http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java index 5da8591..0a2b0b2 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java @@ -34,6 +34,8 @@ import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; import org.junit.Test; +import com.google.common.collect.Sets; + public class TestCommandUtil extends TestCase { @Test @@ -103,8 +105,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -126,8 +130,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.INSERT, PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -149,8 +155,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -172,8 +180,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(null, PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -195,8 +205,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.TABLE.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -218,8 +230,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -241,8 +255,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.URI.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil .createCmdForGrantPrivilege(grantRequest); @@ -264,8 +280,10 @@ public class TestCommandUtil extends TestCase { TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir"); privilege.setGrantOption(TSentryGrantOption.TRUE); - grantRequest.setPrivilege(privilege); - revokeRequest.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + grantRequest.setPrivileges(privileges); + revokeRequest.setPrivileges(privileges); String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantPrivilege(grantRequest); String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole WITH GRANT OPTION";
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java index 47caf07..fc62fab 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java @@ -182,4 +182,51 @@ public class TestSentryPrivilege { your.setURI("hdfs://namenode:9000/path1"); assertFalse(my.implies(your)); } + + @Test + public void testImpliesPrivilegePositiveWithColumn() throws Exception { + // 1.test server+database+table+column+action + MSentryPrivilege my = new MSentryPrivilege(); + MSentryPrivilege your = new MSentryPrivilege(); + my.setServerName("server1"); + my.setAction(AccessConstants.SELECT); + your.setServerName("server1"); + your.setDbName("db1"); + your.setTableName("tb1"); + your.setColumnName("c1"); + your.setAction(AccessConstants.SELECT); + assertTrue(my.implies(your)); + + my.setDbName("db1"); + assertTrue(my.implies(your)); + + my.setTableName("tb1"); + assertTrue(my.implies(your)); + + my.setColumnName("c1"); + assertTrue(my.implies(your)); + } + + @Test + public void testImpliesPrivilegeNegativeWithColumn() throws Exception { + // 1.test server+database+table+column+action + MSentryPrivilege my = new MSentryPrivilege(); + MSentryPrivilege your = new MSentryPrivilege(); + // bad column + my.setServerName("server1"); + my.setDbName("db1"); + my.setTableName("tb1"); + my.setColumnName("c1"); + my.setAction(AccessConstants.SELECT); + your.setServerName("server1"); + your.setDbName("db1"); + your.setTableName("tb1"); + your.setColumnName("c2"); + your.setAction(AccessConstants.SELECT); + assertFalse(my.implies(your)); + + // bad scope + your.setColumnName(""); + assertFalse(my.implies(your)); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index 2e829d6..60cec1f 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java @@ -240,6 +240,122 @@ public class TestSentryStore { } @Test + public void testGrantRevokeMultiPrivileges() throws Exception { + String roleName = "test-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String[] columns = {"c1","c2","c3","c4"}; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + Set<TSentryPrivilege> tPrivileges = Sets.newHashSet(); + for (String column : columns) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("Column"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(column); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + tPrivileges.add(privilege); + } + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivileges(grantor, roleName, tPrivileges) + .getSequenceId()); + MSentryRole role = sentryStore.getMSentryRoleByName(roleName); + Set<MSentryPrivilege> privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 4, privileges.size()); + + tPrivileges = Sets.newHashSet(); + for (int i = 0; i < 2; i++) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("Column"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(columns[i]); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + tPrivileges.add(privilege); + } + assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivileges(grantor, roleName, tPrivileges) + .getSequenceId()); + role = sentryStore.getMSentryRoleByName(roleName); + privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 2, privileges.size()); + + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("Table"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + // After revoking table scope, we will have 0 privileges + role = sentryStore.getMSentryRoleByName(roleName); + privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 0, privileges.size()); + } + + @Test + public void testGrantRevokePrivilegeWithColumn() throws Exception { + String roleName = "test-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String column1 = "c1"; + String column2 = "c2"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("COLUMN"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(column1); + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + privilege.setColumnName(column2); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + MSentryRole role = sentryStore.getMSentryRoleByName(roleName); + Set<MSentryPrivilege> privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 2, privileges.size()); + privilege.setAction(AccessConstants.SELECT); + assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + + // after having ALL and revoking SELECT, we should have INSERT + role = sentryStore.getMSentryRoleByName(roleName); + privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 2, privileges.size()); + MSentryPrivilege mPrivilege = Iterables.get(privileges, 0); + assertEquals(server, mPrivilege.getServerName()); + assertEquals(db, mPrivilege.getDbName()); + assertEquals(table, mPrivilege.getTableName()); + assertEquals(AccessConstants.INSERT, mPrivilege.getAction()); + assertFalse(mPrivilege.getGrantOption()); + + // after revoking table level privilege, we will remove the two column level items + privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.INSERT); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + role = sentryStore.getMSentryRoleByName(roleName); + privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 0, privileges.size()); + } + + @Test public void testGrantRevokePrivilegeWithGrantOption() throws Exception { String roleName = "test-grantOption-table"; String grantor = "g1"; @@ -553,6 +669,80 @@ public class TestSentryStore { } @Test + public void testGrantCheckWithColumn() throws Exception { + // 1. set local group mapping + // user0->group0->role0 + // user1->group1->role1 + String grantor = "g1"; + String[] users = {"user0","user1"}; + String[] roles = {"role0","role1"}; + String[] groups = {"group0","group1"}; + for (int i = 0; i < users.length; i++) { + addGroupsToUser(users[i], groups[i]); + sentryStore.createSentryRole(roles[i]); + Set<TSentryGroup> tGroups = Sets.newHashSet(); + TSentryGroup tGroup = new TSentryGroup(groups[i]); + tGroups.add(tGroup); + sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups); + } + writePolicyFile(); + + // 2. g1 grant select on table tb1 to role0, with grant option + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String roleName = roles[0]; + grantor = "g1"; + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("TABLE"); + privilege1.setServerName(server); + privilege1.setDbName(db); + privilege1.setTableName(table); + privilege1.setAction(AccessConstants.SELECT); + privilege1.setCreateTime(System.currentTimeMillis()); + privilege1.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1); + MSentryRole role = sentryStore.getMSentryRoleByName(roleName); + Set<MSentryPrivilege> privileges = role.getPrivileges(); + assertEquals(privileges.toString(), 1, privileges.size()); + + // 3. user0 grant select on column tb1.c1 to role1, with grant option + roleName = roles[1]; + grantor = users[0]; + String column = "c1"; + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("COLUMN"); + privilege2.setServerName(server); + privilege2.setDbName(db); + privilege2.setTableName(table); + privilege2.setColumnName(column); + privilege2.setAction(AccessConstants.SELECT); + privilege2.setCreateTime(System.currentTimeMillis()); + privilege2.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2); + + // 4. user1 revoke table level privilege from user0, will throw grant denied exception + roleName = roles[0]; + grantor = users[1]; + boolean isGrantOptionException = false; + try { + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege1); + } catch (SentryGrantDeniedException e) { + isGrantOptionException = true; + System.err.println(e.getMessage()); + } + assertTrue(isGrantOptionException); + + // 5. user0 revoke column level privilege from user1 + roleName = roles[1]; + grantor = users[0]; + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2); + role = sentryStore.getMSentryRoleByName(roleName); + privileges = role.getPrivileges(); + assertEquals(0, privileges.size()); + } + + @Test public void testListSentryPrivilegesForProvider() throws Exception { String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2"; String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2"; @@ -752,6 +942,56 @@ public class TestSentryStore { } @Test + public void testDropTableWithColumn() throws Exception { + String roleName1 = "role1", roleName2 = "role2"; + String grantor = "g1"; + String table1 = "tbl1"; + + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName(table1); + privilege_tbl1.setAction(AccessConstants.SELECT); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c1.setPrivilegeScope("COLUMN"); + privilege_tbl1_c1.setColumnName("c1"); + privilege_tbl1_c1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c2.setPrivilegeScope("COLUMN"); + privilege_tbl1_c2.setColumnName("c2"); + privilege_tbl1_c2.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c3.setPrivilegeScope("COLUMN"); + privilege_tbl1_c3.setColumnName("c3"); + privilege_tbl1_c3.setCreateTime(System.currentTimeMillis()); + + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3); + + Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1); + assertEquals(2, privilegeSet.size()); + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2); + assertEquals(1, privilegeSet.size()); + + TSentryAuthorizable tableAuthorizable = toTSentryAuthorizable(privilege_tbl1); + sentryStore.dropPrivilege(tableAuthorizable); + + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1); + assertEquals(0, privilegeSet.size()); + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2); + assertEquals(0, privilegeSet.size()); + } + + @Test public void testDropOverlappedPrivileges() throws Exception { String roleName1 = "list-privs-r1"; String grantor = "g1"; @@ -904,6 +1144,62 @@ public class TestSentryStore { assertEquals(new Long(2), sentryStore.getGroupCountGauge().getValue()); } + + @Test + public void testRenameTableWithColumn() throws Exception { + String roleName1 = "role1", roleName2 = "role2"; + String grantor = "g1"; + String table1 = "tbl1", table2 = "tbl2"; + + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName(table1); + privilege_tbl1.setAction(AccessConstants.SELECT); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c1.setPrivilegeScope("COLUMN"); + privilege_tbl1_c1.setColumnName("c1"); + privilege_tbl1_c1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c2.setPrivilegeScope("COLUMN"); + privilege_tbl1_c2.setColumnName("c2"); + privilege_tbl1_c2.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c3.setPrivilegeScope("COLUMN"); + privilege_tbl1_c3.setColumnName("c3"); + privilege_tbl1_c3.setCreateTime(System.currentTimeMillis()); + + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3); + + Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1); + assertEquals(2, privilegeSet.size()); + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2); + assertEquals(1, privilegeSet.size()); + + TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1); + TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1); + newTable.setTable(table2); + sentryStore.renamePrivilege(oldTable, newTable); + + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1); + assertEquals(2, privilegeSet.size()); + for (TSentryPrivilege privilege : privilegeSet) { + assertTrue(table2.equalsIgnoreCase(privilege.getTableName())); + } + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2); + assertEquals(1, privilegeSet.size()); + } + protected void addGroupsToUser(String user, String... groupNames) { policyFile.addGroupsToUser(user, groupNames); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java index d77786a..922cbc2 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java @@ -30,10 +30,10 @@ public class TestSentryStoreToAuthorizable { @Test public void testServer() { - privilege = new MSentryPrivilege(null, null, "server1", null, null, null, null); + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, null, null); assertEquals("server=server1", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", null, null, null, + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, null, AccessConstants.ALL); assertEquals("server=server1", SentryStore.toAuthorizable(privilege)); @@ -41,18 +41,18 @@ public class TestSentryStoreToAuthorizable { @Test public void testTable() { - privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null); + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, null); assertEquals("server=server1->db=db1->table=tbl1", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, AccessConstants.INSERT); assertEquals("server=server1->db=db1->table=tbl1->action=insert", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, AccessConstants.SELECT); assertEquals("server=server1->db=db1->table=tbl1->action=select", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, + privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, AccessConstants.ALL); assertEquals("server=server1->db=db1->table=tbl1", SentryStore.toAuthorizable(privilege)); @@ -60,10 +60,10 @@ public class TestSentryStoreToAuthorizable { @Test public void testDb() { - privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, null); + privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, null, null); assertEquals("server=server1->db=db1", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, + privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, null, AccessConstants.ALL); assertEquals("server=server1->db=db1", SentryStore.toAuthorizable(privilege)); @@ -71,14 +71,14 @@ public class TestSentryStoreToAuthorizable { @Test public void testUri() { - privilege = new MSentryPrivilege(null, null, "server1", null, null, "file:///", null); + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, "file:///", null); assertEquals("server=server1->uri=file:///", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", null, null, "file:///", + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, "file:///", AccessConstants.SELECT); assertEquals("server=server1->uri=file:///->action=select", SentryStore.toAuthorizable(privilege)); - privilege = new MSentryPrivilege(null, null, "server1", null, null, "file:///", + privilege = new MSentryPrivilege(null, null, "server1", null, null, null, "file:///", AccessConstants.ALL); assertEquals("server=server1->uri=file:///", SentryStore.toAuthorizable(privilege)); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index 50ee559..5c2934a 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java @@ -305,6 +305,70 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { } @Test + public void testGranRevokePrivilegeOnColumnForRole() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); + + + client.dropRoleIfExists(requestorUserName, roleName2); + client.createRole(requestorUserName, roleName2); + + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); + client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); + + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size()); + + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size()); + + + client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6); + + client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5); + + client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2); + client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); + client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); + listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); + assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); + } + public void testListByAuthDB() throws Exception { String requestorUserName = ADMIN_USER; Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestColumnEndToEnd.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestColumnEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestColumnEndToEnd.java new file mode 100644 index 0000000..742c74f --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestColumnEndToEnd.java @@ -0,0 +1,247 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.tests.e2e.dbprovider; + +import static org.junit.Assert.assertTrue; + +import java.io.File; +import java.io.FileOutputStream; +import java.sql.Connection; +import java.sql.Statement; + +import org.apache.sentry.provider.db.SentryAccessDeniedException; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.io.Resources; + +public class TestColumnEndToEnd extends AbstractTestWithStaticConfiguration { + private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat"; + private File dataFile; + private PolicyFile policyFile; + + @BeforeClass + public static void setupTestStaticConfiguration() throws Exception{ + useSentryService = true; + AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); + } + + @Override + @Before + public void setup() throws Exception { + super.setupAdmin(); + super.setup(); + dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME); + FileOutputStream to = new FileOutputStream(dataFile); + Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to); + to.close(); + policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP); + } + + @Test + public void testBasic() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("CREATE database " + DB1); + statement.execute("USE " + DB1); + statement.execute("CREATE TABLE t1 (c1 string)"); + statement.execute("CREATE ROLE user_role"); + statement.execute("GRANT SELECT ON TABLE t1 TO ROLE user_role"); + statement.execute("GRANT ROLE user_role TO GROUP " + USERGROUP1); + statement.close(); + connection.close(); + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + context.assertSentryException(statement, "CREATE ROLE r2", + SentryAccessDeniedException.class.getSimpleName()); + + statement.execute("SELECT * FROM " + DB1 + ".t1"); + statement.close(); + connection.close(); + } + + @Test + public void testNegative() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("CREATE TABLE t1 (c1 string, c2 string, c3 string)"); + statement.execute("CREATE ROLE user_role1"); + statement.execute("CREATE ROLE user_role2"); + statement.execute("GRANT SELECT (c1) ON TABLE t1 TO ROLE user_role1"); + statement.execute("GRANT SELECT (c1,c2) ON TABLE t1 TO ROLE user_role2"); + try { + statement.execute("GRANT INSERT (c2) ON TABLE t1 TO ROLE user_role2"); + assertTrue("Sentry should not support privilege: Insert on Column", false); + } catch (Exception e) { + assertTrue("The error should be 'Sentry does not support privilege: Insert on Column'", + e.getMessage().contains("Sentry does not support privilege: Insert on Column")); + } + try { + statement.execute("GRANT ALL (c2) ON TABLE t1 TO ROLE user_role2"); + assertTrue("Sentry should not support privilege: ALL on Column", false); + } catch (Exception e) { + assertTrue("The error should be 'Sentry does not support privilege: All on Column'", + e.getMessage().contains("Sentry does not support privilege: All on Column")); + } + statement.execute("GRANT ROLE user_role1 TO GROUP " + USERGROUP1); + statement.execute("GRANT ROLE user_role2 TO GROUP " + USERGROUP2); + statement.close(); + connection.close(); + + // 1.1 user_role1 select c1,c2 from t1, will throw exception + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + try { + statement.execute("SELECT c1,c2 FROM t1"); + assertTrue("only SELECT allowed on t1.c1!!", false); + } catch (Exception e) { + // Ignore + } + + // 1.2 user_role1 select * from t1, will throw exception + try { + statement.execute("SELECT * FROM t1"); + assertTrue("only SELECT allowed on t1.c1!!", false); + } catch (Exception e) { + // Ignore + } + + // 2.1 user_role2 select c1,c2,c3 from t1, will throw exception + connection = context.createConnection(USER2_1); + statement = context.createStatement(connection); + try { + statement.execute("SELECT c1,c2,c3 FROM t1"); + assertTrue("no permission on table t1!!", false); + } catch (Exception e) { + // Ignore + } + + // 2.2 user_role2 select * from t1, will throw exception + connection = context.createConnection(USER2_1); + statement = context.createStatement(connection); + try { + statement.execute("SELECT * FROM t1"); + assertTrue("no permission on table t1!!", false); + } catch (Exception e) { + // Ignore + } + + statement.close(); + connection.close(); + } + + @Test + public void testPostive() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("CREATE database " + DB1); + statement.execute("use " + DB1); + statement.execute("CREATE TABLE t1 (c1 string, c2 string)"); + statement.execute("CREATE ROLE user_role1"); + statement.execute("CREATE ROLE user_role2"); + statement.execute("CREATE ROLE user_role3"); + statement.execute("GRANT SELECT (c1) ON TABLE t1 TO ROLE user_role1"); + statement.execute("GRANT SELECT (c1, c2) ON TABLE t1 TO ROLE user_role2"); + statement.execute("GRANT SELECT ON TABLE t1 TO ROLE user_role3"); + statement.execute("GRANT ROLE user_role1 TO GROUP " + USERGROUP1); + statement.execute("GRANT ROLE user_role2 TO GROUP " + USERGROUP2); + statement.execute("GRANT ROLE user_role3 TO GROUP " + USERGROUP3); + statement.close(); + connection.close(); + + // 1 user_role1 select c1 on t1 + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("SELECT c1 FROM t1"); + + // 2.1 user_role2 select c1,c2 on t1 + connection = context.createConnection(USER2_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("SELECT c1,c2 FROM t1"); + // 2.2 user_role2 select * on t1 + statement.execute("SELECT * FROM t1"); + + // 3.1 user_role3 select * on t1 + connection = context.createConnection(USER3_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("SELECT * FROM t1"); + // 3.2 user_role3 select c1,c2 on t1 + statement.execute("SELECT c1,c2 FROM t1"); + + statement.close(); + connection.close(); + } + + @Test + public void testCreateTableAsSelect() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("CREATE database " + DB1); + statement.execute("use " + DB1); + statement.execute("CREATE TABLE t1 (c1 string, c2 string)"); + statement.execute("CREATE ROLE user_role1"); + statement.execute("CREATE ROLE user_role2"); + statement.execute("CREATE ROLE user_role3"); + statement.execute("GRANT SELECT (c1) ON TABLE t1 TO ROLE user_role1"); + statement.execute("GRANT SELECT (c1, c2) ON TABLE t1 TO ROLE user_role2"); + statement.execute("GRANT SELECT ON TABLE t1 TO ROLE user_role3"); + statement.execute("GRANT CREATE ON DATABASE " + DB1 + " TO ROLE user_role1"); + statement.execute("GRANT CREATE ON DATABASE " + DB1 + " TO ROLE user_role2"); + statement.execute("GRANT CREATE ON DATABASE " + DB1 + " TO ROLE user_role3"); + statement.execute("GRANT ROLE user_role1 TO GROUP " + USERGROUP1); + statement.execute("GRANT ROLE user_role2 TO GROUP " + USERGROUP2); + statement.execute("GRANT ROLE user_role3 TO GROUP " + USERGROUP3); + statement.close(); + connection.close(); + + // 1 user_role1 create table as select + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("CREATE TABLE t1_1 AS SELECT c1 FROM t1"); + try { + statement.execute("CREATE TABLE t1_2 AS SELECT * FROM t1"); + assertTrue("no permission on table t1!!", false); + } catch (Exception e) { + // Ignore + } + + // 2 user_role2 create table as select + connection = context.createConnection(USER2_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("CREATE TABLE t2_1 AS SELECT c1 FROM t1"); + statement.execute("CREATE TABLE t2_2 AS SELECT * FROM t1"); + + // 3 user_role3 create table as select + connection = context.createConnection(USER3_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("CREATE TABLE t3_1 AS SELECT c1 FROM t1"); + statement.execute("CREATE TABLE t3_2 AS SELECT * FROM t1"); + + statement.close(); + connection.close(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java index 38fa69e..7fa7600 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java @@ -1495,6 +1495,141 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { } /** + * SHOW GRANT ROLE roleName ON COLUMN colName + * @throws Exception + */ + @Test + public void testShowPrivilegesByRoleOnObjectGivenColumn() throws Exception { + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("CREATE ROLE role1"); + statement.execute("GRANT SELECT (c1) ON TABLE t1 TO ROLE role1"); + statement.execute("GRANT SELECT (c2) ON TABLE t2 TO ROLE role1"); + statement.execute("GRANT SELECT (c1,c2) ON TABLE t3 TO ROLE role1"); + statement.execute("GRANT SELECT (c1,c2) ON TABLE t4 TO ROLE role1 with grant option"); + + //On column - positive + ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t1 (c1)"); + int rowCount = 0 ; + while ( resultSet.next()) { + rowCount++; + assertThat(resultSet.getString(1), equalToIgnoringCase("default")); + assertThat(resultSet.getString(2), equalToIgnoringCase("t1")); + assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition + assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column + assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName + assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType + assertThat(resultSet.getString(7), equalToIgnoringCase("select")); + assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption + //Create time is not tested + //assertThat(resultSet.getLong(9), is(new Long(0))); + assertThat(resultSet.getString(10), equalToIgnoringCase("--"));//grantor + } + assertThat(rowCount, is(1)); + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t2 (c2)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + assertThat(resultSet.getString(1), equalToIgnoringCase("default")); + assertThat(resultSet.getString(2), equalToIgnoringCase("t2")); + assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition + assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column + assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName + assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType + assertThat(resultSet.getString(7), equalToIgnoringCase("select")); + assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption + //Create time is not tested + //assertThat(resultSet.getLong(9), is(new Long(0))); + assertThat(resultSet.getString(10), equalToIgnoringCase("--"));//grantor + } + assertThat(rowCount, is(1)); + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t3 (c1)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + assertThat(resultSet.getString(1), equalToIgnoringCase("default")); + assertThat(resultSet.getString(2), equalToIgnoringCase("t3")); + assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition + assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column + assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName + assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType + assertThat(resultSet.getString(7), equalToIgnoringCase("select")); + assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption + //Create time is not tested + //assertThat(resultSet.getLong(9), is(new Long(0))); + assertThat(resultSet.getString(10), equalToIgnoringCase("--"));//grantor + } + assertThat(rowCount, is(1)); + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t3 (c2)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + assertThat(resultSet.getString(1), equalToIgnoringCase("default")); + assertThat(resultSet.getString(2), equalToIgnoringCase("t3")); + assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition + assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column + assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName + assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType + assertThat(resultSet.getString(7), equalToIgnoringCase("select")); + assertThat(resultSet.getBoolean(8), is(new Boolean("False")));//grantOption + //Create time is not tested + //assertThat(resultSet.getLong(9), is(new Long(0))); + assertThat(resultSet.getString(10), equalToIgnoringCase("--"));//grantor + } + assertThat(rowCount, is(1)); + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t4 (c1)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + assertThat(resultSet.getString(1), equalToIgnoringCase("default")); + assertThat(resultSet.getString(2), equalToIgnoringCase("t4")); + assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition + assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column + assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName + assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType + assertThat(resultSet.getString(7), equalToIgnoringCase("select")); + assertThat(resultSet.getBoolean(8), is(new Boolean("True")));//grantOption + //Create time is not tested + //assertThat(resultSet.getLong(9), is(new Long(0))); + assertThat(resultSet.getString(10), equalToIgnoringCase("--"));//grantor + } + assertThat(rowCount, is(1)); + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t4 (c2)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + assertThat(resultSet.getString(1), equalToIgnoringCase("default")); + assertThat(resultSet.getString(2), equalToIgnoringCase("t4")); + assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition + assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column + assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName + assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType + assertThat(resultSet.getString(7), equalToIgnoringCase("select")); + assertThat(resultSet.getBoolean(8), is(new Boolean("True")));//grantOption + //Create time is not tested + //assertThat(resultSet.getLong(9), is(new Long(0))); + assertThat(resultSet.getString(10), equalToIgnoringCase("--"));//grantor + } + assertThat(rowCount, is(1)); + //On column - negative + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t1 (c2)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + } + assertThat(rowCount, is(0)); + resultSet = statement.executeQuery("SHOW GRANT ROLE role1 ON TABLE t2 (c1)"); + rowCount = 0 ; + while (resultSet.next()) { + rowCount++; + } + assertThat(rowCount, is(0)); + + statement.close(); + connection.close(); + } + + /** * SHOW GRANT ROLE roleName ON TABLE tableName * @throws Exception */ @@ -1535,7 +1670,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { } /** - * SHOW GRANT ROLE roleName ON TABLE tableName + * SHOW GRANT ROLE roleName ON DATABASE databaseName * @throws Exception */ @Test @@ -1591,7 +1726,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { } /** - * SHOW GRANT ROLE roleName ON TABLE tableName + * SHOW GRANT ROLE roleName ON SERVER serverName * @throws Exception */ @Test @@ -1638,7 +1773,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { } /** - * SHOW GRANT ROLE roleName ON DATABASE dbName: Needs Hive patch + * SHOW GRANT ROLE roleName ON URI uriName: Needs Hive patch * @throws Exception */ @Ignore http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java new file mode 100644 index 0000000..a4de2c0 --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java @@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.tests.e2e.dbprovider; + +import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration; +import org.apache.sentry.tests.e2e.hive.TestPrivilegesAtColumnScope; +import org.junit.Before; +import org.junit.BeforeClass; + +public class TestDbPrivilegesAtColumnScope extends TestPrivilegesAtColumnScope { + @Override + @Before + public void setup() throws Exception { + super.setupAdmin(); + super.setup(); + } + @BeforeClass + public static void setupTestStaticConfiguration() throws Exception { + useSentryService = true; + AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); + + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java index 84b91c3..9aa03f8 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java @@ -290,7 +290,7 @@ public abstract class AbstractTestWithStaticConfiguration { } private void addPrivilege(String roleName, String privileges, Statement statement) throws IOException, SQLException{ - String serverName = null, dbName = null, tableName = null, uriPath = null; + String serverName = null, dbName = null, tableName = null, uriPath = null, columnName = null; String action = "ALL";//AccessConstants.ALL; for (String privilege : ROLE_SPLITTER.split(privileges)) { for(String section : AUTHORIZABLE_SPLITTER.split(privilege)) { @@ -307,6 +307,8 @@ public abstract class AbstractTestWithStaticConfiguration { dbName = dbAuthorizable.getName(); } else if (DBModelAuthorizable.AuthorizableType.Table.equals(dbAuthorizable.getAuthzType())) { tableName = dbAuthorizable.getName(); + } else if (DBModelAuthorizable.AuthorizableType.Column.equals(dbAuthorizable.getAuthzType())) { + columnName = dbAuthorizable.getName(); } else if (DBModelAuthorizable.AuthorizableType.URI.equals(dbAuthorizable.getAuthzType())) { uriPath = dbAuthorizable.getName(); } else { @@ -320,7 +322,11 @@ public abstract class AbstractTestWithStaticConfiguration { } } - if (tableName != null) { + if (columnName != null) { + statement.execute("CREATE DATABASE IF NOT EXISTS " + dbName); + statement.execute("USE " + dbName); + statement.execute("GRANT " + action + " ( " + columnName + " ) ON TABLE " + tableName + " TO ROLE " + roleName); + } else if (tableName != null) { statement.execute("CREATE DATABASE IF NOT EXISTS " + dbName); statement.execute("USE " + dbName); statement.execute("GRANT " + action + " ON TABLE " + tableName + " TO ROLE " + roleName); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java index c186a42..cd5a75f 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java @@ -155,12 +155,20 @@ public class TestConfigTool extends AbstractTestWithStaticConfiguration { policyFile .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab2") .addRolesToGroup(USERGROUP2, "select_tab3") + .addRolesToGroup(USERGROUP3, "select_colA") + .addRolesToGroup(USERGROUP4, "select_colAB") .addPermissionsToRole("select_tab1", "server=server1->db=db1->table=tab1->action=select") .addPermissionsToRole("insert_tab2", "server=server1->db=db1->table=tab2->action=insert") .addPermissionsToRole("select_tab3", "server=server1->db=db1->table=tab3->action=select") + .addPermissionsToRole("select_colA", + "server=server1->db=db1->table=tab3->column=a->action=select") + .addPermissionsToRole("select_colAB", + "server=server1->db=db1->table=tab3->column=a->action=select") + .addPermissionsToRole("select_colAB", + "server=server1->db=db1->table=tab3->column=b->action=select") .setUserGroupMapping(StaticUserGroup.getStaticMapping()); policyFile.write(context.getPolicyFile()); @@ -181,6 +189,18 @@ public class TestConfigTool extends AbstractTestWithStaticConfiguration { .contains("server=server1->db=db1->table=tab3->action=select")); permList = configTool.getSentryProvider().listPrivilegesForSubject( + new Subject(USER3_1)); + assertTrue(permList + .contains("server=server1->db=db1->table=tab3->column=a->action=select")); + + permList = configTool.getSentryProvider().listPrivilegesForSubject( + new Subject(USER4_1)); + assertTrue(permList + .contains("server=server1->db=db1->table=tab3->column=a->action=select")); + assertTrue(permList + .contains("server=server1->db=db1->table=tab3->column=b->action=select")); + + permList = configTool.getSentryProvider().listPrivilegesForSubject( new Subject(ADMIN1)); assertTrue(permList.contains("server=server1")); } @@ -223,12 +243,20 @@ public class TestConfigTool extends AbstractTestWithStaticConfiguration { policyFile .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab2") .addRolesToGroup(USERGROUP2, "select_tab3") + .addRolesToGroup(USERGROUP3, "select_colAB") + .addRolesToGroup(USERGROUP4, "select_colA") .addPermissionsToRole("select_tab1", "server=server1->db=default->table=tab1->action=select") .addPermissionsToRole("insert_tab2", "server=server1->db=default->table=tab2->action=insert") .addPermissionsToRole("select_tab3", "server=server1->db=default->table=tab3->action=select") + .addPermissionsToRole("select_colA", + "server=server1->db=default->table=tab1->column=a->action=select") + .addPermissionsToRole("select_colAB", + "server=server1->db=default->table=tab1->column=a->action=select") + .addPermissionsToRole("select_colAB", + "server=server1->db=default->table=tab1->column=b->action=select") .setUserGroupMapping(StaticUserGroup.getStaticMapping()); policyFile.write(context.getPolicyFile()); @@ -239,11 +267,11 @@ public class TestConfigTool extends AbstractTestWithStaticConfiguration { statement.execute("DROP TABLE IF EXISTS tab1"); statement.execute("DROP TABLE IF EXISTS tab2"); statement.execute("DROP TABLE IF EXISTS tab3"); - statement.execute("CREATE TABLE tab1(B INT, A STRING) " + statement.execute("CREATE TABLE tab1(b INT, a STRING) " + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("CREATE TABLE tab2(B INT, A STRING) " + statement.execute("CREATE TABLE tab2(b INT, a STRING) " + " row format delimited fields terminated by '|' stored as textfile"); - statement.execute("CREATE TABLE tab3(B INT, A STRING) " + statement.execute("CREATE TABLE tab3(b INT, a STRING) " + " row format delimited fields terminated by '|' stored as textfile"); statement.close(); connection.close(); @@ -279,7 +307,41 @@ public class TestConfigTool extends AbstractTestWithStaticConfiguration { } catch (SQLException e) { assertTrue(errBuffer.toString().contains( "Server=server1->Db=default->Table=tab2->action=insert")); + errBuffer.flush(); } + // user3_1 can select A from tab1, but can't select B from tab1 + configTool.setUser(USER3_1); + configTool.verifyRemoteQuery("SELECT a FROM tab1"); + configTool.verifyRemoteQuery("SELECT COUNT(a) FROM tab1"); + configTool.verifyRemoteQuery("SELECT b FROM tab1"); + configTool.verifyRemoteQuery("SELECT COUNT(b) FROM tab1"); + configTool.verifyRemoteQuery("SELECT a,b FROM tab1"); + + // user4_1 can select A from tab1, but can't select B from tab1 + configTool.setUser(USER4_1); + configTool.verifyRemoteQuery("SELECT a FROM tab1"); + configTool.verifyRemoteQuery("SELECT COUNT(a) FROM tab1"); + + try { + configTool.setUser(USER4_1); + configTool + .verifyRemoteQuery("SELECT b FROM tab1"); + fail("Query should have failed with insufficient perms"); + } catch (SQLException e) { + assertTrue(errBuffer.toString().contains( + "Server=server1->Db=default->Table=tab1->Column=b->action=select")); + errBuffer.flush(); + } + + try { + configTool.setUser(USER4_1); + configTool + .verifyRemoteQuery("SELECT COUNT(b) FROM tab1"); + fail("Query should have failed with insufficient perms"); + } catch (SQLException e) { + assertTrue(errBuffer.toString().contains( + "Server=server1->Db=default->Table=tab1->Column=b->action=select")); + } } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java index eaf3816..b9e4da9 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java @@ -101,8 +101,10 @@ public class TestExportImportPrivileges extends AbstractTestWithStaticConfigurat policyFile .addRolesToGroup(USERGROUP1, "tab1_read", "tab1_write", "db1_all", "data_read", "data_export") .addRolesToGroup(USERGROUP2, "tab1_write", "tab1_read") + .addRolesToGroup(USERGROUP3, "col1_read") .addPermissionsToRole("tab1_write", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=INSERT") .addPermissionsToRole("tab1_read", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=SELECT") + .addPermissionsToRole("col1_read", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->column=under_col->action=SELECT") .addPermissionsToRole("db1_all", "server=server1->db=" + DB1) .addPermissionsToRole("data_read", "server=server1->URI=file://" + dataFile.getPath()) .addPermissionsToRole("data_export", "server=server1->URI=" + exportDir); @@ -139,5 +141,13 @@ public class TestExportImportPrivileges extends AbstractTestWithStaticConfigurat statement.execute("IMPORT TABLE " + TBL2 + " FROM '" + exportDir + "'"); statement.close(); connection.close(); + + // Positive test, user3 have access to the target directory + connection = context.createConnection(USER3_1); + statement = context.createStatement(connection); + statement.execute("use " + DB1); + statement.execute("SELECT under_col FROM " + TBL1); + statement.close(); + connection.close(); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java index a67556b..f43a310 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java @@ -68,7 +68,7 @@ public class TestPolicyImport extends AbstractTestWithStaticConfiguration { @Test public void testImportPolicy() throws Exception { - policyFile.addRolesToGroup("analyst", "analyst_role", "customers_select_role"); + policyFile.addRolesToGroup("analyst", "analyst_role", "customers_select_role", "analyst_salary_role"); policyFile.addRolesToGroup("jranalyst", "junior_analyst_role"); policyFile.addRolesToGroup("manager", "analyst_role", "junior_analyst_role", "customers_insert_role", "customers_select_role"); @@ -80,6 +80,7 @@ public class TestPolicyImport extends AbstractTestWithStaticConfiguration { policyFile.addPermissionsToRole("customers_admin_role", "server=server1->db=customers"); policyFile.addPermissionsToRole("customers_insert_role", "server=server1->db=customers->table=*->action=insert"); policyFile.addPermissionsToRole("customers_select_role", "server=server1->db=customers->table=*->action=select"); + policyFile.addPermissionsToRole("analyst_salary_role", "server=server1->db=customers->table=customer_info->column=salary->action=select"); policyFile.write(context.getPolicyFile()); @@ -90,7 +91,7 @@ public class TestPolicyImport extends AbstractTestWithStaticConfiguration { configTool.importPolicy(); SentryPolicyServiceClient client = new SentryPolicyServiceClient(configTool.getAuthzConf()); - verifyRoles(client, "analyst", "analyst_role", "customers_select_role"); + verifyRoles(client, "analyst", "analyst_role", "customers_select_role", "analyst_salary_role"); verifyRoles(client, "jranalyst", "junior_analyst_role"); verifyRoles(client, "manager", "analyst_role", "junior_analyst_role", "customers_insert_role", "customers_select_role"); @@ -107,6 +108,8 @@ public class TestPolicyImport extends AbstractTestWithStaticConfiguration { createPrivilege(AccessConstants.INSERT, "customers", null, null)); verifyPrivileges(client, "customers_select_role", createPrivilege(AccessConstants.SELECT, "customers", null, null)); + verifyPrivileges(client, "analyst_salary_role", + createPrivilege(AccessConstants.SELECT, "customers", "customer_info", "salary", null)); } private void verifyRoles(SentryPolicyServiceClient client, String group, String ... roles) throws SentryUserException { @@ -159,4 +162,37 @@ public class TestPolicyImport extends AbstractTestWithStaticConfiguration { return privilege; } + private TSentryPrivilege createPrivilege(String action, String dbName, String tableName, String columnName, String uri) { + String scope = "SERVER"; + if (uri != null) { + scope = "URI"; + } else if (dbName != null) { + if (columnName != null) { + scope = "COLUMN"; + } else if (tableName != null) { + scope = "TABLE"; + } else { + scope = "DATABASE"; + } + } + + TSentryPrivilege privilege = new TSentryPrivilege(scope, "server1", action); + if (dbName != null) { + privilege.setDbName(dbName); + } + + if (tableName != null) { + privilege.setTableName(tableName); + } + + if (columnName != null) { + privilege.setColumnName(columnName); + } + + if (uri != null) { + privilege.setURI(uri); + } + + return privilege; + } }
