Repository: incubator-sentry Updated Branches: refs/heads/master b20f200c5 -> 557c81834
SENTRY-769: [Improve error handling] Make sure groups in list_sentry_privileges_for_provider is not empty ( Colin Ma, Reviewed by: Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/557c8183 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/557c8183 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/557c8183 Branch: refs/heads/master Commit: 557c81834e3909f9b0d7325751b21e38129961df Parents: b20f200 Author: Sravya Tirukkovalur <[email protected]> Authored: Sun Oct 11 22:31:10 2015 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Sun Oct 11 22:31:10 2015 -0700 ---------------------------------------------------------------------- .../binding/hive/TestHiveAuthzBindings.java | 4 +- .../binding/solr/TestSolrAuthzBinding.java | 65 +++++++++++++++----- .../common/HadoopGroupMappingService.java | 14 +++-- .../common/SentryGroupNotFoundException.java | 61 ++++++++++++++++++ .../provider/file/LocalGroupMappingService.java | 10 +-- .../provider/file/TestLocalGroupMapping.java | 8 ++- .../sentry/test-authz-provider.ini | 1 + .../SentryIndexAuthorizationSingletonTest.java | 34 +++++++--- .../tests/e2e/hive/TestUserManagement.java | 46 +++++++++++++- .../metastore/TestAuthorizingObjectStore.java | 44 ++++++------- .../solr/sentry/test-authz-provider.ini | 4 +- 11 files changed, 227 insertions(+), 64 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java ---------------------------------------------------------------------- 
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java index 0622b43..1fac0c7 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java @@ -42,6 +42,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.provider.common.SentryGroupNotFoundException; import org.apache.sentry.provider.file.PolicyFiles; import org.junit.After; import org.junit.Before; @@ -299,7 +300,8 @@ public class TestHiveAuthzBindings { testAuth.authorize(HiveOperation.CREATEFUNCTION, createFuncPrivileges, ANALYST_SUBJECT, inputTabHierarcyList, outputTabHierarcyList); } - @Test(expected=AuthorizationException.class) + + @Test(expected = SentryGroupNotFoundException.class) public void testValidateCreateFunctionRejectionForUnknownUser() throws Exception { inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] { new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar") http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java index c37f8ff..c0445ab 100644 
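Review bot: In `testValidateCreateFunctionRejectionForUnknownUser` the denial for an unknown user now arrives as `SentryGroupNotFoundException`, which this commit declares as a direct subclass of `RuntimeException`, so any caller that catches `AuthorizationException` to turn a denial into a clean "not authorized" response will no longer catch it. The request is still refused, but it is refused through the generic error path rather than the authorization one, which changes what is logged, audited and returned to the client. The Solr tests show the same shift: `testNullUserName` and the empty-superuser test replace `doExpectUnauthorized` with a check for the raw exception. Either have the binding layer catch it and rethrow as the existing authorization failure, or state the new contract where callers will see it, for example `// unknown users fail group lookup before any privilege check; not an AuthorizationException`. The test method continues outside this hunk.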
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java @@ -43,6 +43,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.search.Collection; import org.apache.sentry.core.model.search.SearchModelAction; +import org.apache.sentry.provider.common.SentryGroupNotFoundException; import org.apache.sentry.provider.file.PolicyFiles; import org.junit.After; import org.junit.Before; 
@@ -181,14 +182,38 @@ public class TestSolrAuthzBinding { Set<String> emptyList = Collections.emptySet(); // check non-existant users - assertEquals(binding.getGroups(null), emptyList); - assertEquals(binding.getGroups("nonExistantUser"), emptyList); + try { + binding.getGroups(null); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("nonExistantUser"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } // check group names don't map to user names - assertEquals(binding.getGroups("corporal"), emptyList); - assertEquals(binding.getGroups("sergeant"), emptyList); - assertEquals(binding.getGroups("general"), emptyList); - assertEquals(binding.getGroups("othergeneralgroup"), emptyList); + try { + binding.getGroups("corporal"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("sergeant"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("general"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getGroups("othergeneralgroup"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } // check valid group names assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal")); 
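Review bot: The six negative checks in this hunk repeat the same try / `Assert.fail` / empty-catch block, and the empty `catch` bodies give no hint that swallowing the exception is the intended outcome. A small private helper states the expectation once and keeps the list of rejected names readable; the same pattern recurs in the `getRoles` and `authorizeCollection` hunks of this file, in `TestLocalGroupMapping` and in `SentryIndexAuthorizationSingletonTest`. The test method starts and ends outside this hunk.

```java
private static void assertGroupNotFound(SolrAuthzBinding binding, String user) throws Exception {
  try {
    binding.getGroups(user);
    Assert.fail("Expected SentryGroupNotFoundException for user " + user);
  } catch (SentryGroupNotFoundException expected) {
    // a user without any group mapping must be rejected by the lookup
  }
}

// … unchanged: binding construction …
// check non-existant users
assertGroupNotFound(binding, null);
assertGroupNotFound(binding, "nonExistantUser");
// check group names don't map to user names
assertGroupNotFound(binding, "corporal");
// … same call for "sergeant", "general", "othergeneralgroup" …
```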
@@ -207,19 +232,27 @@ public class TestSolrAuthzBinding { SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); Set<String> emptySet = Collections.emptySet(); - // check non-existant users - assertEquals(binding.getRoles(null), emptySet); - assertEquals(binding.getRoles("nonExistantUser"), emptySet); - // check user with undefined group assertEquals(binding.getRoles("undefinedGroupUser"), emptySet); // check group with undefined role assertEquals(binding.getRoles("undefinedRoleUser"), emptySet); // check role names don't map in the other direction - assertEquals(binding.getRoles("corporal_role"), emptySet); - assertEquals(binding.getRoles("sergeant_role"), emptySet); - assertEquals(binding.getRoles("general_role"), emptySet); + try { + binding.getRoles("corporal_role"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getRoles("sergeant_role"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } + try { + binding.getRoles("general_role"); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } // check valid users assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role")); 
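Review bot: The `getRoles(null)` and `getRoles("nonExistantUser")` checks are deleted here without a replacement, whereas the `getGroups` test in this file converts the equivalent checks into exception expectations. That leaves the role lookup with no negative test for a null or unknown user, which is the case this commit changes. Presumably `getRoles` resolves groups first and now throws for both inputs, so the checks can be kept in the new form. The test method starts and ends outside this hunk.

```java
// check non-existant users
try {
  binding.getRoles(null);
  Assert.fail("Expected SentryGroupNotFoundException");
} catch (SentryGroupNotFoundException e) {
}
try {
  binding.getRoles("nonExistantUser");
  Assert.fail("Expected SentryGroupNotFoundException");
} catch (SentryGroupNotFoundException e) {
}
// … unchanged: undefinedGroupUser / undefinedRoleUser checks …
```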
@@ -260,7 +293,11 @@ public class TestSolrAuthzBinding { new SolrAuthzConf(Resources.getResource("sentry-site.xml")); setUsableAuthzConf(solrAuthzConf); SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf); - expectAuthException(binding, new Subject("bogus"), infoCollection, querySet); + try { + binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } } /** http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java index fb335a3..4214449 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java @@ -17,8 +17,8 @@ package org.apache.sentry.provider.common; import java.io.IOException; -import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; import org.apache.commons.lang.StringUtils; @@ -27,6 +27,8 @@ import org.apache.hadoop.security.Groups; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.collect.Lists; + public class HadoopGroupMappingService implements GroupMappingService { private static final Logger LOGGER = LoggerFactory 
@@ -56,11 +58,15 @@ public class HadoopGroupMappingService implements GroupMappingService { @Override public Set<String> getGroups(String user) { + List<String> groupList = Lists.newArrayList(); try { - return new HashSet<String>(groups.getGroups(user)); + groupList = groups.getGroups(user); } catch (IOException e) { - LOGGER.warn("Unable to obtain groups for " + user, e); + throw new SentryGroupNotFoundException("Unable to obtain groups for " + user, e); + } + if (groupList == null || groupList.isEmpty()) { + throw new SentryGroupNotFoundException("Unable to obtain groups for " + user); } - return Collections.emptySet(); + return new HashSet<String>(groupList); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java new file mode 100644 index 0000000..2609bd3 --- /dev/null +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java 
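Review bot: An `IOException` from `groups.getGroups(user)` is a failure of the group backend, yet it is now reported with the same exception type and the same message as a user who simply has no groups, and the `LOGGER.warn` that recorded it is removed. An operator reading the error cannot tell an outage of the group provider from a misconfigured account, and nothing is logged at this layer if a caller swallows the exception. Keeping the log line and using a distinct message would preserve that signal: `LOGGER.warn("Group lookup failed for " + user, e);` followed by `throw new SentryGroupNotFoundException("Group lookup failed for " + user, e);`. Separately, the `Lists.newArrayList()` initialiser is never read, because the variable is either reassigned or the method throws, so `List<String> groupList;` is enough and the new Guava import can go.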
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.common;
+
+public class SentryGroupNotFoundException extends RuntimeException {
+ private static final long serialVersionUID = -116202866086371881L;
+
+ /**
+ * Creates a new SentryGroupNotFoundException.
+ */
+ public SentryGroupNotFoundException() {
+ super();
+ }
+
+ /**
+ * Constructs a new SentryGroupNotFoundException.
+ *
+ * @param message
+ * the reason for the exception
+ */
+ public SentryGroupNotFoundException(String message) {
+ super(message);
+ }
+
+ /**
+ * Constructs a new SentryGroupNotFoundException.
+ *
+ * @param cause
+ * the underlying Throwable that caused this exception to be thrown.
+ */
+ public SentryGroupNotFoundException(Throwable cause) {
+ super(cause);
+ }
+
+ /**
+ * Constructs a new SentryGroupNotFoundException.
+ *
+ * @param message
+ * the reason for the exception
+ * @param cause
+ * the underlying Throwable that caused this exception to be thrown.
+ */ + public SentryGroupNotFoundException(String message, Throwable cause) { + super(message, cause); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java index e22e6b6..1c12f11 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java @@ -18,7 +18,6 @@ package org.apache.sentry.provider.file; import java.io.IOException; -import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; @@ -30,6 +29,7 @@ import org.apache.hadoop.fs.Path; import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.provider.common.PolicyFileConstants; import org.apache.sentry.provider.common.ProviderConstants; +import org.apache.sentry.provider.common.SentryGroupNotFoundException; import org.apache.shiro.config.Ini; import org.apache.shiro.config.Ini.Section; import org.slf4j.Logger; 
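Review bot: The new class has Javadoc on every constructor but none on the class itself, so nothing says when it is thrown or that it is unchecked. Because it changes the `getGroups` contract from "empty set" to "throws", a class comment is the one place callers are likely to find that, for example `/** Thrown by GroupMappingService implementations when a user resolves to no groups or the lookup fails. Unchecked; callers that must deny cleanly need to catch it. */`. The four constructor comments only restate the signatures and could be shortened once the class comment carries the meaning.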
@@ -85,11 +85,11 @@ public class LocalGroupMappingService implements GroupMappingService { @Override public Set<String> getGroups(String user) { - if (groupMap.containsKey(user)) { - return groupMap.get(user); - } else { - return Collections.emptySet(); + Set<String> groups = groupMap.get(user); + if (groups == null || groups.isEmpty()) { + throw new SentryGroupNotFoundException("Unable to obtain groups for " + user); } + return groups; } private void parseGroups(FileSystem fileSystem, Path resourcePath) throws IOException { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java index c436009..c5345bc 100644 --- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java +++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java @@ -23,6 +23,7 @@ import java.util.Set; import org.apache.commons.io.FileUtils; import org.apache.hadoop.fs.Path; +import org.apache.sentry.provider.common.SentryGroupNotFoundException; import org.junit.After; import org.junit.Assert; import org.junit.Before; 
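Review bot: `return groups;` hands the caller the same `Set` instance that is stored in `groupMap`, so a caller that modifies the result would change the group membership used by later authorization decisions. `HadoopGroupMappingService.getGroups` in this commit returns a fresh `HashSet`, and the two implementations should agree. Unless `parseGroups` already stores immutable sets (not visible in this hunk), `return Collections.unmodifiableSet(groups);` closes the gap. That would mean keeping the `java.util.Collections` import that the hunk above removes.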
@@ -63,7 +64,10 @@ public class TestLocalGroupMapping { Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar"); Assert.assertEquals(barGroupsFromResource, barGroups); - Set<String> unknownGroupsFromResource = localGroupMapping.getGroups("unknown"); - Assert.assertTrue("List not empty " + unknownGroupsFromResource, unknownGroupsFromResource.isEmpty()); + try { + localGroupMapping.getGroups("unknown"); + Assert.fail("SentryGroupNotFoundException should be thrown."); + } catch (SentryGroupNotFoundException sgnfe) { + } } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini ---------------------------------------------------------------------- diff --git a/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini b/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini index 8f48a8c..ec029c5 100644 --- a/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini +++ b/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini @@ -33,3 +33,4 @@ queryOnlyAdmin=queryOnlyAdmin updateOnlyAdmin=updateOnlyAdmin multiGroupUser=junit, queryOnlyAdmin, updateOnlyAdmin undefinedRoleUser=undefinedRoleGroup +bogusUser=bogusUserGroup http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java ---------------------------------------------------------------------- diff --git a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java index a3d7d19..694c486 100644 
--- a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java +++ b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java @@ -23,6 +23,7 @@ import java.util.Set; import org.apache.commons.collections.CollectionUtils; import org.apache.sentry.core.model.search.SearchModelAction; +import org.apache.sentry.provider.common.SentryGroupNotFoundException; import org.apache.solr.cloud.CloudDescriptor; import org.apache.solr.common.SolrException; import org.apache.solr.common.params.ModifiableSolrParams; @@ -89,6 +90,17 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase { } } + private void doExpectExceptionWithoutGroup(SentryIndexAuthorizationSingleton singleton, + SolrQueryRequest request, Set<SearchModelAction> actions) + throws Exception { + try { + singleton.authorizeCollectionAction(request, actions, OPERATION_NAME); + Assert.fail("Expected SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException ex) { + // excepted exception, do nothing + } + } + @Test public void testNoBinding() throws Exception { // Use reflection to construct a non-singleton version of SentryIndexAuthorizationSingleton @@ -122,8 +134,7 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase { public void testNullUserName() throws Exception { SolrQueryRequest request = getRequest(); prepareCollAndUser(core, request, "collection1", null); - doExpectUnauthorized(request, EnumSet.of(SearchModelAction.ALL), - "User null does not have privileges for collection1"); + doExpectExceptionWithoutGroup(sentryInstance, request, EnumSet.of(SearchModelAction.ALL)); } @Test 
@@ -131,8 +142,7 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase { System.setProperty("solr.authorization.superuser", ""); SolrQueryRequest request = getRequest(); prepareCollAndUser(core, request, "collection1", "solr"); - doExpectUnauthorized(request, EnumSet.of(SearchModelAction.ALL), - "User solr does not have privileges for collection1"); + doExpectExceptionWithoutGroup(sentryInstance, request, EnumSet.of(SearchModelAction.ALL)); } /** @@ -212,15 +222,21 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase { Collection<String> emptyCollection = ImmutableSet.<String>of(); // null user - Collection<String> roles = sentryInstance.getRoles(null); - assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles)); + try { + sentryInstance.getRoles(null); + Assert.fail("Excepted SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } // no group - roles = sentryInstance.getRoles("bogusUser"); - assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles)); + try { + sentryInstance.getRoles("withoutGroupUser"); + Assert.fail("Excepted SentryGroupNotFoundException"); + } catch (SentryGroupNotFoundException e) { + } // no role - roles = sentryInstance.getRoles("undefinedRoleUser"); + Collection<String> roles = sentryInstance.getRoles("undefinedRoleUser"); assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles)); // single member http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java index 471af1a..02ac514 100644 
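Review bot: Both new failure messages in the `getRoles` checks read `Assert.fail("Excepted SentryGroupNotFoundException")`; the word should be "Expected", as it is in the other tests of this commit. The comment in the new `doExpectExceptionWithoutGroup` helper has the same slip (`// excepted exception, do nothing`). A failing run would otherwise print a message that reads as if the exception had been excluded rather than awaited. The test method starts and ends outside this hunk.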
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java @@ -17,10 +17,9 @@ package org.apache.sentry.tests.e2e.hive; -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.After; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; import java.io.File; import java.io.FileOutputStream; @@ -29,12 +28,16 @@ import java.sql.ResultSet; import java.sql.Statement; import org.apache.hadoop.mapreduce.JobContext; +import org.apache.hive.service.cli.HiveSQLException; +import org.apache.sentry.provider.file.PolicyFile; +import org.junit.After; import org.junit.Before; import org.junit.Test; import com.google.common.io.Resources; public class TestUserManagement extends AbstractTestWithStaticConfiguration { + private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat"; private static final String dbName = "db1"; private static final String tableName = "t1"; 
@@ -343,6 +346,45 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration { } } + /** + * Tests that users without group information will cause the configuration exception + **/ + @Test + public void testGroup9() throws Exception { + policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP); + policyFile.addGroupsToUser("admin1", ADMINGROUP); + writePolicyFile(policyFile); + + Connection connection = context.createConnection("admin1"); + Statement statement = connection.createStatement(); + statement.execute("DROP DATABASE IF EXISTS db1 CASCADE"); + statement.execute("CREATE DATABASE db1"); + statement.execute("USE db1"); + statement.execute("CREATE TABLE t1 (under_col int)"); + statement.close(); + connection.close(); + + // user1 hasn't any group + connection = context.createConnection("user1"); + statement = context.createStatement(connection); + // for any sql need to be authorized, exception will be thrown if the uer hasn't any group + // information + try { + statement.execute("CREATE TABLE db1.t1 (under_col int, value string)"); + fail("User without group configuration, SentryGroupNotFoundException should be thrown "); + } catch (HiveSQLException hse) { + assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0); + } + try { + statement.execute("SELECT under_col from db1.t1"); + fail("User without group configuration, SentryGroupNotFoundException should be thrown "); + } catch (HiveSQLException hse) { + assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0); + } + statement.close(); + connection.close(); + } + @Test public void testMrAclsSetting() throws Exception { Connection connection = context.createConnection("admin1"); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java ---------------------------------------------------------------------- 
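Review bot: Both assertions in `testGroup9` match the text `SentryGroupNotFoundException` inside `hse.getMessage()`, which makes an internal class name part of what a JDBC client is shown and ties the test to that wording. If surfacing the lookup failure to the client is intended, a comment should say so, for example `// the group-lookup failure is passed to the client verbatim; this text is part of the contract`. Otherwise assert on a stable, user-facing message instead. The method comment also calls this a "configuration exception", which does not match the class being checked. Finally, `statement.close()` and `connection.close()` run only when both assertions pass, so a failure leaks the connection into later tests; closing in a `finally` block avoids that.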
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java index 44ed096..3c28fd0 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java @@ -64,7 +64,9 @@ public class TestAuthorizingObjectStore extends @Before public void setup() throws Exception { policyFile = setAdminOnServer1(ADMINGROUP); - policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping()); + // add user ACCESSAllMETAUSER for the test case testPrivilegesForUserNameCaseSensitive + policyFile.addGroupsToUser(userWithoutAccess.toUpperCase(), "tempGroup").setUserGroupMapping( + StaticUserGroup.getStaticMapping()); writePolicyFile(policyFile); super.setup(); 
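Review bot: `userWithoutAccess.toUpperCase()` in `setup()` uses the JVM's default locale, so the user name written to the policy file can differ from the one the case-sensitivity test later connects with when the build runs under a locale with special casing rules (Turkish dotted/dotless i is the usual example). `userWithoutAccess.toUpperCase(Locale.ROOT)` makes the fixture deterministic; it needs `import java.util.Locale;`, which is not visible in this hunk. The new comment also names a literal user (`ACCESSAllMETAUSER`) that the code derives at run time, so it can drift from the constant; naming the constant instead would stay accurate. `setup()` continues outside this hunk.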
@@ -97,31 +99,21 @@ public class TestAuthorizingObjectStore extends client.close(); policyFile - .addRolesToGroup(USERGROUP1, all_role) - .addRolesToGroup(USERGROUP2, db1_t1_role) - .addPermissionsToRole(all_role, "server=server1->db=" + dbName1) - .addPermissionsToRole(all_role, "server=server1->db=" + dbName2) - .addPermissionsToRole( - all_role, - "server=server1->db=" + dbName1 + "->table=" + tabName1 - + "->action=SELECT") - .addPermissionsToRole( - all_role, - "server=server1->db=" + dbName1 + "->table=" + tabName2 - + "->action=SELECT") - .addPermissionsToRole( - all_role, - "server=server1->db=" + dbName2 + "->table=" + tabName3 - + "->action=SELECT") - .addPermissionsToRole( - all_role, - "server=server1->db=" + dbName2 + "->table=" + tabName4 - + "->action=SELECT") - .addPermissionsToRole( - db1_t1_role, - "server=server1->db=" + dbName1 + "->table=" + tabName1 - + "->action=SELECT") - .setUserGroupMapping(StaticUserGroup.getStaticMapping()); + .addRolesToGroup(USERGROUP1, all_role) + .addRolesToGroup(USERGROUP2, db1_t1_role) + .addPermissionsToRole(all_role, "server=server1->db=" + dbName1) + .addPermissionsToRole(all_role, "server=server1->db=" + dbName2) + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT") + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName1 + "->table=" + tabName2 + "->action=SELECT") + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName2 + "->table=" + tabName3 + "->action=SELECT") + .addPermissionsToRole(all_role, + "server=server1->db=" + dbName2 + "->table=" + tabName4 + "->action=SELECT") + .addPermissionsToRole(db1_t1_role, + "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT") + .setUserGroupMapping(StaticUserGroup.getStaticMapping()); writePolicyFile(policyFile); } 
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/557c8183/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini index 34a030d..bccc63e 100644 --- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini +++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini @@ -115,10 +115,12 @@ admin_q__sentryCollection_ = admin_query_group, admin_ua__sentryCollection_ = admin_update_group, admin_all_group, admin_u__sentryCollection_ = admin_update_group, admin_a__sentryCollection_ = admin_all_group, +admin___sentryCollection_ = sentryCollection_temp_group, sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, sentryCollection_q = sentryCollection_query_group, sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, sentryCollection_u = sentryCollection_update_group, -sentryCollection_a = sentryCollection_all_group, \ No newline at end of file +sentryCollection_a = sentryCollection_all_group, +sentryCollection_ = sentryCollection_temp_group \ No newline at end of file
