http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java new file mode 100644 index 0000000..2482eb4 --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImportExport.java @@ -0,0 +1,195 @@ +/* + * Copyright 2014 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.tests.e2e.hive; + +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.File; +import java.io.FileOutputStream; +import java.util.Map; +import java.util.Set; + +import org.apache.sentry.binding.hive.SentryPolicyFileFormatFactory; +import org.apache.sentry.binding.hive.SentryPolicyFileFormatter; +import org.apache.sentry.binding.hive.authz.SentryConfigTool; +import org.apache.sentry.provider.common.PolicyFileConstants; +import org.apache.sentry.provider.common.ProviderConstants; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Maps; +import com.google.common.collect.Sets; +import com.google.common.io.Resources; + +public class TestPolicyImportExport extends AbstractTestWithStaticConfiguration { + + // resources/testPolicyImport.ini is used for the import test and all the following + // privileges(PRIVILIEGE1...8) are defined the same as in testPolicyImport.ini, used for verifying + // the test result. + public static String PRIVILIEGE1 = "server=server1"; + public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false"; + public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true"; + public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert"; + public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert"; + public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true"; + public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true"; + public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert"; + + private SentryConfigTool configTool; + private Map<String, Map<String, Set<String>>> policyFileMappingData; + + @BeforeClass + public static void setupTestStaticConfiguration() throws Exception{ + useSentryService = true; + // add current user to admin group to get the permission for import/export + String requestorUserName = System.getProperty("user.name", ""); + StaticUserGroup.getStaticMapping().put(requestorUserName, ADMINGROUP); + AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); + } + + @Before + public void setup() throws Exception { + configTool = new SentryConfigTool(); + configTool.setPolicyFile(context.getPolicyFile().getPath()); + configTool.setupConfig(); + importAdminPrivilege(); + } + + private void importAdminPrivilege() throws Exception { + prepareForImport("testPolicyImportAdmin.ini"); + configTool.importPolicy(); + } + + private void prepareExceptedData() { + // test data for: + // [groups] + // group1=roleImport1,roleImport2 + // group2=roleImport1,roleImport2,roleImport3 + // group3=roleImport2,roleImport3 + // [roles] + // roleImport1=privilege1,privilege2,privilege3,privilege4 + // roleImport2=privilege3,privilege4,privilege5,privilege6 + // roleImport3=privilege5,privilege6,privilege7,privilege8 + policyFileMappingData = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap(); + groupRolesMap.put("group1", Sets.newHashSet("roleimport1", "roleimport2")); + groupRolesMap.put("group2", Sets.newHashSet("roleimport1", "roleimport2", "roleimport3")); + groupRolesMap.put("group3", Sets.newHashSet("roleimport2", "roleimport3")); + // the adminrole is defined in testPolicyImportAdmin.ini + groupRolesMap.put("admin", Sets.newHashSet("adminrole")); + rolePrivilegesMap.put("roleimport1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4)); + rolePrivilegesMap.put("roleimport2", + Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6)); + rolePrivilegesMap.put("roleimport3", + Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + // the adminrole is defined in testPolicyImportAdmin.ini + rolePrivilegesMap.put("adminrole", Sets.newHashSet(PRIVILIEGE1)); + policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap); + policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap); + + } + + @Test + public void testImportExportPolicy() throws Exception { + String importFileName = "testPolicyImport.ini"; + String exportFileName = "testPolicyExport.ini"; + File importFile = new File(dataDir, importFileName); + File exportFile = new File(dataDir, exportFileName); + FileOutputStream to = new FileOutputStream(importFile); + Resources.copy(Resources.getResource(importFileName), to); + to.close(); + configTool.setImportPolicyFilePath(importFile.getAbsolutePath()); + configTool.importPolicy(); + + configTool.setExportPolicyFilePath(exportFile.getAbsolutePath()); + configTool.exportPolicy(); + + SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory + .createFileFormatter(configTool.getAuthzConf()); + Map<String, Map<String, Set<String>>> exportMappingData = sentryPolicyFileFormatter.parse( + exportFile.getAbsolutePath(), configTool.getAuthzConf()); + + prepareExceptedData(); + validateSentryMappingData(exportMappingData, policyFileMappingData); + } + + @Test + public void testImportExportPolicyForError() throws Exception { + prepareForImport("testPolicyImportError.ini"); + try { + configTool.importPolicy(); + fail("IllegalArgumentException should be thrown for: Invalid key value: server [server]"); + } catch (IllegalArgumentException ex) { + // ignore + } + } + + private void prepareForImport(String resorceName) throws Exception { + File importFile = new File(dataDir, resorceName); + FileOutputStream to = new FileOutputStream(importFile); + Resources.copy(Resources.getResource(resorceName), to); + to.close(); + configTool.setImportPolicyFilePath(importFile.getAbsolutePath()); + } + + // verify the mapping data + public void validateSentryMappingData(Map<String, Map<String, Set<String>>> actualMappingData, + Map<String, Map<String, Set<String>>> expectedMappingData) { + validateGroupRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS), + expectedMappingData.get(PolicyFileConstants.GROUPS)); + validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES), + expectedMappingData.get(PolicyFileConstants.ROLES)); + } + + // verify the mapping data for [group,role] + private void validateGroupRolesMap(Map<String, Set<String>> actualMap, + Map<String, Set<String>> expectedMap) { + assertEquals(expectedMap.keySet().size(), actualMap.keySet().size()); + for (String groupName : actualMap.keySet()) { + Set<String> actualRoles = actualMap.get(groupName); + Set<String> expectedRoles = expectedMap.get(groupName); + assertEquals(actualRoles.size(), expectedRoles.size()); + assertTrue(actualRoles.equals(expectedRoles)); + } + } + + // verify the mapping data for [role,privilege] + private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap, + Map<String, Set<String>> expectedMap) { + assertEquals(expectedMap.keySet().size(), actualMap.keySet().size()); + for (String roleName : actualMap.keySet()) { + Set<String> actualPrivileges = actualMap.get(roleName); + Set<String> exceptedPrivileges = expectedMap.get(roleName); + assertEquals(exceptedPrivileges.size(), actualPrivileges.size()); + for (String actualPrivilege : actualPrivileges) { + boolean isFound = exceptedPrivileges.contains(actualPrivilege); + if (!isFound) { + String withOptionPrivilege = ProviderConstants.AUTHORIZABLE_JOINER.join(actualPrivilege, + ProviderConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, + "false")); + isFound = exceptedPrivileges.contains(withOptionPrivilege); + } + assertTrue(isFound); + } + } + } +}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImport.ini ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImport.ini b/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImport.ini new file mode 100644 index 0000000..15fc5bf --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImport.ini @@ -0,0 +1,25 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[groups] +group1=roleImport1,roleImport2 +group2=roleImport1,roleImport2,roleImport3 +group3=roleImport2,roleImport3 +[roles] +roleImport1=server=server1,server=server1->action=select->grantoption=false,server=server1->db=db2->action=insert->grantoption=true,server=server1->db=db1->table=tbl1->action=insert +roleImport2=server=server1->db=db2->action=insert->grantoption=true,server=server1->db=db1->table=tbl1->action=insert,server=server1->db=db1->table=tbl2->column=col1->action=insert,server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true +roleImport3=server=server1->db=db1->table=tbl2->column=col1->action=insert,server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true,server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true,server=server1->uri=hdfs://testserver:9999/path2->action=insert http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportAdmin.ini ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportAdmin.ini b/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportAdmin.ini new file mode 100644 index 0000000..c778d05 --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportAdmin.ini @@ -0,0 +1,22 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[groups] +admin=adminRole + +[roles] +adminRole=server=server1 http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportError.ini ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportError.ini b/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportError.ini new file mode 100644 index 0000000..4d53f2b --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/resources/testPolicyImportError.ini @@ -0,0 +1,21 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[groups] +group1=roleImport1 +[roles] +roleImport1=server->db=db_1
