.LoginContext; +import org.apache.commons.io.FileUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.minikdc.KerberosSecurityTestcase; import org.apache.hadoop.minikdc.MiniKdc; @@ -40,6 +41,7 @@ import org.slf4j.LoggerFactory; import com.google.common.base.Strings; import com.google.common.collect.Sets; +import com.google.common.io.Files; public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestcase { private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class); @@ -61,6 +63,7 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc protected SentryPolicyServiceClient client; protected MiniKdc kdc; protected File kdcWorkDir; + protected File dbDir; protected File serverKeytab; protected File clientKeytab; protected Subject clientSubject; @@ -100,6 +103,9 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST); conf.set(ServerConfig.RPC_PORT, String.valueOf(0)); conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME); + dbDir = new File(Files.createTempDir(), "sentry_policy_db"); + conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, + "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true"); server = new SentryServiceFactory().create(conf); conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostString()); conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); 
@@ -139,6 +145,9 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc if(server != null) { server.stop(); } + if (dbDir != null) { + FileUtils.deleteQuietly(dbDir); + } afterTeardown(); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java deleted file mode 100644 index f2bb39c..0000000 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java +++ /dev/null 
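Review bot: `FileUtils.deleteQuietly(dbDir)` removes only the `sentry_policy_db` child, not the directory that `Files.createTempDir()` created as its parent in the setup hunk, so every run of the test class leaves an empty temp directory behind; delete the parent instead, `FileUtils.deleteQuietly(dbDir.getParentFile());`. `TestSentryStore` in this commit builds `dataDir` the same way, so its `teardown` (not fully visible here) is worth checking for the same pattern. The enclosing tear-down method starts before this hunk.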
@@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.file; - -import java.io.IOException; -import java.util.Collections; -import java.util.HashSet; -import java.util.Set; - -import org.apache.hadoop.security.Groups; -import org.apache.sentry.provider.common.GroupMappingService; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -public class HadoopGroupMappingService implements GroupMappingService { - - private static final Logger LOGGER = LoggerFactory - .getLogger(HadoopGroupMappingService.class); - private final Groups groups; - - public HadoopGroupMappingService(Groups groups) { - this.groups = groups; - } - - @Override - public Set<String> getGroups(String user) { - try { - return new HashSet<String>(groups.getGroups(user)); - } catch (IOException e) { - LOGGER.warn("Unable to obtain groups for " + user, e); - } - return Collections.emptySet(); - } -} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java deleted file mode 100644 index b2e4196..0000000 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.file; - -import java.io.IOException; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.security.Groups; -import org.apache.sentry.policy.common.PolicyEngine; -import org.apache.sentry.provider.common.GroupMappingService; - -import com.google.common.annotations.VisibleForTesting; - -public class HadoopGroupResourceAuthorizationProvider extends - ResourceAuthorizationProvider { - - // resource parameter present so that other AuthorizationProviders (e.g. - // LocalGroupResourceAuthorizationProvider) has the same constructor params. 
- public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException { - this(policy, new HadoopGroupMappingService( - Groups.getUserToGroupsMappingService(new Configuration()))); - } - - @VisibleForTesting - public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy, - GroupMappingService groupService) { - super(policy, groupService); - } - -} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java index e8293f6..e66361b 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java @@ -21,6 +21,7 @@ import java.io.IOException; import org.apache.hadoop.fs.Path; import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.provider.common.ResourceAuthorizationProvider; public class LocalGroupResourceAuthorizationProvider extends http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFileConstants.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFileConstants.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFileConstants.java index d28cde2..b2bc531 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFileConstants.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFileConstants.java 
@@ -16,28 +16,13 @@ */
 package org.apache.sentry.provider.file;
-import com.google.common.base.Joiner;
-import com.google.common.base.Splitter;
+import org.apache.sentry.provider.common.ProviderConstants;
-public class PolicyFileConstants {
+public class PolicyFileConstants extends ProviderConstants {
 public static final String DATABASES = "databases";
 public static final String GROUPS = "groups";
 public static final String ROLES = "roles";
 public static final String USERS = "users";
- public static final String ROLE_SEPARATOR = ",";
- public static final String AUTHORIZABLE_SEPARATOR = "->";
- public static final String KV_SEPARATOR = "=";
-
- public static final Splitter ROLE_SPLITTER = Splitter.on(ROLE_SEPARATOR);
- public static final Splitter AUTHORIZABLE_SPLITTER = Splitter.on(AUTHORIZABLE_SEPARATOR);
- public static final Splitter KV_SPLITTER = Splitter.on(KV_SEPARATOR);
- public static final Joiner ROLE_JOINER = Joiner.on(ROLE_SEPARATOR);
- public static final Joiner AUTHORIZABLE_JOINER = Joiner.on(AUTHORIZABLE_SEPARATOR);
- public static final Joiner KV_JOINER = Joiner.on(KV_SEPARATOR);
-
- // TODO change to privilege
- public static final String PRIVILEGE_NAME = "action";
- public static final String PRIVILEGE_PREFIX = (PRIVILEGE_NAME + KV_SEPARATOR).toLowerCase();
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
deleted file mode 100644
index 448d7c1..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ /dev/null
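Review bot: `public class PolicyFileConstants extends ProviderConstants` uses inheritance only so that the separator, splitter, joiner and privilege names moved out of this file keep resolving unqualified, which is the constants-inheritance anti-pattern: the four file-format names are now exposed as members of a subtype of ProviderConstants, and the holder stays instantiable because no private constructor is declared. Prefer keeping the class standalone and final with a private constructor, `public final class PolicyFileConstants {` plus `private PolicyFileConstants() {}`, and have the remaining users of the removed names import them statically from ProviderConstants. Whether ProviderConstants is designed for extension, and whether it carries every name removed here (for example `PRIVILEGE_PREFIX`), is not visible in this diff.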
@@ -1,179 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_NAME;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.common.GroupMappingService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Function;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Iterables;
-import 
com.google.common.collect.Sets;
-
-public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
- private static final Logger LOGGER = LoggerFactory
- .getLogger(ResourceAuthorizationProvider.class);
- private final GroupMappingService groupService;
- private final PolicyEngine policy;
- private final PrivilegeFactory privilegeFactory;
- private final ThreadLocal<List<String>> lastFailedPrivileges;
-
- public ResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
- this.policy = policy;
- this.groupService = groupService;
- this.privilegeFactory = policy.getPrivilegeFactory();
- this.lastFailedPrivileges = new ThreadLocal<List<String>>() {
- @Override
- protected List<String> initialValue() {
- return new ArrayList<String>();
- }
- };
- }
-
- /***
- * @param subject: UserID to validate privileges
- * @param authorizableHierarchy : List of object according to namespace hierarchy.
- * eg. Server->Db->Table or Server->Function
- * The privileges will be validated from the higher to lower scope
- * @param actions : Privileges to validate
- * @return
- * True if the subject is authorized to perform requested action on the given object
- */
- @Override
- public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
- Set<? 
extends Action> actions, ActiveRoleSet roleSet) {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Authorization Request for " + subject + " " +
- authorizableHierarchy + " and " + actions);
- }
- Preconditions.checkNotNull(subject, "Subject cannot be null");
- Preconditions.checkNotNull(authorizableHierarchy, "Authorizable cannot be null");
- Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
- Preconditions.checkNotNull(actions, "Actions cannot be null");
- Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
- Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
- return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
- }
-
- private boolean doHasAccess(Subject subject,
- List<? extends Authorizable> authorizables, Set<? extends Action> actions,
- ActiveRoleSet roleSet) {
- Set<String> groups = getGroups(subject);
- Set<String> hierarchy = new HashSet<String>();
- for (Authorizable authorizable : authorizables) {
- hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
- }
- Iterable<Privilege> privileges = getPrivileges(groups, roleSet);
- List<String> requestPrivileges = buildPermissions(authorizables, actions);
- lastFailedPrivileges.get().clear();
-
- for (String requestPrivilege : requestPrivileges) {
- for (Privilege permission : privileges) {
- /*
- * Does the permission granted in the policy file imply the requested action? 
- */
- boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege));
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
- new Object[]{ permission, requestPrivilege, roleSet, result});
- }
- if (result) {
- return true;
- }
- }
- }
- lastFailedPrivileges.get().addAll(requestPrivileges);
- return false;
- }
-
- private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
- return Iterables.transform(policy.getPrivileges(groups, roleSet),
- new Function<String, Privilege>() {
- @Override
- public Privilege apply(String privilege) {
- return privilegeFactory.createPrivilege(privilege);
- }
- });
- }
-
- @Override
- public GroupMappingService getGroupMapping() {
- return groupService;
- }
-
- private Set<String> getGroups(Subject subject) {
- return groupService.getGroups(subject.getName());
- }
-
- @Override
- public void validateResource(boolean strictValidation) throws SentryConfigurationException {
- policy.validatePolicy(strictValidation);
- }
-
- @Override
- public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
- return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL);
- }
-
- @Override
- public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
- return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
- }
-
- @Override
- public List<String> getLastFailedPrivileges() {
- return lastFailedPrivileges.get();
- }
-
- private List<String> buildPermissions(List<? extends Authorizable> authorizables,
- Set<? 
extends Action> actions) {
- List<String> hierarchy = new ArrayList<String>();
- List<String> requestedPermissions = new ArrayList<String>();
-
- for (Authorizable authorizable : authorizables) {
- hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
- }
-
- for (Action action : actions) {
- String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
- requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
- KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
- requestedPermissions.add(requestPermission);
- }
- return requestedPermissions;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index 89a2d31..9fcebbb 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -163,6 +163,11 @@ public class SimpleFileProviderBackend implements ProviderBackend {
 }
 @Override
+ public void close() {
+ groupRolePrivilegeTable.clear();
+ }
+
+ @Override
 public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
 if (!initialized) {
 throw new IllegalStateException("Backend has not been properly initialized");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
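Review bot: `close()` empties `groupRolePrivilegeTable` but leaves `initialized` as it was, so a later `validatePolicy` call (and presumably the other methods guarded the same way) passes the `if (!initialized)` check and operates on an empty table instead of hitting the existing `IllegalStateException`; for an authorization backend that is fail-closed, but the failure is invisible to the caller. If `initialized` is assignable, resetting it makes use-after-close explicit: `initialized = false;` after the `clear()`. The new method also lacks Javadoc; a line such as `/** Discards the cached group/role/privilege table; the backend must be re-initialized before further use. */` would state the contract. Whether clearing the table is safe while other threads are still consulting it depends on its type, which is not shown, and the enclosing class begins outside the hunk.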
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
deleted file mode 100644
index d3127d7..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import static org.junit.Assert.assertSame;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.GroupMappingService;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-
-public class TestGetGroupMapping {
-
- private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
- public TestResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
- super(policy, groupService);
- }
- };
-
- @Test
- public void testResourceAuthorizationProvider() {
- final Set<String> set = Sets.newHashSet("a", "b", "c");
- GroupMappingService mappingService = new GroupMappingService() {
- public Set<String> getGroups(String user) { return set; }
- };
- PolicyEngine policyEngine = new PolicyEngine() {
- public PrivilegeFactory getPrivilegeFactory() { return null; 
}
-
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
- return ImmutableSet.of();
- }
-
- public void validatePolicy(boolean strictValidation)
- throws SentryConfigurationException {
- return;
- }
- };
-
- TestResourceAuthorizationProvider authProvider =
- new TestResourceAuthorizationProvider(policyEngine, mappingService);
- assertSame(authProvider.getGroupMapping(), mappingService);
- }
-}