Repository: incubator-sentry Updated Branches: refs/heads/SENTRY-567 [created] 784ee6040
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestStoreSnapshot.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestStoreSnapshot.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestStoreSnapshot.java new file mode 100644 index 0000000..71f2de1 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestStoreSnapshot.java @@ -0,0 +1,95 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import java.util.Set; + +import junit.framework.Assert; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.SentryUserException; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.service.thrift.TSentryGroup; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.db.service.thrift.TStoreSnapshot; +import org.junit.Test; + +import com.google.common.collect.Sets; + +public class TestStoreSnapshot { + + static class DummyGroupMapper extends InMemSentryStore.GroupMapper { + + DummyGroupMapper(Configuration conf) { + super(conf); + } + + @Override + protected Set<String> getGroupsForUser(String user) + throws SentryUserException { + return Sets.newHashSet("admin"); + } + + @Override + protected Set<String> getAdminGroups() { + return Sets.newHashSet("admin"); + } + + @Override + protected boolean isInAdminGroup(Set<String> groups) + throws SentryUserException { + return true; + } + + } + @Test + public void testSnapshot() throws Exception { + Configuration conf = new Configuration(false); + InMemSentryStore store1 = new InMemSentryStore(conf, new DummyGroupMapper(conf)); + store1.createSentryRole("role1"); + store1.alterSentryRoleAddGroups("grantor", "role1", + Sets.newHashSet( + new TSentryGroup("group1"), + new TSentryGroup("group2"))); + TSentryPrivilege tPriv = new TSentryPrivilege("SERVER", "server1", AccessConstants.ALL); + tPriv.setGrantOption(TSentryGrantOption.TRUE); + store1.alterSentryRoleGrantPrivilege("grantor", "role1", tPriv); + tPriv = new TSentryPrivilege("DB", "server1", AccessConstants.SELECT); + tPriv.setDbName("db1"); + tPriv.setGrantOption(TSentryGrantOption.FALSE); + store1.alterSentryRoleGrantPrivilege("grantor", "role1", tPriv); + tPriv = new TSentryPrivilege("TABLE", "server1", AccessConstants.ALL); + tPriv.setDbName("db1"); + tPriv.setTableName("table1"); + tPriv.setGrantOption(TSentryGrantOption.UNSET); + store1.alterSentryRoleGrantPrivilege("grantor", "role1", tPriv); + Set<TSentryPrivilege> allPrivs1 = store1.getAllTSentryPrivilegesByRoleName("role1"); + + TStoreSnapshot snapshot = store1.toSnapshot(); + InMemSentryStore store2 = new InMemSentryStore(conf, new DummyGroupMapper(conf)); + store2.fromSnapshot(snapshot); + Assert.assertEquals( + Sets.newHashSet("group1", "group2"), + store2.getGroupsForRole("role1")); + Set<TSentryPrivilege> allPrivs2 = store2.getAllTSentryPrivilegesByRoleName("role1"); + Assert.assertEquals(allPrivs1, allPrivs2); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index 4a6cac9..815f1f8 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java @@ -22,12 +22,14 @@ import static junit.framework.Assert.assertEquals; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import java.util.Comparator; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; import java.util.TreeMap; +import java.util.TreeSet; import org.apache.sentry.SentryUserException; import org.apache.sentry.core.common.ActiveRoleSet; @@ -268,7 +270,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption); assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); - // Try to revoke the privilege without grantOption and can't revoke the privilege. +// // Try to revoke the privilege without grantOption and can't revoke the privilege. client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); @@ -296,8 +298,12 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); // Grant a privilege without 'Grant Option'. - client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); - assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size()); + // TODO : Do not think this is correct.. It shouldnt make sense for a Role + // to have both TRUE and FALSE grantoption on the same Authorizable Object.. + +// client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption); +// Set<TSentryPrivilege> lst = client.listAllPrivilegesByRoleName(requestorUserName, roleName); +// assertEquals(2, lst.size()); // Use 'grantOption = null', the two privileges will be revoked. client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null); @@ -531,7 +537,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); } @Test @@ -591,7 +597,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); } /** @@ -657,32 +663,32 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { // list privileges with null group and roles Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); // list privileges with empty group set and null roles authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, new HashSet<String>(), null); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); // list privileges with null group set and ALL roleset authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, new ActiveRoleSet(true)); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); // list privileges with user1's group set and null roles authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames1, null); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); // list privileges with user1's group set and ALL roles authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames1, new ActiveRoleSet(true)); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); // list privileges with null group and user's specific roles with uppercase name authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase()))); - assertEquals(expectedResults, authPrivMap); + fuzzyAssertEquals(expectedResults, authPrivMap); // verify that user1 can't query group2 try { @@ -762,4 +768,45 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { // expected } } + + private void fuzzyAssertEquals( + Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults, + Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap) { + assertEquals(expectedResults.size(), authPrivMap.size()); + for (Object mKey : expectedResults.keySet()) { + assertEquals(expectedResults.get(mKey).getPrivilegeMap().size(), + authPrivMap.get(mKey).getPrivilegeMap().size()); + for (Map.Entry<String, Set<TSentryPrivilege>> e : + expectedResults.get(mKey).getPrivilegeMap().entrySet()) { + assertTrue(authPrivMap.get(mKey).getPrivilegeMap().containsKey(e.getKey())); + Set<TSentryPrivilege> exp = createSpecialSet(); + exp.addAll(e.getValue()); + Set<TSentryPrivilege> act = createSpecialSet(); + act.addAll(authPrivMap.get(mKey).getPrivilegeMap().get(e.getKey())); + assertEquals(exp, act); + } + } + } + + private Set<TSentryPrivilege> createSpecialSet() { + return new TreeSet<TSentryPrivilege>(new Comparator<TSentryPrivilege>() { + @Override + public int compare(TSentryPrivilege o1, TSentryPrivilege o2) { + if (o1.getServerName().equalsIgnoreCase(o2.getServerName()) + &&o1.getDbName().equalsIgnoreCase(o2.getDbName()) + &&o1.getTableName().equalsIgnoreCase(o2.getTableName()) + &&o1.getColumnName().equalsIgnoreCase(o2.getColumnName()) + &&o1.getGrantOption().equals(o2.getGrantOption()) + &&(o1.getAction().equalsIgnoreCase(o2.getAction()) + ||(o1.getAction().equals("*")&&o2.getAction().equalsIgnoreCase("all")) + ||(o2.getAction().equals("*")&&o1.getAction().equalsIgnoreCase("all")))) { + return 0; + } else { + return o1.compareTo(o2); + } + } + }); + } + + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java index be14afd..44a6290 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java @@ -147,6 +147,9 @@ public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase dbDir = new File(Files.createTempDir(), "sentry_policy_db"); conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true"); + // InMem Db + dbDir.mkdirs(); + conf.set("sentry.store.type", "mem"); server = new SentryServiceFactory().create(conf); conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java index 4a475ba..f36dfdd 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java @@ -52,6 +52,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { @BeforeClass public static void setupTestStaticConfiguration() throws Exception{ useSentryService = true; + useFileStore = true; AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); } @@ -128,17 +129,52 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { @Test public void testGrantRevokeSELECTonDb() throws Exception { File dataFile = doSetupForGrantDbTests(); - + Connection connection = context.createConnection(ADMIN1); Statement statement = context.createStatement(connection); + // Test Db switch.. + statement.execute("USE " + DB1); + statement.close(); + connection.close(); + + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); // Grant only SELECT on Database statement.execute("GRANT SELECT ON DATABASE " + DB1 + " TO ROLE user_role"); + statement.close(); + connection.close(); + + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); + statement.execute("USE " + DB1); + statement.close(); + connection.close(); + + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); statement.execute("GRANT ALL ON URI 'file://" + dataFile.getPath() + "' TO ROLE user_role"); + statement.close(); + connection.close(); + + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); + statement.execute("USE " + DB1); + statement.close(); + connection.close(); + + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); statement.execute("GRANT ROLE user_role TO GROUP " + USERGROUP1); statement.close(); connection.close(); + connection = context.createConnection(ADMIN1); + statement = context.createStatement(connection); + statement.execute("USE " + DB1); + statement.close(); + connection.close(); + connection = context.createConnection(USER1_1); statement = context.createStatement(connection); // SELECT is allowed @@ -275,7 +311,6 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { statement.execute("CREATE TABLE t2 (c2 string)"); statement.close(); connection.close(); - return dataFile; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java index 2cecdfd..af2d3d9 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbDDLAuditLog.java @@ -68,6 +68,7 @@ public class TestDbDDLAuditLog extends AbstractTestWithStaticConfiguration { @BeforeClass public static void setupTestStaticConfiguration() throws Exception { + useInMemDb = true; useSentryService = true; AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger"); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java index acb789f..dff608a 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java @@ -43,6 +43,7 @@ public class TestDbEndToEnd extends AbstractTestWithStaticConfiguration { @BeforeClass public static void setupTestStaticConfiguration() throws Exception{ + useInMemDb = true; useSentryService = true; AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); } @@ -233,7 +234,7 @@ public class TestDbEndToEnd extends AbstractTestWithStaticConfiguration { // 8 connection = context.createConnection(USER1_1); statement = context.createStatement(connection); - statement.execute("USE " + DB2); + statement.execute("USE " + DB1); statement.execute("INSERT OVERWRITE TABLE " + DB2 + "." + tableName2 + " SELECT * FROM " + DB1 http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c88786/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java index f8cc1d0..b12df39 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java @@ -60,12 +60,15 @@ import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory; import org.apache.tools.ant.util.StringUtils; import org.junit.After; import org.junit.AfterClass; + import static org.junit.Assert.assertTrue; + import org.junit.Before; import org.junit.BeforeClass; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.base.Strings; import com.google.common.collect.Maps; import com.google.common.io.Files; @@ -128,6 +131,8 @@ public abstract class AbstractTestWithStaticConfiguration { protected static SentryService sentryServer; protected static Configuration sentryConf; protected static Context context; + protected static boolean useInMemDb; + protected static boolean useFileStore; protected final String semanticException = "SemanticException No valid privileges"; @@ -365,6 +370,17 @@ public abstract class AbstractTestWithStaticConfiguration { for (Map.Entry<String, String> entry : properties.entrySet()) { sentryConf.set(entry.getKey(), entry.getValue()); } + // InMem Db + if (useInMemDb || !Strings.isNullOrEmpty(System.getenv("USE_IN_MEM"))) { + baseDir.mkdirs(); + sentryConf.set("sentry.store.type", "mem"); + System.out.println("\n\n\n ****** Using InMem Store *******\n\n\n"); + } else if (useFileStore || !Strings.isNullOrEmpty(System.getenv("USE_FILE_STORE"))) { + baseDir.mkdirs(); + sentryConf.set("sentry.store.type", "file"); + System.out.println("\n\n\n ****** Using File Log Store *******\n\n\n"); + } + sentryServer = new SentryServiceFactory().create(sentryConf); properties.put(ClientConfig.SERVER_RPC_ADDRESS, sentryServer.getAddress() .getHostName());
