Repository: incubator-sentry Updated Branches: refs/heads/master 60bb10037 -> bf3eb482e
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java new file mode 100644 index 0000000..b86c6b2 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java @@ -0,0 +1,316 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.provider.db.generic.service.thrift; + +import static junit.framework.Assert.assertEquals; +import static org.mockito.Matchers.any; +import static org.mockito.Matchers.anyListOf; +import static org.mockito.Matchers.anySetOf; +import static org.mockito.Matchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Set; +import java.util.UUID; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.model.search.Collection; +import org.apache.sentry.core.model.search.Field; +import org.apache.sentry.core.model.search.SearchConstants; +import org.apache.sentry.provider.common.GroupMappingService; +import org.apache.sentry.provider.db.SentryAlreadyExistsException; +import org.apache.sentry.provider.db.SentryGrantDeniedException; +import org.apache.sentry.provider.db.SentryInvalidInputException; +import org.apache.sentry.provider.db.SentryNoSuchObjectException; +import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject; +import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer; +import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder; +import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor; +import org.apache.sentry.provider.db.service.persistent.CommitContext; +import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants; +import org.apache.sentry.provider.db.service.thrift.SentryConfigurationException; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.apache.sentry.service.thrift.Status; +import org.apache.sentry.service.thrift.TSentryResponseStatus; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.Sets; + +public class TestSentryGenericPolicyProcessor { + private static final String ADMIN_GROUP = "admin_group"; + private static final String ADMIN_USER = "admin_user"; + private static final UUID SERVER_UUID = UUID.randomUUID(); + private static final long SEQ_ID = 10000; + + private SentryStoreLayer mockStore = mock(SentryStoreLayer.class); + private SentryGenericPolicyProcessor processor; + + @Before + public void setup() throws Exception { + Configuration conf = new Configuration(); + conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, MockGroupMapping.class.getName()); + processor = new SentryGenericPolicyProcessor(conf, mockStore); + } + + @Test + public void testNotAdminOperation() throws Exception { + String requestUser = "not_" + ADMIN_USER; + Status validateStatus = Status.ACCESS_DENIED; + testOperation(requestUser, validateStatus); + } + + private void testOperation(String requestUser, Status validateStatus) throws Exception { + TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest(); + createrequest.setRequestorUserName(requestUser); + createrequest.setRoleName("r1"); + assertEquals(validateStatus, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus())); + + TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest(); + dropRequest.setRequestorUserName(requestUser); + dropRequest.setRoleName("r1"); + assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus())); + + TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest(); + addRequest.setRequestorUserName(requestUser); + addRequest.setRoleName("r1"); + addRequest.setGroups(Sets.newHashSet("g1")); + assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus())); + + TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest(); + delRequest.setRequestorUserName(requestUser); + delRequest.setRoleName("r1"); + delRequest.setGroups(Sets.newHashSet("g1")); + assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus())); + + TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest(); + dropPrivRequest.setRequestorUserName(requestUser); + dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test")); + assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus())); + + TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest(); + renameRequest.setRequestorUserName(requestUser); + assertEquals(validateStatus, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus())); + } + + private Status fromTSentryStatus(TSentryResponseStatus status) { + return Status.fromCode(status.getValue()); + } + + @Test + public void testAdminOperation() throws Exception { + when(mockStore.createRole(anyString(), anyString(), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID)); + + when(mockStore.dropRole(anyString(), anyString(), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 1)); + + when(mockStore.alterRoleAddGroups(anyString(), anyString(), anySetOf(String.class),anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 2)); + + when(mockStore.alterRoleDeleteGroups(anyString(), anyString(),anySetOf(String.class), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 3)); + + when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 4)); + + when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class), + anyListOf(Authorizable.class), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 5)); + testOperation(ADMIN_USER, Status.OK); + } + + @Test + public void testGrantAndRevokePrivilege() throws Exception { + when(mockStore.alterRoleGrantPrivilege(anyString(), anyString(), any(PrivilegeObject.class), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 6)); + + when(mockStore.alterRoleRevokePrivilege(anyString(), anyString(),any(PrivilegeObject.class), anyString())) + .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 7)); + setup(); + + TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"); + tprivilege.setGrantOption(TSentryGrantOption.UNSET); + + TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest(); + grantRequest.setRequestorUserName(ADMIN_USER); + grantRequest.setRoleName("r1"); + grantRequest.setPrivilege(tprivilege); + assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus())); + + TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest(); + revokeRequest.setRequestorUserName(ADMIN_USER); + revokeRequest.setRoleName("r1"); + revokeRequest.setPrivilege(tprivilege); + assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus())); + } + + @Test + public void testOperationWithException() throws Exception { + when(mockStore.createRole(anyString(), anyString(), anyString())) + .thenThrow(new SentryAlreadyExistsException("role already exists")); + + when(mockStore.dropRole(anyString(), anyString(), anyString())) + .thenThrow(new SentryNoSuchObjectException("role isn't exist")); + + when(mockStore.alterRoleAddGroups(anyString(), anyString(), anySetOf(String.class),anyString())) + .thenThrow(new SentryNoSuchObjectException("role isn't exist")); + + when(mockStore.alterRoleDeleteGroups(anyString(), anyString(),anySetOf(String.class), anyString())) + .thenThrow(new SentryNoSuchObjectException("role isn't exist")); + + when(mockStore.alterRoleGrantPrivilege(anyString(), anyString(), any(PrivilegeObject.class), anyString())) + .thenThrow(new SentryGrantDeniedException("has no grant")); + + when(mockStore.alterRoleRevokePrivilege(anyString(), anyString(),any(PrivilegeObject.class), anyString())) + .thenThrow(new SentryGrantDeniedException("has no grant")); + + when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString())) + .thenThrow(new SentryInvalidInputException("nvalid input privilege object")); + + when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class), + anyListOf(Authorizable.class), anyString())) + .thenThrow(new RuntimeException("Unknown error")); + + setup(); + + TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest(); + createrequest.setRequestorUserName(ADMIN_USER); + createrequest.setRoleName("r1"); + assertEquals(Status.ALREADY_EXISTS, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus())); + + TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest(); + dropRequest.setRequestorUserName(ADMIN_USER); + dropRequest.setRoleName("r1"); + assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus())); + + TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest(); + addRequest.setRequestorUserName(ADMIN_USER); + addRequest.setRoleName("r1"); + addRequest.setGroups(Sets.newHashSet("g1")); + assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus())); + + TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest(); + delRequest.setRequestorUserName(ADMIN_USER); + delRequest.setRoleName("r1"); + delRequest.setGroups(Sets.newHashSet("g1")); + assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus())); + + TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest(); + dropPrivRequest.setRequestorUserName(ADMIN_USER); + dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test")); + assertEquals(Status.INVALID_INPUT, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus())); + + TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest(); + renameRequest.setRequestorUserName(ADMIN_USER); + assertEquals(Status.RUNTIME_ERROR, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus())); + + TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"); + tprivilege.setGrantOption(TSentryGrantOption.UNSET); + + TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest(); + grantRequest.setRequestorUserName(ADMIN_USER); + grantRequest.setRoleName("r1"); + grantRequest.setPrivilege(tprivilege); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus())); + + TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest(); + revokeRequest.setRequestorUserName(ADMIN_USER); + revokeRequest.setRoleName("r1"); + revokeRequest.setPrivilege(tprivilege); + assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus())); + } + + @Test + public void testGetRolesAndPrivileges() throws Exception { + String roleName = "r1"; + String groupName = "g1"; + PrivilegeObject queryPrivilege = new Builder() + .setComponent("SOLR") + .setAction(SearchConstants.QUERY) + .setService("service1") + .setAuthorizables(Arrays.asList(new Collection("c1"), new Field("f1"))) + .build(); + PrivilegeObject updatePrivilege = new Builder(queryPrivilege) + .setAction(SearchConstants.UPDATE) + .build(); + + when(mockStore.getRolesByGroups(anyString(), anySetOf(String.class))) + .thenReturn(Sets.newHashSet(roleName)); + + when(mockStore.getPrivilegesByProvider(anyString(), anyString(), anySetOf(String.class), + anySetOf(String.class), anyListOf(Authorizable.class))) + .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege)); + + when(mockStore.getGroupsByRoles(anyString(), anySetOf(String.class))) + .thenReturn(Sets.newHashSet(groupName)); + + TListSentryPrivilegesRequest request1 = new TListSentryPrivilegesRequest(); + request1.setRoleName(roleName); + request1.setRequestorUserName(ADMIN_USER); + TListSentryPrivilegesResponse response1 = processor.list_sentry_privileges_by_role(request1); + assertEquals(Status.OK, fromTSentryStatus(response1.getStatus())); + assertEquals(2, response1.getPrivileges().size()); + + TListSentryRolesRequest request2 = new TListSentryRolesRequest(); + request2.setRequestorUserName(ADMIN_USER); + request2.setGroupName(groupName); + TListSentryRolesResponse response2 = processor.list_sentry_roles_by_group(request2); + assertEquals(Status.OK, fromTSentryStatus(response2.getStatus())); + assertEquals(1, response2.getRoles().size()); + + TListSentryPrivilegesForProviderRequest request3 = new TListSentryPrivilegesForProviderRequest(); + request3.setGroups(Sets.newHashSet(groupName)); + request3.setRoleSet(new TSentryActiveRoleSet(true, null)); + TListSentryPrivilegesForProviderResponse response3 = processor.list_sentry_privileges_for_provider(request3); + assertEquals(Status.OK, fromTSentryStatus(response3.getStatus())); + assertEquals(2, response3.getPrivileges().size()); + } + + @Test(expected=SentryConfigurationException.class) + public void testConfigCannotCreateNotificationHandler() throws Exception { + Configuration conf = new Configuration(); + conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION,"junk"); + SentryGenericPolicyProcessor.createHandlers(conf); + } + + @Test(expected=SentryConfigurationException.class) + public void testConfigCannotCreateSentryStore() throws Exception { + Configuration conf = new Configuration(); + conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE,"junk"); + SentryGenericPolicyProcessor.createStore(conf); + } + + public static class MockGroupMapping implements GroupMappingService { + public MockGroupMapping(Configuration conf, String resource) { + } + @Override + public Set<String> getGroups(String user) { + if (user.equalsIgnoreCase(ADMIN_USER)) { + return Sets.newHashSet(ADMIN_GROUP); + } else { + return Sets.newHashSet("not" + ADMIN_GROUP); + } + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java new file mode 100644 index 0000000..596a8c7 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java @@ -0,0 +1,439 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.provider.db.generic.service.thrift; + +import static junit.framework.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.security.PrivilegedExceptionAction; +import java.util.Arrays; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import javax.security.auth.Subject; +import javax.security.auth.kerberos.KerberosPrincipal; +import javax.security.auth.login.LoginContext; + +import org.apache.sentry.SentryUserException; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.model.search.Collection; +import org.apache.sentry.core.model.search.Field; +import org.apache.sentry.core.model.search.SearchConstants; +import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; +import org.apache.sentry.service.thrift.KerberosConfiguration; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.junit.Test; + +import com.google.common.collect.Lists; +import com.google.common.collect.Sets; + +public class TestSentryGenericServiceIntegration extends SentryServiceIntegrationBase { + private static final String SOLR = "SOLR"; + private SentryGenericServiceClient client; + + /** + * use the generic client to connect sentry service + */ + @Override + public void connectToSentryService() throws Exception { + // The client should already be logged in when running in solr + // therefore we must manually login in the integration tests + if (kerberos) { + conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false"); + clientSubject = new Subject(false, Sets.newHashSet( + new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(), + new HashSet<Object>()); + clientLoginContext = new LoginContext("", clientSubject, null, + KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab)); + clientLoginContext.login(); + clientSubject = clientLoginContext.getSubject(); + this.client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryGenericServiceClient>() { + @Override + public SentryGenericServiceClient run() throws Exception { + return new SentryGenericServiceClient(conf); + } + }); + } else { + this.client = new SentryGenericServiceClient(conf); + } + } + + @Test + public void testCreateDropShowRole() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_r"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName, SOLR); + + client.createRole(requestorUserName, roleName, SOLR); + + client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames)); + + Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR); + assertEquals("Incorrect number of roles", 1, roles.size()); + for (TSentryRole role:roles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + } + client.dropRole(requestorUserName, roleName, SOLR); + } + + @Test + public void testAddDeleteRoleToGroup() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String testGroupName = "g1"; + String roleName = "admin_r"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName)); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName, SOLR); + + client.createRole(requestorUserName, roleName, SOLR); + + client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName)); + + Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR); + assertEquals("Incorrect number of roles", 1, roles.size()); + for (TSentryRole role:roles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + assertTrue(role.getGroups().size() == 1); + for (String group :role.getGroups()) { + assertEquals(testGroupName, group); + } + } + + client.deleteRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName)); + roles = client.listUserRoles(requestorUserName,SOLR); + assertEquals("Incorrect number of roles", 0, roles.size()); + + client.dropRole(requestorUserName, roleName, SOLR); + } + + @Test + public void testGranRevokePrivilege() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, roleName1, SOLR); + client.createRole(requestorUserName, roleName1, SOLR); + + client.dropRoleIfExists(requestorUserName, roleName2, SOLR); + client.createRole(requestorUserName, roleName2, SOLR); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + + TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.UPDATE); + + client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege); + client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege); + + client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege); + client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege); + + } + + @Test + public void testMultipleRolesSamePrivilege() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, roleName1, SOLR); + client.createRole(requestorUserName, roleName1, SOLR); + + client.dropRoleIfExists(requestorUserName, roleName2, SOLR); + client.createRole(requestorUserName, roleName2, SOLR); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + + client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege); + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1"); + assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1); + + client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege); + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1"); + assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1); + } + + @Test + public void testShowRoleGrant() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_r1"; + String groupName = "group1"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName)); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName, SOLR); + client.createRole(requestorUserName, roleName, SOLR); + client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName)); + + Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR); + assertTrue(groupRoles.size() == 1); + for (TSentryRole role:groupRoles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + assertTrue(role.getGroups().size() == 1); + for (String group :role.getGroups()) { + assertEquals(groupName, group); + } + } + + client.dropRole(requestorUserName, roleName, SOLR); + } + + @Test + public void testShowGrant() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_r1"; + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + client.dropRoleIfExists(requestorUserName, roleName, SOLR); + client.createRole(requestorUserName, roleName, SOLR); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + + TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.UPDATE); + + client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege); + client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege); + Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1"); + assertTrue(privileges.size() == 2); + + client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege); + privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1"); + assertTrue(privileges.size() == 1); + } + + @Test + public void testSameGrantTwice() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r1"; + + client.createRole(requestorUserName, roleName, SOLR); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + + client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege); + assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size()); + } + + @Test + public void testGrantRevokeWithGrantOption() throws Exception { + String adminUser = ADMIN_USER; + Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP); + String grantOptionUser = "user1"; + Set<String> grantOptionGroup = Sets.newHashSet("group1"); + String noGrantOptionUser = "user2"; + Set<String> noGrantOptionGroup = Sets.newHashSet("group2"); + + setLocalGroupMapping(adminUser, adminGroup); + setLocalGroupMapping(grantOptionUser, grantOptionGroup); + setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup); + writePolicyFile(); + + String grantRole = "grant_r"; + String noGrantRole = "no_grant_r"; + String testRole = "test_role"; + + client.createRole(adminUser, grantRole, SOLR); + client.createRole(adminUser, noGrantRole, SOLR); + client.createRole(adminUser, testRole, SOLR); + + TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"))), + SearchConstants.QUERY); + grantPrivilege.setGrantOption(TSentryGrantOption.TRUE); + + TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"))), + SearchConstants.QUERY); + noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE); + + TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + testPrivilege.setGrantOption(TSentryGrantOption.FALSE); + + client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege); + client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege); + + client.addRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup); + client.addRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup); + + try { + client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege); + } catch (SentryUserException e) { + fail("grantOptionUser failed grant privilege to user"); + } + + try { + client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege); + fail("noGrantOptionUser can't grant privilege to user"); + } catch (SentryUserException e) { + } + + try { + client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege); + } catch(SentryUserException e) { + fail("grantOptionUser failed revoke privilege to user"); + } + + try { + client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege); + fail("noGrantOptionUser can't revoke privilege to user"); + } catch (SentryUserException e) { + } + } + + @Test + public void testGetPrivilegeByHierarchy() throws Exception { + String adminUser = ADMIN_USER; + Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP); + String testRole = "role1"; + Set<String> testGroup = Sets.newHashSet("group1"); + String testUser = "user1"; + setLocalGroupMapping(adminUser, adminGroup); + setLocalGroupMapping(testUser, testGroup); + writePolicyFile(); + + + client.createRole(adminUser, testRole, SOLR); + client.addRoleToGroups(adminUser, testRole, SOLR, testGroup); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + + TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))), + SearchConstants.UPDATE); + + client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege); + client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege); + + assertEquals(2, client.listPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size()); + + assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole, + SOLR, "service1", Arrays.asList(new Collection("c1"))).size()); + + assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole, + SOLR, "service1", Arrays.asList(new Collection("c2"))).size()); + + assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole, + SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size()); + + assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole, + SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size()); + + //test listPrivilegesForProvider by group(testGroup) + ActiveRoleSet roleSet = ActiveRoleSet.ALL; + + assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet, + testGroup, Arrays.asList(new Collection("c1"))).size()); + + assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet, + testGroup, Arrays.asList(new Collection("c2"))).size()); + + assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet, + testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size()); + + assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet, + testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size()); + } + + @Test + public void testDropAndRenamePrivilege() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + String roleName = "admin_r1"; + + client.createRole(requestorUserName, roleName, SOLR); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege); + + assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, + SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size()); + + assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName, + SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size()); + + client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")), + Arrays.asList(new Collection("c2"), new Field("f2"))); + + assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName, + SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size()); + + assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, + SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size()); + + TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))), + SearchConstants.QUERY); + + client.dropPrivilege(requestorUserName, SOLR, dropPrivilege); + + assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName, + SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size()); + } + + private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) { + List<TAuthorizable> tAuthorizables = Lists.newArrayList(); + for (Authorizable authorizable : authorizables) { + tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName())); + } + return tAuthorizables; + } +}
