http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java new file mode 100644 index 0000000..9350a50 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java @@ -0,0 +1,899 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.persistent; + +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertTrue; + +import java.io.File; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.commons.io.FileUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.provider.db.service.model.MSentryGroup; +import org.apache.sentry.provider.db.service.model.MSentryPrivilege; +import org.apache.sentry.provider.db.service.model.MSentryRole; +import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.service.thrift.TSentryMappingData; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Maps; +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public class TestSentryStoreImportExport { + + private static File dataDir; + private static SentryStore sentryStore; + private static String[] adminGroups = { "adminGroup1" }; + private static PolicyFile policyFile; + private static File policyFilePath; + private TSentryPrivilege tSentryPrivilege1; + private TSentryPrivilege tSentryPrivilege2; + private TSentryPrivilege tSentryPrivilege3; + private TSentryPrivilege tSentryPrivilege4; + private TSentryPrivilege tSentryPrivilege5; + private TSentryPrivilege tSentryPrivilege6; + private TSentryPrivilege tSentryPrivilege7; + private TSentryPrivilege tSentryPrivilege8; + + @BeforeClass + public static void setupEnv() throws Exception { + dataDir = new File(Files.createTempDir(), "sentry_policy_db"); + Configuration conf = new Configuration(false); + conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); + conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + + ";create=true"); + conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "sentry"); + conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); + policyFilePath = new File(dataDir, "local_policy_file.ini"); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath()); + policyFile = new PolicyFile(); + sentryStore = new SentryStore(conf); + + String adminUser = "g1"; + addGroupsToUser(adminUser, adminGroups); + writePolicyFile(); + } + + @Before + public void setupPrivilege() { + preparePrivilege(); + } + + @After + public void clearStore() { + sentryStore.clearAllTables(); + } + + // create the privileges instance for test case: + // privilege1=[server=server1] + // privilege2=[server=server1, action=select, grantOption=false] + // privilege3=[server=server1, db=db2, action=insert, grantOption=true] + // privilege4=[server=server1, db=db1, table=tbl1, action=insert, grantOption=false] + // privilege5=[server=server1, db=db1, table=tbl2, column=col1, action=insert, grantOption=false] + // privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true] + // privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true] + // privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false] + private void preparePrivilege() { + tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "", + "", "", TSentryGrantOption.UNSET); + tSentryPrivilege2 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "", + "", AccessConstants.SELECT, TSentryGrantOption.FALSE); + tSentryPrivilege3 = createTSentryPrivilege(PrivilegeScope.DATABASE.name(), "server1", "db2", + "", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE); + tSentryPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db1", + "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + tSentryPrivilege5 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1", + "tbl2", "col1", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + tSentryPrivilege6 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1", + "tbl3", "col1", "", AccessConstants.ALL, TSentryGrantOption.TRUE); + tSentryPrivilege7 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1", + "tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE); + tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "", + "hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE); + } + + @AfterClass + public static void teardown() { + if (sentryStore != null) { + sentryStore.stop(); + } + if (dataDir != null) { + FileUtils.deleteQuietly(dataDir); + } + } + + protected static void addGroupsToUser(String user, String... groupNames) { + policyFile.addGroupsToUser(user, groupNames); + } + + protected static void writePolicyFile() throws Exception { + policyFile.write(policyFilePath); + } + + // Befor import, database is empty. + // The following information is imported: + // group1=role1,role2,role3 + // group2=role1,role2,role3 + // group3=role1,role2,role3 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy1() throws Exception { + TSentryMappingData tSentryMappingData = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap(); + sentryGroupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3")); + sentryGroupRolesMap.put("group2", Sets.newHashSet("Role1", "role2", "role3")); + sentryGroupRolesMap.put("group3", Sets.newHashSet("Role1", "role2", "role3")); + sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap); + tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap); + sentryStore.importSentryMetaData(tSentryMappingData, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has no duplicate data: + // The data for 1st import: + // group1=role1 + // role1=privilege1,privilege2,privilege3,privilege4 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege5,privilege6,privilege7,privilege8 + // role3=privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy2() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1")); + sentryRolePrivilegesMap1 + .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3, + tSentryPrivilege4)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2 + .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + sentryRolePrivilegesMap2 + .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + sentryStore.importSentryMetaData(tSentryMappingData2, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap + .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3, + tSentryPrivilege4)); + exceptedRolePrivilegesMap + .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + exceptedRolePrivilegesMap + .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7, + tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has data overlap: + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy3() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + sentryStore.importSentryMetaData(tSentryMappingData2, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has one role without group. + // The data for 1st import: + // group1=role1, role2 + // role1=privilege1,privilege2 + // role2=privilege3,privilege4 + // The data for 2nd import: + // group2=role2 + // role2=privilege5,privilege6 + // role3=privilege7,privilege8 + // role3 is without group, will be imported also + @Test + public void testImportExportPolicy4() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2)); + sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + sentryStore.importSentryMetaData(tSentryMappingData2, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2)); + exceptedRolePrivilegesMap + .put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // test for import mapping data for [group,role] only: + // group1=role1, role2 + @Test + public void testImportExportPolicy5() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1")); + + // test the result data for the privilege + assertTrue(privilegesList.isEmpty()); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + assertTrue(actualRolePrivilegesMap.isEmpty()); + } + + // test for filter the orphaned group: + // group1=role1, role2 + // group2=role2 + @Test + public void testImportExportPolicy6() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group2", Sets.newHashSet("role2")); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + sentryStore.importSentryMetaData(tSentryMappingData1, false); + + // drop the role2, the group2 is orphaned group + sentryStore.dropSentryRole("role2"); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2")); + + // test the result data for the privilege + assertTrue(privilegesList.isEmpty()); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + assertTrue(actualRolePrivilegesMap.isEmpty()); + } + + // call import twice, and there has no duplicate data, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1 + // role1=privilege1 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege2 + // role3=privilege2 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy7() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData1, true); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege2)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege2)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData2, true); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2)); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege2)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege2)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // call import twice, and there has data overlap, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy8() throws Exception { + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData1, true); + + TSentryMappingData tSentryMappingData2 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap(); + sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2); + tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData2, true); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3")); + + // test the result data for the privilege + verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5)); + // role2 should be overwrite + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5, + tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + // test the import privileges with the action: All, *, select, insert + // All and * should replace the select and insert + // The data for import: + // group1=role1, role2 + // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4 + // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8 + @Test + public void testImportExportPolicy9() throws Exception { + TSentryPrivilege testPrivilege1 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege2 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + TSentryPrivilege testPrivilege3 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege5 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege6 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); + TSentryPrivilege testPrivilege7 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.ALL, TSentryGrantOption.TRUE); + TSentryPrivilege testPrivilege8 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), + "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE); + + TSentryMappingData tSentryMappingData1 = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap(); + sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + // after import there should be only testPrivilege2, testPrivilege3 + sentryRolePrivilegesMap1.put("role1", + Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4)); + // after import there should be only testPrivilege6,testPrivilege7 + sentryRolePrivilegesMap1.put("role2", + Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8)); + tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1); + tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1); + // the import with overwrite mode + sentryStore.importSentryMetaData(tSentryMappingData1, true); + + Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap(); + Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameTGroupMap(); + + // test the result data for the role + verifyRoles(rolesMap, Sets.newHashSet("role1", "role2")); + + // test the result data for the group + verifyGroups(groupsMap, Sets.newHashSet("group1")); + + // test the mapping data for group and role + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // test the mapping data for role and privilege + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore + .getRoleNameTPrivilegesMap(); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + } + + private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) { + assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size()); + for (String roleName : actualRoleMap.keySet()) { + assertTrue(expectedRoleNameSet.contains(roleName)); + } + } + + private void verifyGroups(Map<String, MSentryGroup> actualGroupsMap, + Set<String> expectedGroupNameSet) { + assertEquals(expectedGroupNameSet.size(), actualGroupsMap.keySet().size()); + for (String groupName : actualGroupsMap.keySet()) { + assertTrue(expectedGroupNameSet.contains(groupName)); + } + } + + private void verifyPrivileges(List<MSentryPrivilege> actualPrivileges, + Set<TSentryPrivilege> expectedTSentryPrivilegeSet) { + assertEquals(expectedTSentryPrivilegeSet.size(), actualPrivileges.size()); + for (MSentryPrivilege mSentryPrivilege : actualPrivileges) { + boolean isFound = false; + for (TSentryPrivilege tSentryPrivilege : expectedTSentryPrivilegeSet) { + isFound = compareTSentryPrivilege(sentryStore.convertToTSentryPrivilege(mSentryPrivilege), + tSentryPrivilege); + if (isFound) { + break; + } + } + assertTrue(isFound); + } + } + + private void verifyGroupRolesMap(Map<String, Set<String>> actualGroupRolesMap, + Map<String, Set<String>> exceptedGroupRolesMap) { + assertEquals(exceptedGroupRolesMap.keySet().size(), actualGroupRolesMap.keySet().size()); + for (String groupName : actualGroupRolesMap.keySet()) { + Set<String> exceptedRoles = exceptedGroupRolesMap.get(groupName); + Set<String> actualRoles = actualGroupRolesMap.get(groupName); + assertEquals(actualRoles.size(), exceptedRoles.size()); + assertTrue(actualRoles.equals(exceptedRoles)); + } + } + + private void verifyRolePrivilegesMap(Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap, + Map<String, Set<TSentryPrivilege>> expectedRolePrivilegesMap) { + assertEquals(expectedRolePrivilegesMap.keySet().size(), actualRolePrivilegesMap.keySet().size()); + for (String roleName : expectedRolePrivilegesMap.keySet()) { + Set<TSentryPrivilege> exceptedTSentryPrivileges = expectedRolePrivilegesMap.get(roleName); + Set<TSentryPrivilege> actualTSentryPrivileges = actualRolePrivilegesMap.get(roleName); + assertEquals(exceptedTSentryPrivileges.size(), actualTSentryPrivileges.size()); + for (TSentryPrivilege actualPrivilege : actualTSentryPrivileges) { + boolean isFound = false; + for (TSentryPrivilege expectedPrivilege : exceptedTSentryPrivileges) { + isFound = compareTSentryPrivilege(expectedPrivilege, actualPrivilege); + if (isFound) { + break; + } + } + assertTrue(isFound); + } + } + } + + private TSentryPrivilege createTSentryPrivilege(String scope, String server, String dbName, + String tableName, String columnName, String uri, String action, TSentryGrantOption grantOption) { + TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); + tSentryPrivilege.setPrivilegeScope(scope); + tSentryPrivilege.setServerName(server); + tSentryPrivilege.setDbName(dbName); + tSentryPrivilege.setTableName(tableName); + tSentryPrivilege.setColumnName(columnName); + tSentryPrivilege.setURI(uri); + tSentryPrivilege.setAction(action); + tSentryPrivilege.setGrantOption(grantOption); + return tSentryPrivilege; + } + + // compare the TSentryPrivilege without the create time + private boolean compareTSentryPrivilege(TSentryPrivilege tSentryPrivilege1, + TSentryPrivilege tSentryPrivilege2) { + if (tSentryPrivilege1 == null) { + if (tSentryPrivilege2 == null) { + return true; + } else { + return false; + } + } else { + if (tSentryPrivilege2 == null) { + return false; + } + } + + boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope(); + boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope(); + if (this_present_privilegeScope || that_present_privilegeScope) { + if (!(this_present_privilegeScope && that_present_privilegeScope)) + return false; + if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase( + tSentryPrivilege2.getPrivilegeScope())) + return false; + } + + boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName(); + boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName(); + if (this_present_serverName || that_present_serverName) { + if (!(this_present_serverName && that_present_serverName)) + return false; + if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) + return false; + } + + boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName(); + boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName(); + if (this_present_dbName || that_present_dbName) { + if (!(this_present_dbName && that_present_dbName)) + return false; + if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) + return false; + } + + boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName(); + boolean that_present_tableName = true && tSentryPrivilege2.isSetTableName(); + if (this_present_tableName || that_present_tableName) { + if (!(this_present_tableName && that_present_tableName)) + return false; + if (!tSentryPrivilege1.getTableName().equalsIgnoreCase(tSentryPrivilege2.getTableName())) + return false; + } + + boolean this_present_URI = true && tSentryPrivilege1.isSetURI(); + boolean that_present_URI = true && tSentryPrivilege2.isSetURI(); + if (this_present_URI || that_present_URI) { + if (!(this_present_URI && that_present_URI)) + return false; + if (!tSentryPrivilege1.getURI().equalsIgnoreCase(tSentryPrivilege2.getURI())) + return false; + } + + boolean this_present_action = true && tSentryPrivilege1.isSetAction(); + boolean that_present_action = true && tSentryPrivilege2.isSetAction(); + if (this_present_action || that_present_action) { + if (!(this_present_action && that_present_action)) + return false; + if (!tSentryPrivilege1.getAction().equalsIgnoreCase(tSentryPrivilege2.getAction())) + return false; + } + + boolean this_present_grantOption = true && tSentryPrivilege1.isSetGrantOption(); + boolean that_present_grantOption = true && tSentryPrivilege2.isSetGrantOption(); + if (this_present_grantOption || that_present_grantOption) { + if (!(this_present_grantOption && that_present_grantOption)) + return false; + if (!tSentryPrivilege1.getGrantOption().equals(tSentryPrivilege2.getGrantOption())) + return false; + } + + boolean this_present_columnName = true && tSentryPrivilege1.isSetColumnName(); + boolean that_present_columnName = true && tSentryPrivilege2.isSetColumnName(); + if (this_present_columnName || that_present_columnName) { + if (!(this_present_columnName && that_present_columnName)) + return false; + if (!tSentryPrivilege1.getColumnName().equalsIgnoreCase(tSentryPrivilege2.getColumnName())) + return false; + } + + return true; + } +}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java new file mode 100644 index 0000000..9d0a2d6 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java @@ -0,0 +1,538 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.service.thrift; + +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.util.Map; +import java.util.Set; + +import org.apache.sentry.provider.common.PolicyFileConstants; +import org.apache.sentry.provider.common.ProviderConstants; +import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.common.collect.Maps; +import com.google.common.collect.Sets; + +public class TestSentryServiceImportExport extends SentryServiceIntegrationBase { + + // define the privileges + public static String PRIVILIEGE1 = "server=server1"; + public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false"; + public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true"; + public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert"; + public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert"; + public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true"; + public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true"; + public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert"; + + @BeforeClass + public static void setup() throws Exception { + kerberos = false; + setupConf(); + startSentryService(); + } + + @Before + public void preparePolicyFile() throws Exception { + super.before(); + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + } + + // Befor import, database is empty. + // The following information is imported: + // group1=role1,role2,role3 + // group2=role1,role2,role3 + // group3=role1,role2,role3 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importPolicy and export API exportPoicy are tested. + @Test + public void testImportExportPolicy1() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + Set<String> roles = Sets.newHashSet("role1", "role2", "role3"); + groupRolesMap.put("group1", roles); + groupRolesMap.put("group2", roles); + groupRolesMap.put("group3", roles); + Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap(); + for (String roleName : roles) { + rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, + PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + } + policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap); + policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap); + client.importPolicy(policyFileMappingData, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, + policyFileMappingData); + } + }); + } + + // call import twice, and there has no duplicate data: + // The data for 1st import: + // group1=role1 + // role1=privilege1,privilege2,privilege3,privilege4 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege5,privilege6,privilege7,privilege8 + // role3=privilege5,privilege6,privilege7,privilege8 + // Both import API importPolicy and export API exportPoicy are tested. + @Test + public void testImportExportPolicy2() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", + Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + rolePrivilegesMap2.put("role3", + Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + // for exceptedMappingData, combine policyFileMappingData1 and policyFileMappingData2 + exceptedMappingData.put(PolicyFileConstants.GROUPS, + policyFileMappingData1.get(PolicyFileConstants.GROUPS)); + exceptedMappingData.get(PolicyFileConstants.GROUPS).putAll( + policyFileMappingData2.get(PolicyFileConstants.GROUPS)); + exceptedMappingData.put(PolicyFileConstants.ROLES, + policyFileMappingData1.get(PolicyFileConstants.ROLES)); + exceptedMappingData.get(PolicyFileConstants.ROLES).putAll( + policyFileMappingData2.get(PolicyFileConstants.ROLES)); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // Call import twice, and there has overlapping groups + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importPolicy and export API exportPoicy are tested. + @Test + public void testImportExportPolicy3() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + rolePrivilegesMap1.put("role2", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + rolePrivilegesMap2.put("role3", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap(); + exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap(); + exceptedPrivilegesMap.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, + PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + exceptedPrivilegesMap.put("role3", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap); + exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // Only mapping data for [group,role] is imported: + // group1=role1,role2 + @Test + public void testImportExportPolicy4() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + Set<String> roles = Sets.newHashSet("role1", "role2"); + groupRolesMap.put("group1", roles); + Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap(); + policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap); + policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap); + client.importPolicy(policyFileMappingData, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, + policyFileMappingData); + } + }); + } + + // call import twice, and there has no duplicate data, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1 + // role1=privilege1 + // The data for 2nd import: + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege2 + // role3=privilege2 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy5() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", Sets.newHashSet(PRIVILIEGE1)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", Sets.newHashSet(PRIVILIEGE2)); + rolePrivilegesMap2.put("role3", Sets.newHashSet(PRIVILIEGE2)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap(); + exceptedRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedRolesMap.put("group2", Sets.newHashSet("role2", "role3")); + exceptedRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap(); + exceptedPrivilegesMap.put("role1", Sets.newHashSet(PRIVILIEGE1)); + exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE2)); + exceptedPrivilegesMap.put("role3", Sets.newHashSet(PRIVILIEGE2)); + exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap); + exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // call import twice, and there has data overlap, the import will be with the overwrite mode: + // The data for 1st import: + // group1=role1, role2 + // group2=role1, role2 + // group3=role1, role2 + // role1=privilege1,privilege2,privilege3,privilege4,privilege5 + // role2=privilege1,privilege2,privilege3,privilege4,privilege5 + // The data for 2nd import: + // group1=role2,role3 + // group2=role2,role3 + // group3=role2,role3 + // role2=privilege4,privilege5,privilege6,privilege7,privilege8 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap, + // getPrivilegesList are tested. + @Test + public void testImportExportPolicy6() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2")); + groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + rolePrivilegesMap1.put("role2", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3")); + groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role2", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + rolePrivilegesMap2.put("role3", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap(); + exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3")); + exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3")); + exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3")); + Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap(); + exceptedPrivilegesMap.put("role1", + Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5)); + exceptedPrivilegesMap.put("role2", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + exceptedPrivilegesMap.put("role3", + Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8)); + exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap); + exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // test the import privileges with the action: All, *, select, insert + // All and * should replace the select and insert + // The data for import: + // group1=role1, role2 + // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4 + // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8 + @Test + public void testImportExportPolicy7() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true"; + String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=false"; + String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true"; + String testPrivilege4 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true"; + String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true"; + String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=false"; + String testPrivilege7 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true"; + String testPrivilege8 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true"; + + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", + Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4)); + rolePrivilegesMap1.put("role2", + Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, true); + + Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap(); + Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap(); + exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap(); + exceptedPrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3)); + exceptedPrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7)); + exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap); + exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap); + + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // Call import twice, and there has overlapping actions, all and * should replace the select and + // insert + // The data for 1st import: + // group1=role1, role2 + // role1=privilege1(with select action),privilege2(with insert action) + // role2=privilege4(with select action),privilege5(with insert action) + // The data for 2nd import: + // group1=role1, role2 + // role1=privilege3(with all action) + // role2=privilege6(with * action) + @Test + public void testImportExportPolicy8() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true"; + String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true"; + String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true"; + String testPrivilege4 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true"; + String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true"; + String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true"; + + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + rolePrivilegesMap1.put("role1", Sets.newHashSet(testPrivilege1, testPrivilege2)); + rolePrivilegesMap1.put("role2", Sets.newHashSet(testPrivilege4, testPrivilege5)); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + client.importPolicy(policyFileMappingData1, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap(); + groupRolesMap2.put("group1", Sets.newHashSet("role1", "role2")); + Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap(); + rolePrivilegesMap2.put("role1", Sets.newHashSet(testPrivilege3)); + rolePrivilegesMap2.put("role2", Sets.newHashSet(testPrivilege6)); + policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2); + policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2); + client.importPolicy(policyFileMappingData2, ADMIN_USER, false); + + Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2; + Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER); + // all and * should replace the select and insert + validateSentryMappingData(sentryMappingData, exceptedMappingData); + } + }); + } + + // test the user not in the admin group can't do the import/export + @Test + public void testImportExportPolicy9() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap(); + Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap(); + Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap(); + policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1); + policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1); + try { + client.importPolicy(policyFileMappingData1, "no-admin-user", false); + fail("non-admin can't do the import."); + } catch (Exception e) { + // excepted exception + } + + try { + client.exportPolicy("no-admin-user"); + fail("non-admin can't do the export."); + } catch (Exception e) { + // excepted exception + } + } + }); + } + + // verify the mapping data + public void validateSentryMappingData( + Map<String, Map<String, Set<String>>> actualMappingData, + Map<String, Map<String, Set<String>>> expectedMappingData) { + validateGroupRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS), + expectedMappingData.get(PolicyFileConstants.GROUPS)); + validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES), + expectedMappingData.get(PolicyFileConstants.ROLES)); + } + + // verify the mapping data for [group,role] + private void validateGroupRolesMap(Map<String, Set<String>> actualMap, + Map<String, Set<String>> expectedMap) { + assertEquals(expectedMap.keySet().size(), actualMap.keySet().size()); + for (String groupName : actualMap.keySet()) { + Set<String> actualRoles = actualMap.get(groupName); + Set<String> expectedRoles = expectedMap.get(groupName); + assertEquals(actualRoles.size(), expectedRoles.size()); + assertTrue(actualRoles.equals(expectedRoles)); + } + } + + // verify the mapping data for [role,privilege] + private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap, + Map<String, Set<String>> expectedMap) { + assertEquals(expectedMap.keySet().size(), actualMap.keySet().size()); + for (String roleName : actualMap.keySet()) { + Set<String> actualPrivileges = actualMap.get(roleName); + Set<String> exceptedPrivileges = expectedMap.get(roleName); + assertEquals(exceptedPrivileges.size(), actualPrivileges.size()); + for (String actualPrivilege : actualPrivileges) { + boolean isFound = exceptedPrivileges.contains(actualPrivilege); + if (!isFound) { + String withOptionPrivilege = ProviderConstants.AUTHORIZABLE_JOINER.join(actualPrivilege, + ProviderConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, + "false")); + isFound = exceptedPrivileges.contains(withOptionPrivilege); + } + assertTrue(isFound); + } + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92cde111/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java deleted file mode 100644 index 7ebc0e4..0000000 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java +++ /dev/null @@ -1,199 +0,0 @@ -/* - * Copyright 2014 The Apache Software Foundation. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.tests.e2e.hive; - -import static org.junit.Assert.*; - -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; -import org.apache.sentry.SentryUserException; -import org.apache.sentry.binding.hive.authz.SentryConfigTool; -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.apache.sentry.provider.file.PolicyFile; -import org.apache.sentry.service.thrift.SentryServiceClientFactory; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -public class TestPolicyImport extends AbstractTestWithStaticConfiguration { - - private static String prefix; - private PolicyFile policyFile; - private SentryConfigTool configTool; - - @BeforeClass - public static void setupTestStaticConfiguration() throws Exception{ - useSentryService = true; - AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); - } - - @Before - public void setup() throws Exception { - policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP); - policyFile.addGroupsToUser("hive", ADMINGROUP); - policyFile.addGroupsToUser(ADMIN1, ADMINGROUP); - - configTool = new SentryConfigTool(); - String hiveServer2 = System.getProperty("sentry.e2etest.hiveServer2Type", - "InternalHiveServer2"); - String policyOnHDFS = System.getProperty( - "sentry.e2etest.hive.policyOnHDFS", "true"); - if (policyOnHDFS.trim().equalsIgnoreCase("true") - && (hiveServer2.equals("UnmanagedHiveServer2"))) { - String policyLocation = System.getProperty( - "sentry.e2etest.hive.policy.location", "/user/hive/sentry"); - prefix = "hdfs://" + policyLocation + "/"; - } else { - prefix = "file://" + context.getPolicyFile().getParent() + "/"; - } - - } - - @Test - public void testImportPolicy() throws Exception { - policyFile.addRolesToGroup("analyst", "analyst_role", "customers_select_role", "analyst_salary_role"); - policyFile.addRolesToGroup("jranalyst", "junior_analyst_role"); - policyFile.addRolesToGroup("manager", "analyst_role", "junior_analyst_role", - "customers_insert_role", "customers_select_role"); - policyFile.addRolesToGroup("customers_admin", "customers_admin_role"); - - policyFile.addPermissionsToRole("analyst_role", "server=server1->db=analyst_db", - "server=server1->db=jranalyst_db->table=*->action=select"); - policyFile.addPermissionsToRole("junior_analyst_role", "server=server1->db=jranalyst_db"); - policyFile.addPermissionsToRole("customers_admin_role", "server=server1->db=customers"); - policyFile.addPermissionsToRole("customers_insert_role", "server=server1->db=customers->table=*->action=insert"); - policyFile.addPermissionsToRole("customers_select_role", "server=server1->db=customers->table=*->action=select"); - policyFile.addPermissionsToRole("analyst_salary_role", "server=server1->db=customers->table=customer_info->column=salary->action=select"); - - policyFile.write(context.getPolicyFile()); - - configTool.setImportPolicy(true); - configTool.setPolicyFile(context.getPolicyFile().getPath()); - configTool.setupConfig(); - - configTool.importPolicy(); - - SentryPolicyServiceClient client = SentryServiceClientFactory.create(configTool.getAuthzConf()); - verifyRoles(client, "analyst", "analyst_role", "customers_select_role", "analyst_salary_role"); - verifyRoles(client, "jranalyst", "junior_analyst_role"); - verifyRoles(client, "manager", "analyst_role", "junior_analyst_role", - "customers_insert_role", "customers_select_role"); - verifyRoles(client, "customers_admin", "customers_admin_role"); - - verifyPrivileges(client, "analyst_role", - createPrivilege(AccessConstants.ALL, "analyst_db", null, null), - createPrivilege(AccessConstants.SELECT, "jranalyst_db", null, null)); - verifyPrivileges(client, "junior_analyst_role", - createPrivilege(AccessConstants.ALL, "jranalyst_db", null, null)); - verifyPrivileges(client, "customers_admin_role", - createPrivilege(AccessConstants.ALL, "customers", null, null)); - verifyPrivileges(client, "customers_insert_role", - createPrivilege(AccessConstants.INSERT, "customers", null, null)); - verifyPrivileges(client, "customers_select_role", - createPrivilege(AccessConstants.SELECT, "customers", null, null)); - verifyPrivileges(client, "analyst_salary_role", - createPrivilege(AccessConstants.SELECT, "customers", "customer_info", "salary", null)); - } - - private void verifyRoles(SentryPolicyServiceClient client, String group, String ... roles) throws SentryUserException { - Set<String> expectedRoles = new HashSet<String>(Arrays.asList(roles)); - Set<String> actualRoles = new HashSet<String>(); - - Set<TSentryRole> groupRoles = client.listRolesByGroupName("hive", group); - for (TSentryRole role : groupRoles) { - actualRoles.add(role.getRoleName()); - } - - assertEquals("Expected roles don't match.", expectedRoles, actualRoles); - } - - private void verifyPrivileges(SentryPolicyServiceClient client, String role, TSentryPrivilege ... privileges) throws SentryUserException { - Set<TSentryPrivilege> expectedPrivileges = new HashSet<TSentryPrivilege>(Arrays.asList(privileges)); - Set<TSentryPrivilege> actualPrivileges = client.listAllPrivilegesByRoleName("hive", role); - for (TSentryPrivilege privilege : actualPrivileges) { - privilege.unsetCreateTime(); - } - - assertEquals("Expected privileges don't match.", expectedPrivileges, actualPrivileges); - } - - private TSentryPrivilege createPrivilege(String action, String dbName, String tableName, String uri) { - String scope = "SERVER"; - if (uri != null) { - scope = "URI"; - } else if (dbName != null) { - if (tableName != null) { - scope = "TABLE"; - } else { - scope = "DATABASE"; - } - } - - TSentryPrivilege privilege = new TSentryPrivilege(scope, "server1", action); - if (dbName != null) { - privilege.setDbName(dbName); - } - - if (tableName != null) { - privilege.setDbName(tableName); - } - - if (uri != null) { - privilege.setURI(uri); - } - - return privilege; - } - - private TSentryPrivilege createPrivilege(String action, String dbName, String tableName, String columnName, String uri) { - String scope = "SERVER"; - if (uri != null) { - scope = "URI"; - } else if (dbName != null) { - if (columnName != null) { - scope = "COLUMN"; - } else if (tableName != null) { - scope = "TABLE"; - } else { - scope = "DATABASE"; - } - } - - TSentryPrivilege privilege = new TSentryPrivilege(scope, "server1", action); - if (dbName != null) { - privilege.setDbName(dbName); - } - - if (tableName != null) { - privilege.setTableName(tableName); - } - - if (columnName != null) { - privilege.setColumnName(columnName); - } - - if (uri != null) { - privilege.setURI(uri); - } - - return privilege; - } -}
