SENTRY-647: Add e2e tests for Sqoop Sentry integration (Guoquan Shen,reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/98761811 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/98761811 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/98761811 Branch: refs/heads/hive_plugin_v2 Commit: 987618115b39d33937a44c0bdcdde3ff0c6be2f3 Parents: c8d5fce Author: Guoquan Shen <[email protected]> Authored: Thu Jul 9 12:43:19 2015 +0800 Committer: Guoquan Shen <[email protected]> Committed: Thu Jul 9 12:43:19 2015 +0800 ---------------------------------------------------------------------- pom.xml | 1 + sentry-tests/pom.xml | 1 + sentry-tests/sentry-tests-sqoop/pom.xml | 153 +++++++++ .../e2e/sqoop/AbstractSqoopSentryTestBase.java | 225 +++++++++++++ .../tests/e2e/sqoop/StaticUserGroupRole.java | 62 ++++ .../tests/e2e/sqoop/TestConnectorEndToEnd.java | 111 +++++++ .../tests/e2e/sqoop/TestGrantPrivilege.java | 215 +++++++++++++ .../sentry/tests/e2e/sqoop/TestJobEndToEnd.java | 305 ++++++++++++++++++ .../tests/e2e/sqoop/TestLinkEndToEnd.java | 238 ++++++++++++++ .../tests/e2e/sqoop/TestOwnerPrivilege.java | 156 +++++++++ .../tests/e2e/sqoop/TestRevokePrivilege.java | 175 ++++++++++ .../tests/e2e/sqoop/TestRoleOperation.java | 209 ++++++++++++ .../e2e/sqoop/TestServerScopeEndToEnd.java | 185 +++++++++++ .../tests/e2e/sqoop/TestShowPrivilege.java | 92 ++++++ .../tests/e2e/sqoop/TomcatSqoopRunner.java | 320 +++++++++++++++++++ 15 files changed, 2448 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index c623819..839eb1d 100644 --- a/pom.xml +++ b/pom.xml @@ -754,6 +754,7 @@ limitations under the License. <exclude>**/datanucleus.log</exclude> <exclude>**/metastore_db/</exclude> <exclude>**/*.rej</exclude> + <exclude>**/thirdparty/</exclude> </excludes> </configuration> </execution> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-tests/pom.xml b/sentry-tests/pom.xml index 37f0f3e..c12b118 100644 --- a/sentry-tests/pom.xml +++ b/sentry-tests/pom.xml @@ -30,6 +30,7 @@ limitations under the License. <modules> <module>sentry-tests-hive</module> <module>sentry-tests-solr</module> + <module>sentry-tests-sqoop</module> </modules> </project> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/pom.xml b/sentry-tests/sentry-tests-sqoop/pom.xml new file mode 100644 index 0000000..491dbaa --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/pom.xml @@ -0,0 +1,153 @@ +<?xml version="1.0"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"; xmlns="http://maven.apache.org/POM/4.0.0"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";> + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-tests</artifactId> + <version>1.6.0-incubating-SNAPSHOT</version> + </parent> + + <artifactId>sentry-tests-sqoop</artifactId> + <name>Sentry Sqoop Tests</name> + <description>end to end tests for sentry-sqoop integration</description> + + <dependencies> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + </dependency> + <dependency> + <groupId>log4j</groupId> + <artifactId>log4j</artifactId> + <version>1.2.16</version> + </dependency> + <dependency> + <groupId>org.apache.sqoop</groupId> + <artifactId>test</artifactId> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + <exclusions> + <exclusion> + <groupId>javax.servlet</groupId> + <artifactId>servlet-api</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-minicluster</artifactId> + <exclusions> + <exclusion> + <groupId>javax.servlet</groupId> + <artifactId>servlet-api</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-servlet</artifactId> + <version>8.1.10.v20130312</version> + </dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-server</artifactId> + <version>8.1.10.v20130312</version> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-db</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-file</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-binding-sqoop</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-sqoop</artifactId> + </dependency> + <dependency> + <groupId>com.google.guava</groupId> + <artifactId>guava</artifactId> + </dependency> + </dependencies> + <profiles> + <profile> + <id>download-sqoop2</id> + <activation> + <activeByDefault>true</activeByDefault> + <property><name>!skipTests</name></property> + </activation> + <build> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-antrun-plugin</artifactId> + <configuration> + <skipTests>true</skipTests> + </configuration> + <executions> + <execution> + <id>download-sqoop2</id> + <phase>generate-sources</phase> + <goals> + <goal>run</goal> + </goals> + <configuration> + <target> + <echo file="target/download.sh"> + set -e + set -x + /bin/pwd + BASE_DIR=./target + DOWNLOAD_DIR=./thirdparty + download() { + url=$1; + packageName=$2 + if [[ ! -f $DOWNLOAD_DIR/$packageName ]] + then + wget --no-check-certificate -nv -O $DOWNLOAD_DIR/$packageName $url + fi + } + mkdir -p $DOWNLOAD_DIR + download "https://repository.apache.org/content/repositories/snapshots/org/apache/sqoop/sqoop-server/2.0.0-SNAPSHOT/sqoop-server-2.0.0-20150530.005523-4.war"; sqoop.war + download "http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.36/bin/apache-tomcat-6.0.36.zip"; apache-tomcat-6.0.36.zip + </echo> + <exec executable="bash" dir="${basedir}" failonerror="true"> + <arg line="target/download.sh"/> + </exec> + </target> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> + </profile> + </profiles> +</project> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java new file mode 100644 index 0000000..2c6f329 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java @@ -0,0 +1,225 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * This class used to test the Sqoop integration with Sentry. + * It will set up a miniSqoopCluster and Sentry service in a JVM process. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; + +import java.io.File; +import java.io.FileOutputStream; +import java.util.ArrayList; +import java.util.Set; +import java.util.UUID; +import java.util.concurrent.TimeoutException; + + +import org.apache.commons.io.FileUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.net.NetUtils; +import org.apache.hadoop.security.UserGroupInformation; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; +import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; +import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.service.thrift.SentryService; +import org.apache.sentry.service.thrift.SentryServiceFactory; +import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; + +import org.apache.sentry.sqoop.binding.SqoopProviderBackend; +import org.apache.sentry.sqoop.conf.SqoopAuthConf.AuthzConfVars; + +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.base.Joiner; +import com.google.common.collect.Sets; + +public class AbstractSqoopSentryTestBase { + private static final Logger LOGGER = LoggerFactory + .getLogger(AbstractSqoopSentryTestBase.class); + + private static final String SERVER_HOST = NetUtils + .createSocketAddr("localhost:80").getAddress().getCanonicalHostName(); + private static final int PORT = 8038; + + protected static final String COMPONENT = "sqoop"; + protected static final String ADMIN_USER = "sqoop"; + protected static final String ADMIN_GROUP = "sqoop"; + protected static final String ADMIN_ROLE = "sqoop"; + protected static final String SQOOP_SERVER_NAME = "sqoopServer1"; + /** test users, groups and roles */ + protected static final String USER1 = StaticUserGroupRole.USER_1; + protected static final String USER2 = StaticUserGroupRole.USER_2; + protected static final String USER3 = StaticUserGroupRole.USER_3; + protected static final String USER4 = StaticUserGroupRole.USER_4; + protected static final String USER5 = StaticUserGroupRole.USER_5; + + protected static final String GROUP1 = StaticUserGroupRole.GROUP_1; + protected static final String GROUP2 = StaticUserGroupRole.GROUP_2; + protected static final String GROUP3 = StaticUserGroupRole.GROUP_3; + protected static final String GROUP4 = StaticUserGroupRole.GROUP_4; + protected static final String GROUP5 = StaticUserGroupRole.GROUP_5; + + protected static final String ROLE1 = StaticUserGroupRole.ROLE_1; + protected static final String ROLE2 = StaticUserGroupRole.ROLE_2; + protected static final String ROLE3 = StaticUserGroupRole.ROLE_3; + protected static final String ROLE4 = StaticUserGroupRole.ROLE_4; + protected static final String ROLE5 = StaticUserGroupRole.ROLE_5; + + protected static SentryService server; + protected static TomcatSqoopRunner sqoopServerRunner; + + protected static File baseDir; + protected static File sqoopDir; + protected static File dbDir; + protected static File policyFilePath; + + protected static PolicyFile policyFile; + + @BeforeClass + public static void beforeTestEndToEnd() throws Exception { + setupConf(); + startSentryService(); + setUserGroups(); + setAdminPrivilege(); + startSqoopWithSentryEnable(); + } + + @AfterClass + public static void afterTestEndToEnd() throws Exception { + if (server != null) { + server.stop(); + } + if (sqoopServerRunner != null) { + sqoopServerRunner.stop(); + } + + FileUtils.deleteDirectory(baseDir); + } + + public static void setupConf() throws Exception { + baseDir = createTempDir(); + sqoopDir = new File(baseDir, "sqoop"); + dbDir = new File(baseDir, "sentry_policy_db"); + policyFilePath = new File(baseDir, "local_policy_file.ini"); + policyFile = new PolicyFile(); + + /** set the configuratoion for Sentry Service */ + Configuration conf = new Configuration(); + + conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE); + conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); + conf.set(ServerConfig.ADMIN_GROUPS, Joiner.on(",").join(ADMIN_GROUP, + UserGroupInformation.getLoginUser().getPrimaryGroupName())); + conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST); + conf.set(ServerConfig.RPC_PORT, String.valueOf(PORT)); + conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, + "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true"); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, + ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); + conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, + policyFilePath.getPath()); + server = new SentryServiceFactory().create(conf); + } + + public static File createTempDir() { + File baseDir = new File(System.getProperty("java.io.tmpdir")); + String baseName = "sqoop-e2e-"; + File tempDir = new File(baseDir, baseName + UUID.randomUUID().toString()); + if (tempDir.mkdir()) { + return tempDir; + } + throw new IllegalStateException("Failed to create temp directory"); + } + + public static void startSentryService() throws Exception { + server.start(); + final long start = System.currentTimeMillis(); + while(!server.isRunning()) { + Thread.sleep(1000); + if(System.currentTimeMillis() - start > 60000L) { + throw new TimeoutException("Server did not start after 60 seconds"); + } + } + } + + public static void startSqoopWithSentryEnable() throws Exception { + File sentrySitePath = new File(baseDir, "sentry-site.xml"); + getClientConfig().writeXml(new FileOutputStream(sentrySitePath)); + sqoopServerRunner = new TomcatSqoopRunner(sqoopDir.toString(), SQOOP_SERVER_NAME, + sentrySitePath.toURI().toURL().toString()); + sqoopServerRunner.start(); + } + + private static Configuration getClientConfig() { + Configuration conf = new Configuration(); + /** set the Sentry client configuration for Sqoop Service integration */ + conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE); + conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); + conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); + + conf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), + LocalGroupResourceAuthorizationProvider.class.getName()); + conf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), SqoopProviderBackend.class.getName()); + conf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), policyFilePath.getPath()); + conf.set(AuthzConfVars.AUTHZ_TESTING_MODE.getVar(), "true"); + return conf; + } + + public static void setUserGroups() throws Exception { + for (String user : StaticUserGroupRole.getUsers()) { + Set<String> groups = StaticUserGroupRole.getGroups(user); + policyFile.addGroupsToUser(user, + groups.toArray(new String[groups.size()])); + } + policyFile.addGroupsToUser(ADMIN_USER, ADMIN_GROUP); + UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); + policyFile.addGroupsToUser(loginUser.getShortUserName(), loginUser.getGroupNames()); + policyFile.write(policyFilePath); + } + + public static void setAdminPrivilege() throws Exception { + SentryGenericServiceClient sentryClient = null; + try { + /** grant all privilege to admin user */ + sentryClient = new SentryGenericServiceClient(getClientConfig()); + sentryClient.createRoleIfNotExist(ADMIN_USER, ADMIN_ROLE, COMPONENT); + sentryClient.addRoleToGroups(ADMIN_USER, ADMIN_ROLE, COMPONENT, Sets.newHashSet(ADMIN_GROUP)); + sentryClient.grantPrivilege(ADMIN_USER, ADMIN_ROLE, COMPONENT, + new TSentryPrivilege(COMPONENT, SQOOP_SERVER_NAME, new ArrayList<TAuthorizable>(), + SqoopActionConstant.ALL)); + } finally { + if (sentryClient != null) { + sentryClient.close(); + } + } + } + + public static void assertCausedMessage(Exception e, String message) { + assertTrue(e.getCause().getMessage().contains(message)); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java new file mode 100644 index 0000000..e51ee00 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java @@ -0,0 +1,62 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + +import com.google.common.collect.Sets; + +public class StaticUserGroupRole { + public static final String USER_1 = "user1"; + public static final String USER_2 = "user2"; + public static final String USER_3 = "user3"; + public static final String USER_4 = "user4"; + public static final String USER_5 = "user5"; + + public static final String GROUP_1 = "group1"; + public static final String GROUP_2 = "group2"; + public static final String GROUP_3 = "group3"; + public static final String GROUP_4 = "group4"; + public static final String GROUP_5 = "group5"; + + public static final String ROLE_1 = "role1"; + public static final String ROLE_2 = "role2"; + public static final String ROLE_3 = "role3"; + public static final String ROLE_4 = "role4"; + public static final String ROLE_5 = "role5"; + + private static Map<String, Set<String>> userToGroupsMapping = + new HashMap<String, Set<String>>(); + + static { + userToGroupsMapping.put(USER_1, Sets.newHashSet(GROUP_1)); + userToGroupsMapping.put(USER_2, Sets.newHashSet(GROUP_2)); + userToGroupsMapping.put(USER_3, Sets.newHashSet(GROUP_3)); + userToGroupsMapping.put(USER_4, Sets.newHashSet(GROUP_4)); + userToGroupsMapping.put(USER_5, Sets.newHashSet(GROUP_5)); + } + + public static Set<String> getUsers() { + return userToGroupsMapping.keySet(); + } + + public static Set<String> getGroups(String user) { + return userToGroupsMapping.get(user); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java new file mode 100644 index 0000000..9e13b13 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.util.Collection; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MConnector; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MPrivilege; +import org.apache.sqoop.model.MResource; +import org.apache.sqoop.model.MRole; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestConnectorEndToEnd extends AbstractSqoopSentryTestBase { + private static String JDBC_CONNECTOR_NAME = "generic-jdbc-connector"; + private static String HDFS_CONNECTOR_NAME = "hdfs-connector"; + + @Test + public void testShowAllConnector() throws Exception { + // USER3 at firstly has no privilege on any Sqoop resource + SqoopClient client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getConnectors().size() == 0); + /** + * ADMIN_USER grant read action privilege on connector all to role ROLE3 + * ADMIN_USER grant role ROLE3 to group GROUP3 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role3 = new MRole(ROLE3); + MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + client.createRole(role3); + client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role3.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readPriv)); + + // check USER3 has the read privilege on all connector + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getConnectors().size() > 0); + } + + @Test + public void testShowSpecificConnector() throws Exception { + // USER1 and USER2 at firstly has no privilege on any Sqoop resource + SqoopClient client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getConnectors().size() == 0); + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getConnectors().size() == 0); + + /** + * ADMIN_USER grant read action privilege on jdbc connector to role ROLE1 + * ADMIN_USER grant read action privilege on hdfs connector to role ROLE2 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MConnector hdfsConnector = client.getConnector(HDFS_CONNECTOR_NAME); + MConnector jdbcConnector = client.getConnector(JDBC_CONNECTOR_NAME); + + MRole role1 = new MRole(ROLE1); + MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + MPrivilege readHdfsPriv = new MPrivilege(new MResource(String.valueOf(hdfsConnector.getPersistenceId()), MResource.TYPE.CONNECTOR), + SqoopActionConstant.READ, false); + client.createRole(role1); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readHdfsPriv)); + + MRole role2 = new MRole(ROLE2); + MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP); + MPrivilege readJdbcPriv = new MPrivilege(new MResource(String.valueOf(jdbcConnector.getPersistenceId()), MResource.TYPE.CONNECTOR), + SqoopActionConstant.READ, false); + client.createRole(role2); + client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readJdbcPriv)); + + client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getConnectors().size() == 1); + // user1 can show hdfs connector + assertTrue(client.getConnector(HDFS_CONNECTOR_NAME) != null); + // user1 can't show jdbc connector + assertTrue(client.getConnector(JDBC_CONNECTOR_NAME) == null); + + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getConnectors().size() == 1); + // user2 can show jdbc connector + assertTrue(client.getConnector(JDBC_CONNECTOR_NAME) != null); + // user2 can't show hdfs connector + assertTrue(client.getConnector(HDFS_CONNECTOR_NAME) == null); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java new file mode 100644 index 0000000..bc9dd13 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java @@ -0,0 +1,215 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; + +import java.util.List; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sentry.sqoop.SentrySqoopError; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MPrivilege; +import org.apache.sqoop.model.MResource; +import org.apache.sqoop.model.MRole; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestGrantPrivilege extends AbstractSqoopSentryTestBase { + + @Test + public void testNotSupportGrantPrivilegeToUser() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrincipal user1 = new MPrincipal("not_support_grant_user_1", MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + try { + client.grantPrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv)); + fail("expected not support exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL); + } + } + + @Test + public void testNotSupportGrantPrivilegeToGroup() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrincipal group1 = new MPrincipal("not_support_grant_group_1", MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + try { + client.grantPrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv)); + fail("expected not support exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL); + } + } + + @Test + public void testGrantPrivilege() throws Exception { + /** + * user1 belongs to group group1 + * admin user grant role role1 to group group1 + * admin user grant read privilege on connector all to role role1 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole(ROLE1); + MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client.createRole(role1); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ)); + client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege)); + + // check user1 has privilege on role1 + client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1); + } + + @Test + public void testGrantPrivilegeTwice() throws Exception { + /** + * user2 belongs to group group2 + * admin user grant role role2 to group group2 + * admin user grant write privilege on connector all to role role2 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role2 = new MRole(ROLE2); + MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP); + MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false); + client.createRole(role2); + client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ)); + client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege)); + + // check user2 has one privilege on role2 + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1); + + // grant privilege to role role2 again + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege)); + + // check user2 has only one privilege on role2 + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1); + } + + @Test + public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception { + /** + * user3 belongs to group group3 + * admin user grant role role3 to group group3 + * admin user grant all privilege on connector all to role role3 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role3 = new MRole(ROLE3); + MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP); + MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false); + client.createRole(role3); + client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ)); + client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege)); + + // check user3 has one privilege on role3 + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1); + // user3 has the all action on role3 + MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0); + assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME); + + /** + * admin user grant read privilege on connector all to role role3 + * because the role3 has already the all privilege, the read privilege granting has + * no impact on the role3 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege)); + // check user3 has only one privilege on role3 + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1); + // user3 has the all action on role3 + user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0); + assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME); + } + + @Test + public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception { + /** + * user4 belongs to group group4 + * admin user grant role role4 to group group4 + * admin user grant read privilege on connector all to role role4 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role4 = new MRole(ROLE4); + MPrincipal group4Princ = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP); + MPrincipal role4Princ = new MPrincipal(ROLE4, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client.createRole(role4); + client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4Princ)); + client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(readPrivilege)); + + // check user4 has one privilege on role1 + client = sqoopServerRunner.getSqoopClient(USER4); + assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 1); + // user4 has the read action on collector all + MPrivilege user4Privilege = client.getPrivilegesByPrincipal(role4Princ, allConnector).get(0); + assertEquals(user4Privilege.getAction().toLowerCase(), SqoopActionConstant.READ); + + /** + * admin user grant write privilege on connector all to role role4 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false); + client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(writePrivilege)); + + // check user4 has two privileges on role1 + client = sqoopServerRunner.getSqoopClient(USER4); + assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 2); + // user4 has the read and write action on collector all + List<String> actions = Lists.newArrayList(); + for (MPrivilege privilege : client.getPrivilegesByPrincipal(role4Princ, allConnector)) { + actions.add(privilege.getAction().toLowerCase()); + } + assertEquals(Lists.newArrayList(SqoopActionConstant.READ, SqoopActionConstant.WRITE), actions); + + /** + * admin user grant all privilege on connector all to role role4 + * because the all privilege includes the read and write privileges, these privileges will + * be removed + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false); + client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(allPrivilege)); + + // check user4 has only privilege on role1 + client = sqoopServerRunner.getSqoopClient(USER4); + assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 1); + // user4 has the all action on role3 + user4Privilege = client.getPrivilegesByPrincipal(role4Princ, allConnector).get(0); + assertEquals(user4Privilege.getAction(), SqoopActionConstant.ALL_NAME); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java new file mode 100644 index 0000000..636e269 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java @@ -0,0 +1,305 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MJob; +import org.apache.sqoop.model.MLink; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MPrivilege; +import org.apache.sqoop.model.MResource; +import org.apache.sqoop.model.MRole; +import org.apache.sqoop.security.SecurityError; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestJobEndToEnd extends AbstractSqoopSentryTestBase { + @Test + public void testShowJob() throws Exception { + /** + * ADMIN_USER create two links and one job + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MLink rdbmsLink = client.createLink("generic-jdbc-connector"); + sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink); + sqoopServerRunner.saveLink(client, rdbmsLink); + + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + sqoopServerRunner.saveLink(client, hdfsLink); + + MJob job1 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId()); + // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS! + sqoopServerRunner.fillHdfsFromConfig(job1); + // set the RDBM "TO" config here + sqoopServerRunner.fillRdbmsToConfig(job1); + // create job + sqoopServerRunner.saveJob(client, job1); + /** + * ADMIN_USER grant read privilege on all job to role1 + */ + MRole role1 = new MRole(ROLE1); + MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + MResource allJob = new MResource(SqoopActionConstant.ALL, MResource.TYPE.JOB); + MPrivilege readAllPrivilege = new MPrivilege(allJob,SqoopActionConstant.READ, false); + client.createRole(role1); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readAllPrivilege)); + + /** + * ADMIN_USER grant read privilege on job1 to role2 + */ + MRole role2 = new MRole(ROLE2); + MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP); + MResource job1Resource = new MResource(String.valueOf(job1.getPersistenceId()), MResource.TYPE.JOB); + MPrivilege readJob1Privilege = new MPrivilege(job1Resource,SqoopActionConstant.READ, false); + client.createRole(role2); + client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readJob1Privilege)); + + // user1 can show all jobs + client = sqoopServerRunner.getSqoopClient(USER1); + try { + assertTrue(client.getJobs().size() == 1); + assertTrue(client.getJob(job1.getPersistenceId()) != null); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + // user2 can show job1 + client = sqoopServerRunner.getSqoopClient(USER2); + try { + assertTrue(client.getJobs().size() == 1); + assertTrue(client.getJob(job1.getPersistenceId()) != null); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + // user3 can't show job1 + client = sqoopServerRunner.getSqoopClient(USER3); + try { + assertTrue(client.getJobs().size() == 0); + client.getJob(job1.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.deleteJob(job1.getPersistenceId()); + } + + @Test + public void testUpdateDeleteJob() throws Exception { + /** + * ADMIN_USER create two links and one job + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MLink rdbmsLink = client.createLink("generic-jdbc-connector"); + sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink); + rdbmsLink.setName("rdbm_testUpdateJob"); + sqoopServerRunner.saveLink(client, rdbmsLink); + + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + hdfsLink.setName("hdfs_testUpdateJob"); + sqoopServerRunner.saveLink(client, hdfsLink); + + MJob job2 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId()); + // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS! + sqoopServerRunner.fillHdfsFromConfig(job2); + // set the RDBM "TO" config here + sqoopServerRunner.fillRdbmsToConfig(job2); + // create job + sqoopServerRunner.saveJob(client, job2); + + /** + * ADMIN_USER grant update privilege on job2 to role4 + * ADMIN_USER grant read privilege on all connector to role4 + * ADMIN_USER grant read privilege on all link to role4 + */ + MRole role4 = new MRole(ROLE4); + MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP); + MResource job2Resource = new MResource(String.valueOf(job2.getPersistenceId()), MResource.TYPE.JOB); + MPrivilege writeJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.WRITE, false); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK); + MPrivilege readLinkPriv = new MPrivilege(allLink,SqoopActionConstant.READ, false); + client.createRole(role4); + client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(writeJob2Privilege, readConnectorPriv, readLinkPriv)); + + // user4 can't show job2 + client = sqoopServerRunner.getSqoopClient(USER4); + try { + assertTrue(client.getJobs().size() == 0); + client.getJob(job2.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + // user4 can update job2 + try { + job2.setName("job2_update_user4_1"); + client.updateJob(job2); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + // user3 can't update job2 + client = sqoopServerRunner.getSqoopClient(USER3); + try { + assertTrue(client.getJobs().size() == 0); + job2.setName("job2_update_user3_1"); + client.updateJob(job2); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + // user3 can't delete job2 + try { + client.deleteJob(job2.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + //user4 can delete job2 because user4 has write privilege on job2 + client = sqoopServerRunner.getSqoopClient(USER4); + try { + client.deleteJob(job2.getPersistenceId()); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.dropRole(role4); + } + + @Test + public void testEnableAndStartJob() throws Exception { + /** + * ADMIN_USER create two links and one job + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MLink rdbmsLink = client.createLink("generic-jdbc-connector"); + sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink); + rdbmsLink.setName("rdbm_testEnableAndStartJob"); + sqoopServerRunner.saveLink(client, rdbmsLink); + + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + hdfsLink.setName("hdfs_testEnableAndStartJob"); + sqoopServerRunner.saveLink(client, hdfsLink); + + MJob job2 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId()); + // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS! + sqoopServerRunner.fillHdfsFromConfig(job2); + // set the RDBM "TO" config here + sqoopServerRunner.fillRdbmsToConfig(job2); + // create job + sqoopServerRunner.saveJob(client, job2); + + /** + * ADMIN_USER grant update privilege on job2 to role4 + * ADMIN_USER grant read privilege on all connector to role4 + * ADMIN_USER grant read privilege on all link to role4 + */ + MRole role4 = new MRole(ROLE4); + MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP); + MResource job2Resource = new MResource(String.valueOf(job2.getPersistenceId()), MResource.TYPE.JOB); + MPrivilege writeJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.WRITE, false); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK); + MPrivilege readLinkPriv = new MPrivilege(allLink,SqoopActionConstant.READ, false); + client.createRole(role4); + client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(writeJob2Privilege, readConnectorPriv, readLinkPriv)); + + + /** + * ADMIN_USER grant read privilege on job2 to role5 + * ADMIN_USER grant read privilege on all connector to role5 + * ADMIN_USER grant read privilege on all link to role5 + */ + MRole role5 = new MRole(ROLE5); + MPrincipal group5 = new MPrincipal(GROUP5, MPrincipal.TYPE.GROUP); + MPrivilege readJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.READ, false); + client.createRole(role5); + client.grantRole(Lists.newArrayList(role5), Lists.newArrayList(group5)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role5.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readJob2Privilege, readConnectorPriv, readLinkPriv)); + + // user5 can't enable and start job2 + client = sqoopServerRunner.getSqoopClient(USER5); + try { + client.enableJob(job2.getPersistenceId(), true); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + try { + client.startJob(job2.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + // user3 can't enable and start job2 + client = sqoopServerRunner.getSqoopClient(USER3); + try { + client.enableJob(job2.getPersistenceId(), true); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + try { + client.startJob(job2.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + // user4 can enable or start job2 + client = sqoopServerRunner.getSqoopClient(USER4); + try { + client.enableJob(job2.getPersistenceId(), false); + client.enableJob(job2.getPersistenceId(), true); + client.deleteJob(job2.getPersistenceId()); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.dropRole(role4); + client.dropRole(role5); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java new file mode 100644 index 0000000..a67ef63 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java @@ -0,0 +1,238 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MLink; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MPrivilege; +import org.apache.sqoop.model.MResource; +import org.apache.sqoop.model.MRole; +import org.apache.sqoop.security.SecurityError; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestLinkEndToEnd extends AbstractSqoopSentryTestBase { + + @Test + public void testShowLink() throws Exception { + /** + * ADMIN_USER create a hdfs link + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + sqoopServerRunner.saveLink(client, hdfsLink); + + /** + * ADMIN_USER grant read privilege on all link to role1 + */ + MRole role1 = new MRole(ROLE1); + MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK); + MPrivilege readAllPrivilege = new MPrivilege(allLink,SqoopActionConstant.READ, false); + client.createRole(role1); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readAllPrivilege)); + + /** + * ADMIN_USER grant read privilege on hdfs link to role2 + */ + MRole role2 = new MRole(ROLE2); + MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP); + MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK); + MPrivilege readHdfsLinkPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.READ, false); + client.createRole(role2); + client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readHdfsLinkPrivilege)); + + // user1 can show all link + client = sqoopServerRunner.getSqoopClient(USER1); + try { + assertTrue(client.getLinks().size() == 1); + assertTrue(client.getLink(hdfsLink.getPersistenceId()) != null); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + // user2 can show hdfs link + client = sqoopServerRunner.getSqoopClient(USER2); + try { + assertTrue(client.getLinks().size() == 1); + assertTrue(client.getLink(hdfsLink.getPersistenceId()) != null); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + // user3 can't show hdfs link + client = sqoopServerRunner.getSqoopClient(USER3); + try { + assertTrue(client.getLinks().size() == 0); + client.getLink(hdfsLink.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.deleteLink(hdfsLink.getPersistenceId()); + } + + @Test + public void testUpdateDtestUpdateDeleteLinkeleteLink() throws Exception { + /** + * ADMIN_USER create a hdfs link + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + sqoopServerRunner.saveLink(client, hdfsLink); + + /** + * ADMIN_USER grant update privilege on hdfs link to role4 + * ADMIN_USER grant read privilege on all connector to role4 + */ + MRole role4 = new MRole(ROLE4); + MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP); + MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK); + MPrivilege writeHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.WRITE, false); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + client.createRole(role4); + client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(writeHdfsPrivilege, readConnectorPriv)); + + // user4 can't show hdfs link + client = sqoopServerRunner.getSqoopClient(USER4); + try { + assertTrue(client.getLinks().size() == 0); + client.getLink(hdfsLink.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + // user4 can update hdfs link + try { + hdfsLink.setName("hdfs_link_update_user4_1"); + client.updateLink(hdfsLink); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + // user3 can't update hdfs link + client = sqoopServerRunner.getSqoopClient(USER3); + try { + assertTrue(client.getLinks().size() == 0); + hdfsLink.setName("hdfs_link_update_user3_1"); + client.updateLink(hdfsLink); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + // user3 can't delete hdfs link + try { + client.deleteLink(hdfsLink.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + //user4 can delete hdfs link because user4 has write privilege on hdfs link + client = sqoopServerRunner.getSqoopClient(USER4); + try { + client.deleteLink(hdfsLink.getPersistenceId()); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.dropRole(role4); + } + + @Test + public void testEnableLink() throws Exception { + /** + * ADMIN_USER create a hdfs link + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + sqoopServerRunner.saveLink(client, hdfsLink); + + /** + * ADMIN_USER grant read privilege on hdfs link to role4 + * ADMIN_USER grant read privilege on all connector to role4 + */ + MRole role4 = new MRole(ROLE4); + MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP); + MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK); + MPrivilege readHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.READ, false); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + client.createRole(role4); + client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readHdfsPrivilege, readConnectorPriv)); + + /** + * ADMIN_USER grant write privilege on hdfs link to role5 + * ADMIN_USER grant read privilege on all connector to role5 + */ + MRole role5 = new MRole(ROLE5); + MPrincipal group5 = new MPrincipal(GROUP5, MPrincipal.TYPE.GROUP); + MPrivilege writeHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.WRITE, false); + client.createRole(role5); + client.grantRole(Lists.newArrayList(role5), Lists.newArrayList(group5)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role5.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(writeHdfsPrivilege, readConnectorPriv)); + + // user4 can't enable hdfs link + client = sqoopServerRunner.getSqoopClient(USER4); + try { + client.enableLink(hdfsLink.getPersistenceId(), true); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + // user5 can enbale hdfs link + client = sqoopServerRunner.getSqoopClient(USER5); + try { + client.enableLink(hdfsLink.getPersistenceId(), true); + } catch (Exception e) { + fail("unexpected Authorization exception happend"); + } + // user3 can't update hdfs link + client = sqoopServerRunner.getSqoopClient(USER3); + try { + client.enableLink(hdfsLink.getPersistenceId(), true); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.deleteLink(hdfsLink.getPersistenceId()); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java new file mode 100644 index 0000000..9bed526 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java @@ -0,0 +1,156 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MConnector; +import org.apache.sqoop.model.MDriverConfig; +import org.apache.sqoop.model.MJob; +import org.apache.sqoop.model.MLink; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MPrivilege; +import org.apache.sqoop.model.MResource; +import org.apache.sqoop.model.MRole; +import org.apache.sqoop.security.SecurityError; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestOwnerPrivilege extends AbstractSqoopSentryTestBase { + + @Test + public void testLinkOwner() throws Exception { + // USER1 at firstly has no privilege on any Sqoop resource + SqoopClient client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getConnectors().size() == 0); + /** + * ADMIN_USER grant read action privilege on connector all to role ROLE1 + * ADMIN_USER grant role ROLE1 to group GROUP1 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole(ROLE1); + MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + client.createRole(role1); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readPriv)); + + // check USER1 has the read privilege on all connector + client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getConnectors().size() > 0); + + // USER1 create a new HDFS link + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + sqoopServerRunner.saveLink(client, hdfsLink); + + // USER1 is the owner of HDFS link, so he can show and update HDFS link + assertEquals(client.getLink(hdfsLink.getPersistenceId()), hdfsLink); + + // USER1 update the name of HDFS link + hdfsLink.setName("HDFS_update1"); + sqoopServerRunner.updateLink(client, hdfsLink); + + // USER2 has no privilege on HDFS link + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getLinks().size() == 0); + + //delete the HDFS link + client = sqoopServerRunner.getSqoopClient(USER1); + client.deleteLink(hdfsLink.getPersistenceId()); + } + + @Test + public void testJobOwner() throws Exception { + // USER3 at firstly has no privilege on any Sqoop resource + SqoopClient client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getConnectors().size() == 0); + /** + * ADMIN_USER grant read action privilege on connector all to role ROLE3 + * ADMIN_USER grant role ROLE3 to group GROUP3 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role3 = new MRole(ROLE3); + MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + client.createRole(role3); + client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3)); + client.grantPrivilege(Lists.newArrayList(new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE)), + Lists.newArrayList(readPriv)); + + // check USER3 has the read privilege on all connector + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getConnectors().size() > 0); + + // USER3 create two links: hdfs link and rdbm link + MLink rdbmsLink = client.createLink("generic-jdbc-connector"); + sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink); + sqoopServerRunner.saveLink(client, rdbmsLink); + + MLink hdfsLink = client.createLink("hdfs-connector"); + sqoopServerRunner.fillHdfsLink(hdfsLink); + sqoopServerRunner.saveLink(client, hdfsLink); + + // USER3 is the owner of hdfs and link, so he can show and update hdfs link + assertTrue(client.getLinks().size() == 2); + hdfsLink.setName("HDFS_update2"); + client.updateLink(hdfsLink); + rdbmsLink.setName("RDBM_update"); + client.updateLink(rdbmsLink); + + // USER_3 create a job: transfer date from HDFS to RDBM + MJob job1 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId()); + // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS! + sqoopServerRunner.fillHdfsFromConfig(job1); + + // set the RDBM "TO" config here + sqoopServerRunner.fillRdbmsToConfig(job1); + + // create job + sqoopServerRunner.saveJob(client, job1); + + /** + * USER3 is the owner of job1 , so he can show and delete job1. + * USER4 has no privilege on job1 + */ + client = sqoopServerRunner.getSqoopClient(USER4); + assertTrue(client.getJobs().size() == 0); + try { + client.deleteJob(job1.getPersistenceId()); + fail("expected Authorization exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SecurityError.AUTH_0014.getMessage()); + } + client = sqoopServerRunner.getSqoopClient(USER3); + assertEquals(client.getJob(job1.getPersistenceId()), job1); + client.deleteJob(job1.getPersistenceId()); + + // delete the HDFS and RDBM links + client.deleteLink(hdfsLink.getPersistenceId()); + client.deleteLink(rdbmsLink.getPersistenceId()); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java new file mode 100644 index 0000000..f71595c --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java @@ -0,0 +1,175 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; + +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sentry.sqoop.SentrySqoopError; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MPrivilege; +import org.apache.sqoop.model.MResource; +import org.apache.sqoop.model.MRole; +import org.junit.Test; + +import com.google.common.collect.Lists; + +public class TestRevokePrivilege extends AbstractSqoopSentryTestBase { + @Test + public void testNotSupportRevokePrivilegeFromUser() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrincipal user1 = new MPrincipal("not_support_revoke_user_1", MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + try { + client.revokePrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv)); + fail("expected not support exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL); + } + } + + @Test + public void testNotSupportRevokePrivilegeFromGroup() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrincipal group1 = new MPrincipal("not_support_revoke_group_1", MPrincipal.TYPE.GROUP); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false); + try { + client.revokePrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv)); + fail("expected not support exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL); + } + } + + @Test + public void testRevokeNotExistPrivilege() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole testRole = new MRole("noexist_privilege_role1"); + MPrincipal testPrinc = new MPrincipal(testRole.getName(), MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client.createRole(testRole); + assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0); + + client.revokePrivilege(Lists.newArrayList(testPrinc), Lists.newArrayList(readPrivilege)); + assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0); + } + + + @Test + public void testRevokePrivilege() throws Exception { + /** + * user1 belongs to group group1 + * admin user grant role role1 to group group1 + * admin user grant read privilege on connector all to role role1 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole(ROLE1); + MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client.createRole(role1); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ)); + client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege)); + + // check user1 has privilege on role1 + client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1); + + // admin user revoke read privilege from role1 + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.revokePrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege)); + + // check user1 has no privilege on role1 + client = sqoopServerRunner.getSqoopClient(USER1); + assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 0); + } + + @Test + public void testRevokeAllPrivilege() throws Exception { + /** + * user2 belongs to group group2 + * admin user grant role role2 to group group2 + * admin user grant read and write privilege on connector all to role role2 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role2 = new MRole(ROLE2); + MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP); + MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false); + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client.createRole(role2); + client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ)); + client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege, readPrivilege)); + + // check user2 has two privileges on role2 + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 2); + + // admin user revoke all privilege from role2 + MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false); + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.revokePrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(allPrivilege)); + + // check user2 has no privilege on role2 + client = sqoopServerRunner.getSqoopClient(USER2); + assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 0); + } + + @Test + public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception { + /** + * user3 belongs to group group3 + * admin user grant role role3 to group group3 + * admin user grant all privilege on connector all to role role3 + */ + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role3 = new MRole(ROLE3); + MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP); + MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE); + MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR); + MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false); + client.createRole(role3); + client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ)); + client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege)); + + // check user3 has one privilege on role3 + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1); + // user3 has the all action on role3 + MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0); + assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME); + + // admin user revoke the read privilege on connector all from role role3 + MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false); + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.revokePrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege)); + + // check user3 has only the write privilege on role3 + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1); + user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0); + assertEquals(user3Privilege.getAction().toLowerCase(), SqoopActionConstant.WRITE); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java new file mode 100644 index 0000000..1a6ca02 --- /dev/null +++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java @@ -0,0 +1,209 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.tests.e2e.sqoop; + +import org.apache.sentry.sqoop.SentrySqoopError; +import org.apache.sqoop.client.SqoopClient; +import org.apache.sqoop.model.MPrincipal; +import org.apache.sqoop.model.MRole; +import org.junit.Test; + +import com.google.common.collect.Lists; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; + +public class TestRoleOperation extends AbstractSqoopSentryTestBase { + + @Test + public void testAdminToCreateDeleteRole() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole("create_delete_role_1"); + MRole role2 = new MRole("create_delete_role_2"); + client.createRole(role1); + client.createRole(role2); + assertTrue( client.getRoles().size() > 0); + } + + @Test + public void testNotAdminToCreateDeleteRole() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole("not_admin_create_delete_role_1"); + MRole role2 = new MRole("not_admin_create_delete_role_2"); + client.createRole(role1); + + client = sqoopServerRunner.getSqoopClient(USER1); + try { + client.createRole(role2); + fail("expected SentryAccessDeniedException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryAccessDeniedException"); + } + try { + client.dropRole(role1); + fail("expected SentryAccessDeniedException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryAccessDeniedException"); + } + } + + @Test + public void testCreateExistedRole() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole("create_exist_role_1"); + client.createRole(role1); + try { + client.createRole(role1); + fail("expected SentryAlreadyExistsException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryAlreadyExistsException"); + } + } + + @Test + public void testDropNotExistedRole() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + try { + client.dropRole(new MRole("drop_noexisted_role_1")); + fail("expected SentryNoSuchObjectException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryNoSuchObjectException"); + } + } + + @Test + public void testAdminShowAllRole() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.createRole(new MRole("show_all_role")); + assertTrue(client.getRoles().size() > 0); + } + + @Test + public void testNotAdminShowAllRole() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(USER1); + try { + client.getRoles(); + fail("expected SentryAccessDeniedException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryAccessDeniedException"); + } + } + + @Test + public void testNotSupportAddRoleToUser() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MRole role1 = new MRole("add_to_user_role"); + MPrincipal user1 = new MPrincipal("add_to_user", MPrincipal.TYPE.USER); + try { + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(user1)); + fail("expected not support exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL); + } + } + + @Test + public void testShowRoleOnGroup() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + // admin user grant role1 to group1 + MRole role1 = new MRole(ROLE1); + client.createRole(role1); + MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP); + client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1)); + // admin user grant role2 to group2 + MRole role2 = new MRole(ROLE2); + client.createRole(role2); + MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP); + client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2)); + + // use1 can show role on group1 + client = sqoopServerRunner.getSqoopClient(USER1); + assertEquals(role1.getName(), client.getRolesByPrincipal(group1).get(0).getName()); + + // use1 can't show role on group2 + try { + client.getRolesByPrincipal(group2); + fail("expected SentryAccessDeniedException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryAccessDeniedException"); + } + + // user2 can show role on group2 + client = sqoopServerRunner.getSqoopClient(USER2); + assertEquals(role2.getName(), client.getRolesByPrincipal(group2).get(0).getName()); + + // use2 can't show role on group1 + try { + client.getRolesByPrincipal(group1); + fail("expected SentryAccessDeniedException happend"); + } catch (Exception e) { + assertCausedMessage(e, "SentryAccessDeniedException"); + } + } + + @Test + public void testAddDeleteRoleOnGroup() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + // admin user grant role3 to group3 + MRole role3 = new MRole(ROLE3); + client.createRole(role3); + MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP); + client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3)); + // admin user grant role4 to group4 + MRole role4 = new MRole(ROLE4); + client.createRole(role4); + MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP); + client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4)); + + // use3 can show role on group3 + client = sqoopServerRunner.getSqoopClient(USER3); + assertEquals(role3.getName(), client.getRolesByPrincipal(group3).get(0).getName()); + + // user4 can show role on group4 + client = sqoopServerRunner.getSqoopClient(USER4); + assertEquals(role4.getName(), client.getRolesByPrincipal(group4).get(0).getName()); + + /** + * admin delete role3 from group3 + * admin delete role4 from group4 + */ + client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + client.revokeRole(Lists.newArrayList(role3), Lists.newArrayList(group3)); + client.revokeRole(Lists.newArrayList(role4), Lists.newArrayList(group4)); + + // use3 show role on group3, empty role list return + client = sqoopServerRunner.getSqoopClient(USER3); + assertTrue(client.getRolesByPrincipal(group3).isEmpty()); + + // use4 show role on group4, empty role list return + client = sqoopServerRunner.getSqoopClient(USER4); + assertTrue(client.getRolesByPrincipal(group4).isEmpty()); + } + + @Test + public void testNotSupportShowRoleonUser() throws Exception { + SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER); + MPrincipal user1 = new MPrincipal("showRoleOnUser", MPrincipal.TYPE.USER); + try { + client.getRolesByPrincipal(user1); + fail("expected not support exception happend"); + } catch (Exception e) { + assertCausedMessage(e, SentrySqoopError.SHOW_GRANT_NOT_SUPPORTED_FOR_PRINCIPAL); + } + } +}
