http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestInMemSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestInMemSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestInMemSentryStore.java new file mode 100644 index 0000000..e99b9fe --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestInMemSentryStore.java @@ -0,0 +1,1250 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; +import static junit.framework.Assert.fail; + +import java.io.File; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; + +import org.apache.commons.io.FileUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.SentryAlreadyExistsException; +import org.apache.sentry.provider.db.SentryGrantDeniedException; +import org.apache.sentry.provider.db.SentryNoSuchObjectException; +import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet; +import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable; +import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.service.thrift.TSentryGroup; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.Iterables; +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public class TestInMemSentryStore { + + private File dataDir; + private String[] adminGroups = {"adminGroup1"}; + private PolicyFile policyFile; + private File policyFilePath; + protected SentryStore sentryStore; + + @Before + public void setup() throws Exception { + dataDir = new File(Files.createTempDir(), "sentry_policy_db"); + dataDir.mkdirs(); + Configuration conf = new Configuration(false); + conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, + ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); + policyFilePath = new File(dataDir, "local_policy_file.ini"); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, + policyFilePath.getPath()); + policyFile = new PolicyFile(); + sentryStore = new InMemSentryStore(conf); + + String adminUser = "g1"; + addGroupsToUser(adminUser, adminGroups); + writePolicyFile(); + } + + @After + public void teardown() { + if (dataDir != null) { + FileUtils.deleteQuietly(dataDir); + } + } + + protected void addGroupsToUser(String user, String... groupNames) { + policyFile.addGroupsToUser(user, groupNames); + } + + protected void writePolicyFile() throws Exception { + policyFile.write(policyFilePath); + } + + @Test + public void testCaseInsensitiveRole() throws Exception { + String roleName = "newRole"; + String grantor = "g1"; + Set<TSentryGroup> groups = Sets.newHashSet(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName("test-groups-g1"); + groups.add(group); + + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName("server1"); + privilege.setDbName("default"); + privilege.setTableName("table1"); + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups).getSequenceId()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups).getSequenceId()); + assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege).getSequenceId()); + assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege).getSequenceId()); + } + + @Test + public void testURI() throws Exception { + String roleName = "test-dup-role"; + String grantor = "g1"; + String uri = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat"; + sentryStore.createSentryRole(roleName); + TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL"); + tSentryPrivilege.setURI(uri); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege); + + TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); + tSentryAuthorizable.setUri(uri); + tSentryAuthorizable.setServer("server1"); + + Set<TSentryPrivilege> privileges = + sentryStore.getTSentryPrivileges(new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable); + + assertTrue(privileges.size() == 1); + + Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>(); + tSentryGroups.add(new TSentryGroup("group1")); + sentryStore.alterSentryRoleAddGroups(grantor, roleName, tSentryGroups); + + TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName))); + + Set<String> privs = + sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("group1")), thriftRoleSet, tSentryAuthorizable); + + assertTrue(privs.size()==1); + assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all")); + } + + @Test + public void testCreateDuplicateRole() throws Exception { + String roleName = "test-dup-role"; + String grantor = "g1"; + sentryStore.createSentryRole(roleName); + try { + sentryStore.createSentryRole(roleName); + fail("Expected SentryAlreadyExistsException"); + } catch(SentryAlreadyExistsException e) { + // expected + } + } + + @Test + public void testCaseSensitiveScope() throws Exception { + String roleName = "role1"; + String grantor = "g1"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege sentryPrivilege = new TSentryPrivilege("Database", "server1", "all"); + sentryPrivilege.setDbName("db1"); + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, sentryPrivilege).getSequenceId()); + } + + @Test + public void testCreateDropRole() throws Exception { + String roleName = "test-drop-role"; + String grantor = "g1"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + assertEquals(seqId + 1, sentryStore.dropSentryRole(roleName).getSequenceId()); + } + + @Test(expected = SentryNoSuchObjectException.class) + public void testAddDeleteGroupsNonExistantRole() + throws Exception { + String roleName = "non-existant-role"; + String grantor = "g1"; + Set<TSentryGroup> groups = Sets.newHashSet(); + sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups); + } + + @Test + public void testAddDeleteGroups() throws Exception { + String roleName = "test-groups"; + String grantor = "g1"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + Set<TSentryGroup> groups = Sets.newHashSet(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName("test-groups-g1"); + groups.add(group); + group = new TSentryGroup(); + group.setGroupName("test-groups-g2"); + groups.add(group); + assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor, + roleName, groups).getSequenceId()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups) + .getSequenceId()); + assertEquals(Collections.emptySet(), sentryStore.getGroupsForRole(roleName)); + } + + @Test + public void testGrantRevokePrivilege() throws Exception { + String roleName = "test-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + privilege.setAction(AccessConstants.SELECT); + assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + // after having ALL and revoking SELECT, we should have INSERT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + TSentryPrivilege tPrivilege = Iterables.get(privileges, 0); + assertEquals(server, tPrivilege.getServerName()); + assertEquals(db, tPrivilege.getDbName()); + assertEquals(table, tPrivilege.getTableName()); + assertEquals(AccessConstants.INSERT, tPrivilege.getAction()); + assertEquals(TSentryGrantOption.FALSE, tPrivilege.getGrantOption()); + } + + @Test + public void testGrantRevokeMultiPrivileges() throws Exception { + String roleName = "test-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String[] columns = {"c1","c2","c3","c4"}; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + Set<TSentryPrivilege> tPrivileges = Sets.newHashSet(); + for (String column : columns) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("Column"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(column); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + tPrivileges.add(privilege); + } + assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivileges(grantor, roleName, tPrivileges) + .getSequenceId()); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 4, privileges.size()); + + tPrivileges = Sets.newHashSet(); + for (int i = 0; i < 2; i++) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("Column"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(columns[i]); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + tPrivileges.add(privilege); + } + assertEquals(seqId + 6, sentryStore.alterSentryRoleRevokePrivileges(grantor, roleName, tPrivileges) + .getSequenceId()); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("Table"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 7, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + // After revoking table scope, we will have 0 privileges + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 0, privileges.size()); + } + + /** + * Regression test for SENTRY-74 and SENTRY-552 + */ + @Test + public void testGrantRevokePrivilegeWithColumn() throws Exception { + String roleName = "test-col-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String column1 = "c1"; + String column2 = "c2"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("COLUMN"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(column1); + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + + // Grant ALL on c1 and c2 + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + privilege.setColumnName(column2); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + + // Revoke SELECT on c2 + privilege.setAction(AccessConstants.SELECT); + assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + + // At this point c1 has ALL privileges and c2 should have INSERT after revoking SELECT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + for (TSentryPrivilege mPrivilege: privileges) { + assertEquals(server, mPrivilege.getServerName()); + assertEquals(db, mPrivilege.getDbName()); + assertEquals(table, mPrivilege.getTableName()); + assertEquals(TSentryGrantOption.FALSE, mPrivilege.getGrantOption()); + if (mPrivilege.getColumnName().equals(column1)) { + assertEquals(AccessConstants.ALL, mPrivilege.getAction()); + } else if (mPrivilege.getColumnName().equals(column2)) { + assertEquals(AccessConstants.INSERT, mPrivilege.getAction()); + } else { + fail("Unexpected column name: " + mPrivilege.getColumnName()); + } + } + + // after revoking INSERT table level privilege will remove privileges from column2 + // and downgrade column1 to SELECT privileges. + privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.INSERT); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + assertEquals(column1, Iterables.get(privileges, 0).getColumnName()); + assertEquals(AccessConstants.SELECT, Iterables.get(privileges, 0).getAction()); + + // Revoke ALL from the table should now remove all the column privileges. + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 5, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 0, privileges.size()); + } + + /** + * Regression test for SENTRY-552 + */ + @Test + public void testGrantRevokeTablePrivilegeDowngradeByDb() throws Exception { + String roleName = "test-table-db-downgrade-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table1 = "tbl1"; + String table2 = "tbl2"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilegeTable1 = new TSentryPrivilege(); + privilegeTable1.setPrivilegeScope("TABLE"); + privilegeTable1.setServerName(server); + privilegeTable1.setDbName(db); + privilegeTable1.setTableName(table1); + privilegeTable1.setAction(AccessConstants.ALL); + privilegeTable1.setCreateTime(System.currentTimeMillis()); + TSentryPrivilege privilegeTable2 = privilegeTable1.deepCopy();; + privilegeTable2.setTableName(table2); + + // Grant ALL on table1 and table2 + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeTable1) + .getSequenceId()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeTable2) + .getSequenceId()); + Set<TSentryPrivilege> privileges = + sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + + // Revoke SELECT on table2 + privilegeTable2.setAction(AccessConstants.SELECT); + assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeTable2) + .getSequenceId()); + // after having ALL and revoking SELECT, we should have INSERT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + + // At this point table1 has ALL privileges and table2 should have INSERT after revoking SELECT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + for (TSentryPrivilege mPrivilege: privileges) { + assertEquals(server, mPrivilege.getServerName()); + assertEquals(db, mPrivilege.getDbName()); + assertEquals(TSentryGrantOption.FALSE, mPrivilege.getGrantOption()); + if (mPrivilege.getTableName().equals(table1)) { + assertEquals(AccessConstants.ALL, mPrivilege.getAction()); + } else if (mPrivilege.getTableName().equals(table2)) { + assertEquals(AccessConstants.INSERT, mPrivilege.getAction()); + } else { + fail("Unexpected table name: " + mPrivilege.getTableName()); + } + } + + // Revoke INSERT on Database + privilegeTable2.setAction(AccessConstants.INSERT); + privilegeTable2.setPrivilegeScope("DATABASE"); + privilegeTable2.unsetTableName(); + assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeTable2) + .getSequenceId()); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + + // after revoking INSERT database level privilege will remove privileges from table2 + // and downgrade table1 to SELECT privileges. + assertEquals(privileges.toString(), 1, privileges.size()); + TSentryPrivilege mPrivilege = Iterables.get(privileges, 0); + assertEquals(server, mPrivilege.getServerName()); + assertEquals(db, mPrivilege.getDbName()); + assertEquals(table1, mPrivilege.getTableName()); + assertEquals(AccessConstants.SELECT, mPrivilege.getAction()); + assertEquals(TSentryGrantOption.FALSE, mPrivilege.getGrantOption()); + } + + /** + * Regression test for SENTRY-552 + */ + @Test + public void testGrantRevokeColumnPrivilegeDowngradeByDb() throws Exception { + String roleName = "test-column-db-downgrade-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String column1 = "c1"; + String column2 = "c2"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilegeCol1 = new TSentryPrivilege(); + privilegeCol1.setPrivilegeScope("COLUMN"); + privilegeCol1.setServerName(server); + privilegeCol1.setDbName(db); + privilegeCol1.setTableName(table); + privilegeCol1.setColumnName(column1); + privilegeCol1.setAction(AccessConstants.ALL); + privilegeCol1.setCreateTime(System.currentTimeMillis()); + TSentryPrivilege privilegeCol2 = privilegeCol1.deepCopy();; + privilegeCol2.setColumnName(column2); + + // Grant ALL on column1 and column2 + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeCol1) + .getSequenceId()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeCol2) + .getSequenceId()); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + + // Revoke SELECT on column2 + privilegeCol2.setAction(AccessConstants.SELECT); + assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2) + .getSequenceId()); + // after having ALL and revoking SELECT, we should have INSERT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + + // At this point column1 has ALL privileges and column2 should have INSERT after revoking SELECT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 2, privileges.size()); + for (TSentryPrivilege tPrivilege: privileges) { + assertEquals(server, tPrivilege.getServerName()); + assertEquals(db, tPrivilege.getDbName()); + assertEquals(table, tPrivilege.getTableName()); + assertEquals(TSentryGrantOption.FALSE, tPrivilege.getGrantOption()); + if (tPrivilege.getColumnName().equals(column1)) { + assertEquals(AccessConstants.ALL, tPrivilege.getAction()); + } else if (tPrivilege.getColumnName().equals(column2)) { + assertEquals(AccessConstants.INSERT, tPrivilege.getAction()); + } else { + fail("Unexpected column name: " + tPrivilege.getColumnName()); + } + } + + // Revoke INSERT on Database + privilegeCol2.setAction(AccessConstants.INSERT); + privilegeCol2.setPrivilegeScope("DATABASE"); + privilegeCol2.unsetTableName(); + privilegeCol2.unsetColumnName(); + assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2) + .getSequenceId()); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + + // after revoking INSERT database level privilege will remove privileges from column2 + // and downgrade column1 to SELECT privileges. + assertEquals(privileges.toString(), 1, privileges.size()); + TSentryPrivilege tPrivilege = Iterables.get(privileges, 0); + assertEquals(server, tPrivilege.getServerName()); + assertEquals(db, tPrivilege.getDbName()); + assertEquals(table, tPrivilege.getTableName()); + assertEquals(column1, tPrivilege.getColumnName()); + assertEquals(AccessConstants.SELECT, tPrivilege.getAction()); + assertEquals(TSentryGrantOption.FALSE, tPrivilege.getGrantOption()); + } + + @Test + public void testGrantRevokePrivilegeWithGrantOption() throws Exception { + String roleName = "test-grantOption-table"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + TSentryGrantOption grantOption = TSentryGrantOption.TRUE; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + privilege.setGrantOption(grantOption); + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + assertEquals(privilege.getGrantOption(), Iterables.get(privileges, 0).getGrantOption()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) + .getSequenceId()); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(0, privileges.size()); + + roleName = "test-grantOption-db"; + sentryStore.createSentryRole(roleName); + privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("DATABASE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setAction(AccessConstants.ALL); + privilege.setGrantOption(TSentryGrantOption.TRUE); + privilege.setCreateTime(System.currentTimeMillis()); + privilege.setGrantOption(grantOption); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + + privilege.setAction(AccessConstants.SELECT); + privilege.setGrantOption(TSentryGrantOption.UNSET); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege); + // after having ALL and revoking SELECT, we should have INSERT + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + Set<String> privActions = new HashSet<String>(); + assertEquals(privileges.toString(), 5, privileges.size()); + for (TSentryPrivilege p : privileges) { + privActions.add(p.getAction()); + } + TSentryPrivilege tPrivilege = Iterables.get(privileges, 0); + assertEquals(server, tPrivilege.getServerName()); + assertEquals(db, tPrivilege.getDbName()); + assertFalse(privActions.contains(AccessConstants.SELECT)); + } + + @Test + public void testGrantCheckWithGrantOption() throws Exception { + // 1. set local group mapping + // user0->group0->role0 + // user1->group1->role1 + // user2->group2->role2 + // user3->group3->role3 + // user4->group4->role4 + String grantor = "g1"; + String[] users = {"user0","user1","user2","user3","user4"}; + String[] roles = {"role0","role1","role2","role3","role4"}; + String[] groups = {"group0","group1","group2","group3","group4"}; + for (int i = 0; i < users.length; i++) { + addGroupsToUser(users[i], groups[i]); + sentryStore.createSentryRole(roles[i]); + Set<TSentryGroup> tGroups = Sets.newHashSet(); + TSentryGroup tGroup = new TSentryGroup(groups[i]); + tGroups.add(tGroup); + sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups); + } + writePolicyFile(); + + // 2. g1 grant all on database db1 to role0 with grant option + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String roleName = roles[0]; + grantor = "g1"; + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("DATABASE"); + privilege1.setServerName(server); + privilege1.setDbName(db); + privilege1.setAction(AccessConstants.ALL); + privilege1.setCreateTime(System.currentTimeMillis()); + privilege1.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + + // 3. user0 grant select on database db1 to role1, with grant option + roleName = roles[1]; + grantor = users[0]; + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("DATABASE"); + privilege2.setServerName(server); + privilege2.setDbName(db); + privilege2.setAction(AccessConstants.SELECT); + privilege2.setCreateTime(System.currentTimeMillis()); + privilege2.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2); + + // 4. user0 grant all on table tb1 to role2, no grant option + roleName = roles[2]; + grantor = users[0]; + TSentryPrivilege privilege3 = new TSentryPrivilege(); + privilege3.setPrivilegeScope("TABLE"); + privilege3.setServerName(server); + privilege3.setDbName(db); + privilege3.setTableName(table); + privilege3.setAction(AccessConstants.ALL); + privilege3.setCreateTime(System.currentTimeMillis()); + privilege3.setGrantOption(TSentryGrantOption.FALSE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3); + + // 5. user1 has role1, no insert privilege, + // grant insert to role3, will throw no grant exception + roleName = roles[3]; + grantor = users[1]; + TSentryPrivilege privilege4 = new TSentryPrivilege(); + privilege4.setPrivilegeScope("DATABASE"); + privilege4.setServerName(server); + privilege4.setDbName(db); + privilege4.setAction(AccessConstants.INSERT); + privilege4.setCreateTime(System.currentTimeMillis()); + privilege4.setGrantOption(TSentryGrantOption.FALSE); + boolean isGrantOptionException = false; + try { + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege4); + } catch (SentryGrantDeniedException e) { + isGrantOptionException = true; + System.err.println(e.getMessage()); + } + assertTrue(isGrantOptionException); + + // 6. user2 has role2, no grant option, + // grant insert to role4, will throw no grant exception + roleName = roles[4]; + grantor = users[2]; + TSentryPrivilege privilege5 = new TSentryPrivilege(); + privilege5.setPrivilegeScope("TABLE"); + privilege5.setServerName(server); + privilege5.setDbName(db); + privilege5.setTableName(table); + privilege5.setAction(AccessConstants.INSERT); + privilege5.setCreateTime(System.currentTimeMillis()); + privilege5.setGrantOption(TSentryGrantOption.FALSE); + isGrantOptionException = false; + + // TODO : FIgure out why this fails !! + try { + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege5); + } catch (SentryGrantDeniedException e) { + isGrantOptionException = true; + System.err.println(e.getMessage()); + } + assertTrue(isGrantOptionException); + } + + @Test + public void testRevokeCheckWithGrantOption() throws Exception { + // 1. set local group mapping + // user0->group0->role0 + // user1->group1->role1 + // user2->group2->role2 + String grantor = "g1"; + String[] users = {"user0","user1","user2"}; + String[] roles = {"role0","role1","role2"}; + String[] groups = {"group0","group1","group2"}; + for (int i = 0; i < users.length; i++) { + addGroupsToUser(users[i], groups[i]); + sentryStore.createSentryRole(roles[i]); + Set<TSentryGroup> tGroups = Sets.newHashSet(); + TSentryGroup tGroup = new TSentryGroup(groups[i]); + tGroups.add(tGroup); + sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups); + } + writePolicyFile(); + + // 2. g1 grant select on database db1 to role0, with grant option + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String roleName = roles[0]; + grantor = "g1"; + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("DATABASE"); + privilege1.setServerName(server); + privilege1.setDbName(db); + privilege1.setAction(AccessConstants.SELECT); + privilege1.setCreateTime(System.currentTimeMillis()); + privilege1.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + + // 3. g1 grant all on table tb1 to role1, no grant option + roleName = roles[1]; + grantor = "g1"; + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("TABLE"); + privilege2.setServerName(server); + privilege2.setDbName(db); + privilege2.setTableName(table); + privilege2.setAction(AccessConstants.ALL); + privilege2.setCreateTime(System.currentTimeMillis()); + privilege2.setGrantOption(TSentryGrantOption.FALSE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2); + + // 4. g1 grant select on table tb1 to role2, no grant option + roleName = roles[2]; + grantor = "g1"; + TSentryPrivilege privilege3 = new TSentryPrivilege(); + privilege3.setPrivilegeScope("TABLE"); + privilege3.setServerName(server); + privilege3.setDbName(db); + privilege3.setTableName(table); + privilege3.setAction(AccessConstants.SELECT); + privilege3.setCreateTime(System.currentTimeMillis()); + privilege3.setGrantOption(TSentryGrantOption.FALSE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3); + + // 5. user1 has role1, no grant option, + // revoke from role2 will throw no grant exception + roleName = roles[2]; + grantor = users[1]; + boolean isGrantOptionException = false; + try { + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3); + } catch (SentryGrantDeniedException e) { + isGrantOptionException = true; + System.err.println(e.getMessage()); + } + assertTrue(isGrantOptionException); + + // 6. user0 has role0, only have select, + // revoke all from role1 will throw no grant exception + roleName = roles[1]; + grantor = users[0]; + try { + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2); + } catch (SentryGrantDeniedException e) { + isGrantOptionException = true; + System.err.println(e.getMessage()); + } + assertTrue(isGrantOptionException); + + // 7. user0 has role0, has select and grant option, + // revoke select from role2 + roleName = roles[2]; + grantor = users[0]; + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(0, privileges.size()); + } + + @Test + public void testRevokeAllGrantOption() throws Exception { + // 1. set local group mapping + // user0->group0->role0 + String grantor = "g1"; + String[] users = {"user0"}; + String[] roles = {"role0"}; + String[] groups = {"group0"}; + for (int i = 0; i < users.length; i++) { + addGroupsToUser(users[i], groups[i]); + sentryStore.createSentryRole(roles[i]); + Set<TSentryGroup> tGroups = Sets.newHashSet(); + TSentryGroup tGroup = new TSentryGroup(groups[i]); + tGroups.add(tGroup); + sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups); + } + writePolicyFile(); + + // 2. g1 grant select on table tb1 to role0, with grant option + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String roleName = roles[0]; + grantor = "g1"; + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.SELECT); + privilege.setCreateTime(System.currentTimeMillis()); + privilege.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege); + + // 3. g1 grant select on table tb1 to role0, no grant option + roleName = roles[0]; + grantor = "g1"; + privilege.setGrantOption(TSentryGrantOption.FALSE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege); + + // 4. g1 revoke all privilege from role0 + roleName = roles[0]; + grantor = "g1"; + privilege.setGrantOption(TSentryGrantOption.UNSET); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 0, privileges.size()); + } + + @Test + public void testGrantCheckWithColumn() throws Exception { + // 1. set local group mapping + // user0->group0->role0 + // user1->group1->role1 + String grantor = "g1"; + String[] users = {"user0","user1"}; + String[] roles = {"role0","role1"}; + String[] groups = {"group0","group1"}; + for (int i = 0; i < users.length; i++) { + addGroupsToUser(users[i], groups[i]); + sentryStore.createSentryRole(roles[i]); + Set<TSentryGroup> tGroups = Sets.newHashSet(); + TSentryGroup tGroup = new TSentryGroup(groups[i]); + tGroups.add(tGroup); + sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups); + } + writePolicyFile(); + + // 2. g1 grant select on table tb1 to role0, with grant option + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + String roleName = roles[0]; + grantor = "g1"; + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("TABLE"); + privilege1.setServerName(server); + privilege1.setDbName(db); + privilege1.setTableName(table); + privilege1.setAction(AccessConstants.SELECT); + privilege1.setCreateTime(System.currentTimeMillis()); + privilege1.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + + // 3. user0 grant select on column tb1.c1 to role1, with grant option + roleName = roles[1]; + grantor = users[0]; + String column = "c1"; + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("COLUMN"); + privilege2.setServerName(server); + privilege2.setDbName(db); + privilege2.setTableName(table); + privilege2.setColumnName(column); + privilege2.setAction(AccessConstants.SELECT); + privilege2.setCreateTime(System.currentTimeMillis()); + privilege2.setGrantOption(TSentryGrantOption.TRUE); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2); + + // 4. user1 revoke table level privilege from user0, will throw grant denied exception + roleName = roles[0]; + grantor = users[1]; + boolean isGrantOptionException = false; + try { + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege1); + } catch (SentryGrantDeniedException e) { + isGrantOptionException = true; + System.err.println(e.getMessage()); + } + assertTrue(isGrantOptionException); + + // 5. user0 revoke column level privilege from user1 + roleName = roles[1]; + grantor = users[0]; + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2); + privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(0, privileges.size()); + } + + @Test + public void testGrantDuplicatePrivilege() throws Exception { + String roleName = "test-privilege"; + String grantor = "g1"; + String server = "server1"; + String db = "db1"; + String table = "tbl1"; + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName(server); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setAction(AccessConstants.ALL); + privilege.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + privilege.setServerName("Server1"); + privilege.setDbName("DB1"); + privilege.setTableName("TBL1"); + assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) + .getSequenceId()); + Set<TSentryPrivilege> privileges = sentryStore.getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(privileges.toString(), 1, privileges.size()); + } + + @Test + public void testListSentryPrivilegesForProvider() throws Exception { + String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2"; + String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2"; + String grantor = "g1"; + long seqId = sentryStore.createSentryRole(roleName1).getSequenceId(); + assertEquals(seqId + 1, sentryStore.createSentryRole(roleName2).getSequenceId()); + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("TABLE"); + privilege1.setServerName("server1"); + privilege1.setDbName("db1"); + privilege1.setTableName("tbl1"); + privilege1.setAction("SELECT"); + privilege1.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1) + .getSequenceId()); + assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege1) + .getSequenceId()); + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("SERVER"); + privilege2.setServerName("server1"); + privilege2.setAction(AccessConstants.ALL); + privilege2.setCreateTime(System.currentTimeMillis()); + assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2) + .getSequenceId()); + Set<TSentryGroup> groups = Sets.newHashSet(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName(groupName1); + groups.add(group); + assertEquals(seqId + 5, sentryStore.alterSentryRoleAddGroups(grantor, + roleName1, groups).getSequenceId()); + groups.clear(); + group = new TSentryGroup(); + group.setGroupName(groupName2); + groups.add(group); + // group 2 has both roles 1 and 2 + assertEquals(seqId + 6, sentryStore.alterSentryRoleAddGroups(grantor, + roleName1, groups).getSequenceId()); + assertEquals(seqId + 7, sentryStore.alterSentryRoleAddGroups(grantor, + roleName2, groups).getSequenceId()); + // group1 all roles + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(true, new HashSet<String>())))); + // one active role + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); + // unknown active role + assertEquals(Sets.newHashSet(), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); + // no active roles + assertEquals(Sets.newHashSet(), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + new TSentryActiveRoleSet(false, new HashSet<String>())))); + + // group2 all roles + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(true, new HashSet<String>())))); + // one active role + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); + assertEquals(Sets.newHashSet( + "server=server1->db=db1->table=tbl1->action=select", "server=server1"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); + // unknown active role + assertEquals(Sets.newHashSet(), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); + // no active roles + assertEquals(Sets.newHashSet(), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + new TSentryActiveRoleSet(false, new HashSet<String>())))); + + // both groups, all active roles + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(true, new HashSet<String>())))); + // one active role + assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); + assertEquals(Sets.newHashSet( + "server=server1->db=db1->table=tbl1->action=select", "server=server1"), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); + // unknown active role + assertEquals(Sets.newHashSet(), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); +// // no active roles + assertEquals(Sets.newHashSet(), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + newHashSet(groupName1, groupName2), + new TSentryActiveRoleSet(false, new HashSet<String>())))); + } + + @Test + public void testListRole() throws Exception { + String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3"; + String group1 = "group1", group2 = "group2"; + String grantor = "g1"; + + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + sentryStore.createSentryRole(roleName3); + + sentryStore.alterSentryRoleAddGroups(grantor, roleName1, Sets.newHashSet(new TSentryGroup(group1))); + sentryStore.alterSentryRoleAddGroups(grantor, roleName2, Sets.newHashSet(new TSentryGroup(group2))); + sentryStore.alterSentryRoleAddGroups(grantor, roleName3, + Sets.newHashSet(new TSentryGroup(group1), new TSentryGroup(group2))); + + assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1), false).size()); + assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group2), false).size()); + assertEquals(3, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1,group2), false).size()); +// assertEquals(0, +// sentryStore.getTSentryRolesByGroupName(Sets.newHashSet("foo"), true) +// .size()); + } + + /*** + * Create roles and assign privileges for same table rename the privileges for + * the table and verify the new privileges + * @throws Exception + */ + @Test + public void testRenameTable() throws Exception { + String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3"; + String grantor = "g1"; + String table1 = "tbl1", table2 = "tbl2"; + + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + sentryStore.createSentryRole(roleName3); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName(table1); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( + privilege_tbl1); + privilege_tbl1_insert.setAction(AccessConstants.INSERT); + + TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege( + privilege_tbl1); + privilege_tbl1_select.setAction(AccessConstants.SELECT); + + TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_all.setAction(AccessConstants.ALL); + + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_select); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege_tbl1_all); + + TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1); + TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1); + newTable.setTable(table2); + sentryStore.renamePrivilege(oldTable, newTable); + + for (String roleName : Sets.newHashSet(roleName1, roleName2, roleName3)) { + Set<TSentryPrivilege> privilegeSet = sentryStore + .getAllTSentryPrivilegesByRoleName(roleName); + assertEquals(1, privilegeSet.size()); + for (TSentryPrivilege privilege : privilegeSet) { + assertTrue(table2.equalsIgnoreCase(privilege.getTableName())); + } + } + } + + @Test + public void testSentryRoleSize() throws Exception { + for( long i = 0; i< 5; i++ ) { + assertEquals(i, sentryStore.getRoleCount()); + sentryStore.createSentryRole("role" + i); + } + } + + @Test + public void testSentryPrivilegeSize() throws Exception { + String role1 = "role1"; + String role2 = "role2"; + + sentryStore.createSentryRole(role1); + sentryStore.createSentryRole(role2); + + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope("TABLE"); + privilege.setServerName("server1"); + privilege.setDbName("db1"); + privilege.setTableName("tb1"); + privilege.setCreateTime(System.currentTimeMillis()); + + String grantor = "g1"; + + assertEquals(0, sentryStore.getPrivilegeCount()); + + sentryStore.alterSentryRoleGrantPrivilege(grantor, role1, privilege); + assertEquals(1, sentryStore.getPrivilegeCount()); + + sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege); + // TODO : figure out why the discrepency + assertEquals(2, sentryStore.getPrivilegeCount()); + + privilege.setTableName("tb2"); + sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege); + assertEquals(3, sentryStore.getPrivilegeCount()); + } + + @Test + public void testSentryGroupsSize() throws Exception { + String role1 = "role1"; + String role2 = "role2"; + + sentryStore.createSentryRole(role1); + sentryStore.createSentryRole(role2); + + Set<TSentryGroup> groups = Sets.newHashSet(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName("group1"); + groups.add(group); + + String grantor = "g1"; + + sentryStore.alterSentryRoleAddGroups(grantor, role1, groups); + assertEquals(1, sentryStore.getGroupCount()); + + sentryStore.alterSentryRoleAddGroups(grantor, role2, groups); + assertEquals(1, sentryStore.getGroupCount()); + + groups.add(new TSentryGroup("group2")); + sentryStore.alterSentryRoleAddGroups(grantor, role2, groups); + assertEquals(2, sentryStore.getGroupCount()); + } + + @Test + public void testRenameTableWithColumn() throws Exception { + String roleName1 = "role1", roleName2 = "role2"; + String grantor = "g1"; + String table1 = "tbl1", table2 = "tbl2"; + + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + + TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); + privilege_tbl1.setPrivilegeScope("TABLE"); + privilege_tbl1.setServerName("server1"); + privilege_tbl1.setDbName("db1"); + privilege_tbl1.setTableName(table1); + privilege_tbl1.setAction(AccessConstants.SELECT); + privilege_tbl1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c1.setPrivilegeScope("COLUMN"); + privilege_tbl1_c1.setColumnName("c1"); + privilege_tbl1_c1.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c2.setPrivilegeScope("COLUMN"); + privilege_tbl1_c2.setColumnName("c2"); + privilege_tbl1_c2.setCreateTime(System.currentTimeMillis()); + + TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1); + privilege_tbl1_c3.setPrivilegeScope("COLUMN"); + privilege_tbl1_c3.setColumnName("c3"); + privilege_tbl1_c3.setCreateTime(System.currentTimeMillis()); + + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3); + + Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1); + assertEquals(2, privilegeSet.size()); + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2); + assertEquals(1, privilegeSet.size()); + + TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1); + TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1); + newTable.setTable(table2); + sentryStore.renamePrivilege(oldTable, newTable); + + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1); + assertEquals(2, privilegeSet.size()); + for (TSentryPrivilege privilege : privilegeSet) { + assertTrue(table2.equalsIgnoreCase(privilege.getTableName())); + } + privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2); + assertEquals(1, privilegeSet.size()); + } + + private TSentryAuthorizable toTSentryAuthorizable( + TSentryPrivilege tSentryPrivilege) { + TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); + tSentryAuthorizable.setServer(tSentryPrivilege.getServerName()); + tSentryAuthorizable.setDb(tSentryPrivilege.getDbName()); + tSentryAuthorizable.setTable(tSentryPrivilege.getTableName()); + tSentryAuthorizable.setUri(tSentryPrivilege.getURI()); + return tSentryAuthorizable; + } +}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index 8fbe3f4..73b4b7b 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java @@ -56,7 +56,7 @@ import com.google.common.io.Files; public class TestSentryStore { private File dataDir; - private SentryStore sentryStore; + private DbSentryStore sentryStore; private String[] adminGroups = {"adminGroup1"}; private PolicyFile policyFile; private File policyFilePath; @@ -76,7 +76,7 @@ public class TestSentryStore { conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath()); policyFile = new PolicyFile(); - sentryStore = new SentryStore(conf); + sentryStore = new DbSentryStore(conf); String adminUser = "g1"; addGroupsToUser(adminUser, adminGroups); @@ -1102,65 +1102,65 @@ public class TestSentryStore { roleName2, groups).getSequenceId()); // group1 all roles assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(true, new HashSet<String>())))); // one active role assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); // unknown active role assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); // no active roles assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), new TSentryActiveRoleSet(false, new HashSet<String>())))); // group2 all roles assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(true, new HashSet<String>())))); // one active role assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); assertEquals(Sets.newHashSet( "server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); // unknown active role assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); // no active roles assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), new TSentryActiveRoleSet(false, new HashSet<String>())))); // both groups, all active roles assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(true, new HashSet<String>())))); // one active role assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1))))); assertEquals(Sets.newHashSet( "server=server1->db=db1->table=tbl1->action=select", "server=server1"), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2))))); // unknown active role assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, Sets.newHashSet("not a role"))))); // no active roles assertEquals(Sets.newHashSet(), - SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. + StoreUtils.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets. newHashSet(groupName1, groupName2), new TSentryActiveRoleSet(false, new HashSet<String>())))); } @@ -1515,7 +1515,7 @@ public class TestSentryStore { @Test public void testSentryRoleSize() throws Exception { for( long i = 0; i< 5; i++ ) { - assertEquals((Long)i, sentryStore.getRoleCountGauge().getValue()); + assertEquals(i, sentryStore.getRoleCount()); sentryStore.createSentryRole("role" + i); } } @@ -1536,17 +1536,17 @@ public class TestSentryStore { String grantor = "g1"; - assertEquals(new Long(0), sentryStore.getPrivilegeCountGauge().getValue()); + assertEquals(0, sentryStore.getPrivilegeCount()); sentryStore.alterSentryRoleGrantPrivilege(grantor, role1, privilege); - assertEquals(new Long(1), sentryStore.getPrivilegeCountGauge().getValue()); + assertEquals(1, sentryStore.getPrivilegeCount()); sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege); - assertEquals(new Long(1), sentryStore.getPrivilegeCountGauge().getValue()); + assertEquals(1, sentryStore.getPrivilegeCount()); privilege.setTableName("tb2"); sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege); - assertEquals(new Long(2), sentryStore.getPrivilegeCountGauge().getValue()); + assertEquals(2, sentryStore.getPrivilegeCount()); } @Test @@ -1565,14 +1565,14 @@ public class TestSentryStore { String grantor = "g1"; sentryStore.alterSentryRoleAddGroups(grantor, role1, groups); - assertEquals(new Long(1), sentryStore.getGroupCountGauge().getValue()); + assertEquals(1, sentryStore.getGroupCount()); sentryStore.alterSentryRoleAddGroups(grantor, role2, groups); - assertEquals(new Long(1), sentryStore.getGroupCountGauge().getValue()); + assertEquals(1, sentryStore.getGroupCount()); groups.add(new TSentryGroup("group2")); sentryStore.alterSentryRoleAddGroups(grantor, role2, groups); - assertEquals(new Long(2), sentryStore.getGroupCountGauge().getValue()); + assertEquals(2, sentryStore.getGroupCount()); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java index 922cbc2..2e6f190 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java @@ -32,55 +32,55 @@ public class TestSentryStoreToAuthorizable { public void testServer() { privilege = new MSentryPrivilege(null, null, "server1", null, null, null, null, null); assertEquals("server=server1", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", null, null, null, null, AccessConstants.ALL); assertEquals("server=server1", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); } @Test public void testTable() { privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, null); assertEquals("server=server1->db=db1->table=tbl1", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, AccessConstants.INSERT); assertEquals("server=server1->db=db1->table=tbl1->action=insert", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, AccessConstants.SELECT); assertEquals("server=server1->db=db1->table=tbl1->action=select", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", "db1", "tbl1", null, null, AccessConstants.ALL); assertEquals("server=server1->db=db1->table=tbl1", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); } @Test public void testDb() { privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, null, null); assertEquals("server=server1->db=db1", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", "db1", null, null, null, AccessConstants.ALL); assertEquals("server=server1->db=db1", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); } @Test public void testUri() { privilege = new MSentryPrivilege(null, null, "server1", null, null, null, "file:///", null); assertEquals("server=server1->uri=file:///", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", null, null, null, "file:///", AccessConstants.SELECT); assertEquals("server=server1->uri=file:///->action=select", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, null, "server1", null, null, null, "file:///", AccessConstants.ALL); assertEquals("server=server1->uri=file:///", - SentryStore.toAuthorizable(privilege)); + StoreUtils.toAuthorizable(privilege)); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithFileLog.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithFileLog.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithFileLog.java new file mode 100644 index 0000000..08d212b --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithFileLog.java @@ -0,0 +1,156 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import java.io.File; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.provider.db.service.persistent.FileLog.Entry; +import org.apache.sentry.provider.db.service.thrift.TSentryStoreOp; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.io.Files; + +public class TestSentryStoreWithFileLog { + + private String logDir; + + @Before + public void setup() { + logDir = Files.createTempDir().getAbsolutePath(); + System.out.println("Creating dir : [" + logDir + "]"); + } + + @After + public void tearDown() { + File l = new File(logDir); + for (File f : l.listFiles()) { + f.delete(); + } + l.delete(); + } + + @Test + public void testBasicStoreOperations() throws Exception { + Configuration conf = new Configuration(false); + conf.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir); + SentryStoreWithFileLog store = new SentryStoreWithFileLog(new InMemSentryStore(conf)); + store.createSentryRole("role1"); + store.createSentryRole("role2"); + store.createSentryRole("role3"); + store.stop(); + + FileLog fileLog = new FileLog(conf); + Assert.assertTrue(fileLog.hasNext()); + Entry next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role1", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role2", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role3", next.record.getRoleName()); + Assert.assertFalse(fileLog.hasNext()); + fileLog.close(); + + store = new SentryStoreWithFileLog(new InMemSentryStore(conf)); + Assert.assertEquals(3, store.getRoleCount()); + store.dropSentryRole("role3"); + store.dropSentryRole("role2"); + store.dropSentryRole("role1"); + store.stop(); + + fileLog = new FileLog(conf); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.DROP_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role3", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.DROP_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role2", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.DROP_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role1", next.record.getRoleName()); + Assert.assertFalse(fileLog.hasNext()); + fileLog.close(); + + store = new SentryStoreWithFileLog(new InMemSentryStore(conf)); + Assert.assertEquals(0, store.getRoleCount()); + store.stop(); + } + + @Test + public void testLogSnapshotting() throws Exception { + Configuration conf = new Configuration(false); + conf.setInt(SentryStoreWithFileLog.SENTRY_STORE_FILE_LOG_SNAPSHOT_THRESHOLD, 2); + conf.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir); + SentryStoreWithFileLog store = new SentryStoreWithFileLog(new InMemSentryStore(conf)); + store.createSentryRole("role1"); + store.createSentryRole("role2"); + store.createSentryRole("role3"); + store.createSentryRole("role4"); + store.createSentryRole("role5"); + store.stop(); + + FileLog fileLog = new FileLog(conf); + Assert.assertTrue(fileLog.hasNext()); + Entry next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.SNAPSHOT, next.record.getStoreOp()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertFalse(fileLog.hasNext()); + fileLog.close(); + + store = new SentryStoreWithFileLog(new InMemSentryStore(conf)); + Assert.assertEquals(5, store.getRoleCount()); + store.dropSentryRole("role3"); + store.dropSentryRole("role2"); + store.dropSentryRole("role1"); + store.stop(); + + fileLog = new FileLog(conf); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.SNAPSHOT, next.record.getStoreOp()); + Assert.assertFalse(fileLog.hasNext()); + fileLog.close(); + + store = new SentryStoreWithFileLog(new InMemSentryStore(conf)); + Assert.assertEquals(2, store.getRoleCount()); + store.stop(); + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithReplicatedLog.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithReplicatedLog.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithReplicatedLog.java new file mode 100644 index 0000000..04b5906 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreWithReplicatedLog.java @@ -0,0 +1,187 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import java.io.File; +import java.util.Set; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.provider.db.service.persistent.FileLog.Entry; +import org.apache.sentry.provider.db.service.thrift.TSentryGroup; +import org.apache.sentry.provider.db.service.thrift.TSentryStoreOp; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.Sets; +import com.google.common.io.Files; +import com.hazelcast.core.HazelcastInstance; + +public class TestSentryStoreWithReplicatedLog { + + private String logDir1; + private String logDir2; + private String logDir3; + + @Before + public void setup() { + logDir1 = Files.createTempDir().getAbsolutePath(); + System.out.println("Creating dir1 : [" + logDir1 + "]"); + logDir2 = Files.createTempDir().getAbsolutePath(); + System.out.println("Creating dir2 : [" + logDir2 + "]"); + logDir3 = Files.createTempDir().getAbsolutePath(); + System.out.println("Creating dir3 : [" + logDir2 + "]"); + } + + @After + public void tearDown() { + for (String s : new String[]{logDir1, logDir2, logDir3}) { + File l = new File(s); + for (File f : l.listFiles()) { + f.delete(); + } + l.delete(); + } + } + + @Test + public void testSimpleCase() throws Exception { + Configuration conf1 = new Configuration(false); + conf1.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir1); + HazelcastInstance hInst1 = DistributedUtils.getHazelcastInstance(conf1, true); + SentryStoreWithReplicatedLog store1 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf1), hInst1); + + Configuration conf2 = new Configuration(false); + conf2.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir2); + HazelcastInstance hInst2 = DistributedUtils.getHazelcastInstance(conf2, true); + SentryStoreWithReplicatedLog store2 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf2), hInst2); + + store1.createSentryRole("role1"); + store1.alterSentryRoleAddGroups("admin", "role1", + Sets.newHashSet( + new TSentryGroup("group1"), + new TSentryGroup("group2"))); + store1.alterSentryRoleDeleteGroups("role1", + Sets.newHashSet(new TSentryGroup("group2"))); + + store2.waitForReplicattionToComplete(2000); + FileLog fileLog = new FileLog(conf2); + Assert.assertTrue(fileLog.hasNext()); + Entry next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role1", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.ADD_GROUPS, next.record.getStoreOp()); + Assert.assertEquals("role1", next.record.getRoleName()); + Assert.assertEquals(Sets.newHashSet("group1", "group2"), next.record.getGroups()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.DEL_GROUPS, next.record.getStoreOp()); + Assert.assertEquals("role1", next.record.getRoleName()); + Assert.assertEquals(Sets.newHashSet("group2"), next.record.getGroups()); + Assert.assertFalse(fileLog.hasNext()); + fileLog.close(); + + Assert.assertEquals(1, store2.getRoleCount()); + Assert.assertEquals(Sets.newHashSet("group1"), store2.getGroupsForRole("role1")); + hInst1.shutdown(); + hInst2.shutdown(); + } + + @Test + public void testSecondNodeAfterAWhile() throws Exception { + Configuration conf1 = new Configuration(false); + conf1.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir1); + HazelcastInstance hInst1 = DistributedUtils.getHazelcastInstance(conf1, true); + SentryStoreWithReplicatedLog store1 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf1), hInst1); + store1.createSentryRole("role1"); + store1.createSentryRole("role2"); + store1.createSentryRole("role3"); + + FileLog fileLog = new FileLog(conf1); + Assert.assertTrue(fileLog.hasNext()); + Entry next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role1", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role2", next.record.getRoleName()); + Assert.assertTrue(fileLog.hasNext()); + next = fileLog.next(); + Assert.assertEquals(TSentryStoreOp.CREATE_ROLE, next.record.getStoreOp()); + Assert.assertEquals("role3", next.record.getRoleName()); + Assert.assertFalse(fileLog.hasNext()); + fileLog.close(); + + Configuration conf2 = new Configuration(false); + conf2.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir2); + HazelcastInstance hInst2 = DistributedUtils.getHazelcastInstance(conf2, true); + SentryStoreWithReplicatedLog store2 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf2), hInst2); + Assert.assertEquals(3, store2.getRoleCount()); + hInst1.shutdown(); + hInst2.shutdown(); + } + + @Test + public void testThreeNodes() throws Exception { + Configuration conf1 = new Configuration(false); + conf1.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir1); + HazelcastInstance hInst1 = DistributedUtils.getHazelcastInstance(conf1, true); + SentryStoreWithReplicatedLog store1 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf1), hInst1); + + Configuration conf2 = new Configuration(false); + conf2.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir2); + HazelcastInstance hInst2 = DistributedUtils.getHazelcastInstance(conf2, true); + SentryStoreWithReplicatedLog store2 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf2), hInst2); + + store1.createSentryRole("role1"); + store1.alterSentryRoleAddGroups("admin", "role1", + Sets.newHashSet( + new TSentryGroup("group1"), + new TSentryGroup("group2"))); + store1.alterSentryRoleDeleteGroups("role1", + Sets.newHashSet(new TSentryGroup("group2"))); + + Configuration conf3 = new Configuration(false); + conf3.set(FileLog.SENTRY_FILE_LOG_STORE_LOCATION, logDir3); + HazelcastInstance hInst3 = DistributedUtils.getHazelcastInstance(conf3, true); + SentryStoreWithReplicatedLog store3 = new SentryStoreWithReplicatedLog(new InMemSentryStore(conf3), hInst3); + + store1.createSentryRole("role2"); + store1.alterSentryRoleAddGroups("admin", "role2", + Sets.newHashSet(new TSentryGroup("group3"))); + + Thread.sleep(2000); + Assert.assertEquals(2, store1.getRoleCount()); + Assert.assertEquals(Sets.newHashSet("group1"), store1.getGroupsForRole("role1")); + Assert.assertEquals(Sets.newHashSet("group3"), store1.getGroupsForRole("role2")); + Assert.assertEquals(2, store2.getRoleCount()); + Assert.assertEquals(Sets.newHashSet("group1"), store2.getGroupsForRole("role1")); + Assert.assertEquals(Sets.newHashSet("group3"), store2.getGroupsForRole("role2")); + Assert.assertEquals(2, store3.getRoleCount()); + Assert.assertEquals(Sets.newHashSet("group1"), store3.getGroupsForRole("role1")); + Assert.assertEquals(Sets.newHashSet("group3"), store3.getGroupsForRole("role2")); + hInst1.shutdown(); + hInst2.shutdown(); + hInst3.shutdown(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java index 0add58b..2428688 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java @@ -52,10 +52,10 @@ public class TestSentryVersion { @Test public void testVerifySentryVersionCheck() throws Exception { conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); - SentryStore sentryStore = new SentryStore(conf); + DbSentryStore sentryStore = new DbSentryStore(conf); sentryStore.stop(); conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "true"); - sentryStore = new SentryStore(conf); + sentryStore = new DbSentryStore(conf); } /** @@ -65,7 +65,7 @@ public class TestSentryVersion { */ @Test(expected = SentryNoSuchObjectException.class) public void testNegSentrySchemaDefault() throws Exception { - SentryStore sentryStore = new SentryStore(conf); + DbSentryStore sentryStore = new DbSentryStore(conf); } /** @@ -76,7 +76,7 @@ public class TestSentryVersion { @Test public void testSentryImplicitVersion() throws Exception { conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); - SentryStore sentryStore = new SentryStore(conf); + DbSentryStore sentryStore = new DbSentryStore(conf); assertEquals(SentryStoreSchemaInfo.getSentryVersion(), sentryStore.getSentryVersion()); }
