SENTRY-1123: Add test cases for Hive, Solr, Index, Sqoop with the CommonPrivilege(Colin Ma, Reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/6c248e46 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/6c248e46 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/6c248e46 Branch: refs/heads/SENTRY-999 Commit: 6c248e4655f32f62baf00538cd4672b3373fc8cb Parents: 0c00651 Author: Colin Ma <[email protected]> Authored: Tue Mar 15 15:30:13 2016 +0800 Committer: Colin Ma <[email protected]> Committed: Tue Mar 15 15:30:13 2016 +0800 ---------------------------------------------------------------------- .../hive/TestCommonPrivilegeForHive.java | 345 +++++++++++++++++++ .../solr/TestCommonPrivilegeForSearch.java | 215 ++++++++++++ .../sqoop/TestCommonPrivilegeForSqoop.java | 197 +++++++++++ .../core/common/utils/SentryConstants.java | 2 + .../sentry/policy/common/CommonPrivilege.java | 41 ++- .../policy/db/TestDBWildcardPrivilege.java | 338 ------------------ .../indexer/TestCommonPrivilegeForIndexer.java | 215 ++++++++++++ .../indexer/TestIndexerWildcardPrivilege.java | 205 ----------- .../search/TestSearchWildcardPrivilege.java | 205 ----------- .../sqoop/TestSqoopWildcardPrivilege.java | 178 ---------- 10 files changed, 1005 insertions(+), 936 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java new file mode 100644 index 0000000..28674bd --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java @@ -0,0 +1,345 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.privilege.hive; + +import junit.framework.Assert; +import org.apache.sentry.core.common.Model; +import org.apache.sentry.core.common.utils.KeyValue; +import org.apache.sentry.core.common.utils.PathUtils; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.HivePrivilegeModel; +import org.apache.sentry.policy.common.CommonPrivilege; +import org.apache.sentry.policy.common.Privilege; +import org.junit.Before; +import org.junit.Test; + +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; + +public class TestCommonPrivilegeForHive { + + private Model hivePrivilegeModel; + + private static final String ALL = AccessConstants.ALL; + + private static final CommonPrivilege ROLE_SERVER_SERVER1_DB_ALL = + create(new KeyValue("server", "server1"), new KeyValue("db", ALL)); + private static final CommonPrivilege ROLE_SERVER_SERVER1_DB_DB1 = + create(new KeyValue("server", "server1"), new KeyValue("db", "db1")); + private static final CommonPrivilege ROLE_SERVER_SERVER2_DB_ALL = + create(new KeyValue("server", "server2"), new KeyValue("db", ALL)); + private static final CommonPrivilege ROLE_SERVER_SERVER2_DB_DB1 = + create(new KeyValue("server", "server2"), new KeyValue("db", "db1")); + private static final CommonPrivilege ROLE_SERVER_ALL_DB_ALL = + create(new KeyValue("server", ALL), new KeyValue("db", ALL)); + private static final CommonPrivilege ROLE_SERVER_ALL_DB_DB1 = + create(new KeyValue("server", ALL), new KeyValue("db", "db1")); + + private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_URI1 = + create(new KeyValue("server", "server1"), new KeyValue("uri", + "hdfs://namenode:8020/path/to/uri1")); + private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_URI2 = + create(new KeyValue("server", "server1"), new KeyValue("uri", + "hdfs://namenode:8020/path/to/uri2/")); + private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_ALL = + create(new KeyValue("server", "server1"), new KeyValue("uri", ALL)); + + private static final CommonPrivilege ROLE_SERVER_SERVER1 = + create(new KeyValue("server", "server1")); + + private static final CommonPrivilege REQUEST_SERVER1_DB1 = + create(new KeyValue("server", "server1"), new KeyValue("db", "db1")); + private static final CommonPrivilege REQUEST_SERVER2_DB1 = + create(new KeyValue("server", "server2"), new KeyValue("db", "db1")); + private static final CommonPrivilege REQUEST_SERVER1_DB2 = + create(new KeyValue("server", "server1"), new KeyValue("db", "db2")); + private static final CommonPrivilege REQUEST_SERVER2_DB2 = + create(new KeyValue("server", "server2"), new KeyValue("db", "db2")); + + private static final CommonPrivilege REQUEST_SERVER1_URI1 = + create(new KeyValue("server", "server1"), new KeyValue("uri", + "hdfs://namenode:8020/path/to/uri1/some/file")); + private static final CommonPrivilege REQUEST_SERVER1_URI2 = + create(new KeyValue("server", "server1"), new KeyValue("uri", + "hdfs://namenode:8020/path/to/uri2/some/other/file")); + + private static final CommonPrivilege REQUEST_SERVER1_OTHER = + create(new KeyValue("server", "server2"), new KeyValue("other", "thing")); + + private static final CommonPrivilege REQUEST_SERVER1 = + create(new KeyValue("server", "server2")); + + @Before + public void prepareData() { + hivePrivilegeModel = HivePrivilegeModel.getInstance(); + } + + @Test + public void testOther() throws Exception { + assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel)); + } + + @Test + public void testRoleShorterThanRequest() throws Exception { + assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1, hivePrivilegeModel)); + } + + @Test + public void testRolesAndRequests() throws Exception { + // ROLE_SERVER_SERVER1_DB_ALL + assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + // test inverse + assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel)); + + // ROLE_SERVER_SERVER1_DB_DB1 + assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + // test inverse + assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel)); + + // ROLE_SERVER_SERVER2_DB_ALL + assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + // test inverse + assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel)); + + // ROLE_SERVER_SERVER2_DB_DB1 + assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel)); + + // ROLE_SERVER_ALL_DB_ALL + assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + // test inverse + assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel)); + + // ROLE_SERVER_ALL_DB_DB1 + assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel)); + + // test inverse + assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel)); + + // uri + assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel)); + assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel)); + // test inverse + assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL, hivePrivilegeModel)); + assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2, hivePrivilegeModel)); + assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2, hivePrivilegeModel)); + }; + + @Test + public void testUnexpected() throws Exception { + Privilege p = new Privilege() { + @Override + public boolean implies(Privilege p) { + return false; + } + }; + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p)); + + Assert.assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(), + create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode()); + } + + @Test(expected=IllegalArgumentException.class) + public void testNullString() throws Exception { + System.out.println(create((String)null)); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyString() throws Exception { + System.out.println(create("")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(create(KV_JOINER.join("", "db1"))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(create(KV_JOINER.join("db", ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyPart() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_JOINER.join("server", "server1"), ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testOnlySeperators() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); + } + + @Test + public void testImpliesURIPositive() throws Exception { + assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path/to/some/dir")); + assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path")); + assertTrue(PathUtils.impliesURI("file:///path", "file:///path/to/some/dir")); + assertTrue(PathUtils.impliesURI("file:///path", "file:///path")); + } + + @Test + public void testImpliesURINegative() throws Exception { + // relative path + assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path/to/../../other")); + assertFalse(PathUtils.impliesURI("file:///path", "file:///path/to/../../other")); + // bad policy + assertFalse(PathUtils.impliesURI("blah", "hdfs://namenode:8020/path/to/some/dir")); + // bad request + assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "blah")); + // scheme + assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "file:///path/to/some/dir")); + assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "file://namenode:8020/path/to/some/dir")); + // hostname + assertFalse(PathUtils.impliesURI("hdfs://namenode1:8020/path", "hdfs://namenode2:8020/path/to/some/dir")); + // port + assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8021/path/to/some/dir")); + // mangled path + assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/pathFooBar")); + // ends in / + assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/path/FooBar")); + } + + @Test + public void testActionHierarchy() throws Exception { + String dbName = "db1"; + CommonPrivilege dbAll = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "ALL")); + + CommonPrivilege dbSelect = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "SELECT")); + CommonPrivilege dbInsert = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "INSERT")); + CommonPrivilege dbAlter = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "ALTER")); + CommonPrivilege dbCreate = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "CREATE")); + CommonPrivilege dbDrop = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "DROP")); + CommonPrivilege dbIndex = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "INDEX")); + CommonPrivilege dbLock = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "LOCK")); + + assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbLock, hivePrivilegeModel)); + + dbAll = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName), new KeyValue("action", "*")); + + assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbLock, hivePrivilegeModel)); + + dbAll = create(new KeyValue("server", "server1"), + new KeyValue("db", dbName)); + + assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel)); + assertTrue(dbAll.implies(dbLock, hivePrivilegeModel)); + } + + static CommonPrivilege create(KeyValue... keyValues) { + return create(AUTHORIZABLE_JOINER.join(keyValues)); + } + + static CommonPrivilege create(String s) { + return new CommonPrivilege(s); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java new file mode 100644 index 0000000..644e0ef --- /dev/null +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java @@ -0,0 +1,215 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.privilege.solr; + +import org.apache.sentry.core.common.Model; +import org.apache.sentry.core.common.utils.KeyValue; +import org.apache.sentry.core.model.search.SearchConstants; +import org.apache.sentry.core.model.search.SearchPrivilegeModel; +import org.apache.sentry.policy.common.CommonPrivilege; +import org.apache.sentry.policy.common.Privilege; +import org.junit.Before; +import org.junit.Test; + +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; + +public class TestCommonPrivilegeForSearch { + + private Model searchPrivilegeModel; + + private static final String ALL = SearchConstants.ALL; + + @Before + public void prepareData() { + searchPrivilegeModel = SearchPrivilegeModel.getInstance(); + } + + @Test + public void testSimpleNoAction() throws Exception { + CommonPrivilege collection1 = create(new KeyValue("collection", "coll1")); + CommonPrivilege collection2 = create(new KeyValue("collection", "coll2")); + CommonPrivilege collection1Case = create(new KeyValue("colleCtIon", "coLl1")); + + assertTrue(collection1.implies(collection1, searchPrivilegeModel)); + assertTrue(collection2.implies(collection2, searchPrivilegeModel)); + assertTrue(collection1.implies(collection1Case, searchPrivilegeModel)); + assertTrue(collection1Case.implies(collection1, searchPrivilegeModel)); + + assertFalse(collection1.implies(collection2, searchPrivilegeModel)); + assertFalse(collection1Case.implies(collection2, searchPrivilegeModel)); + assertFalse(collection2.implies(collection1, searchPrivilegeModel)); + assertFalse(collection2.implies(collection1Case, searchPrivilegeModel)); + } + + @Test + public void testSimpleAction() throws Exception { + CommonPrivilege query = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); + CommonPrivilege update = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); + CommonPrivilege queryCase = + create(new KeyValue("colleCtIon", "coLl1"), new KeyValue("AcTiOn", "QuERy")); + + assertTrue(query.implies(query, searchPrivilegeModel)); + assertTrue(update.implies(update, searchPrivilegeModel)); + assertTrue(query.implies(queryCase, searchPrivilegeModel)); + assertTrue(queryCase.implies(query, searchPrivilegeModel)); + + assertFalse(query.implies(update, searchPrivilegeModel)); + assertFalse(queryCase.implies(update, searchPrivilegeModel)); + assertFalse(update.implies(query, searchPrivilegeModel)); + assertFalse(update.implies(queryCase, searchPrivilegeModel)); + } + + @Test + public void testRoleShorterThanRequest() throws Exception { + CommonPrivilege collection1 = create(new KeyValue("collection", "coll1")); + CommonPrivilege query = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); + CommonPrivilege update = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); + CommonPrivilege all = + create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL)); + + assertTrue(collection1.implies(query, searchPrivilegeModel)); + assertTrue(collection1.implies(update, searchPrivilegeModel)); + assertTrue(collection1.implies(all, searchPrivilegeModel)); + + assertFalse(query.implies(collection1, searchPrivilegeModel)); + assertFalse(update.implies(collection1, searchPrivilegeModel)); + assertTrue(all.implies(collection1, searchPrivilegeModel)); + } + + @Test + public void testCollectionAll() throws Exception { + CommonPrivilege collectionAll = create(new KeyValue("collection", ALL)); + CommonPrivilege collection1 = create(new KeyValue("collection", "coll1")); + assertTrue(collectionAll.implies(collection1, searchPrivilegeModel)); + assertTrue(collection1.implies(collectionAll, searchPrivilegeModel)); + + CommonPrivilege allUpdate = + create(new KeyValue("collection", ALL), new KeyValue("action", "update")); + CommonPrivilege allQuery = + create(new KeyValue("collection", ALL), new KeyValue("action", "query")); + CommonPrivilege coll1Update = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); + CommonPrivilege coll1Query = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); + assertTrue(allUpdate.implies(coll1Update, searchPrivilegeModel)); + assertTrue(allQuery.implies(coll1Query, searchPrivilegeModel)); + assertTrue(coll1Update.implies(allUpdate, searchPrivilegeModel)); + assertTrue(coll1Query.implies(allQuery, searchPrivilegeModel)); + assertFalse(allUpdate.implies(coll1Query, searchPrivilegeModel)); + assertFalse(coll1Update.implies(coll1Query, searchPrivilegeModel)); + assertFalse(allQuery.implies(coll1Update, searchPrivilegeModel)); + assertFalse(coll1Query.implies(allUpdate, searchPrivilegeModel)); + assertFalse(allUpdate.implies(allQuery, searchPrivilegeModel)); + assertFalse(allQuery.implies(allUpdate, searchPrivilegeModel)); + assertFalse(coll1Update.implies(coll1Query, searchPrivilegeModel)); + assertFalse(coll1Query.implies(coll1Update, searchPrivilegeModel)); + + // test different length paths + assertTrue(collectionAll.implies(allUpdate, searchPrivilegeModel)); + assertTrue(collectionAll.implies(allQuery, searchPrivilegeModel)); + assertTrue(collectionAll.implies(coll1Update, searchPrivilegeModel)); + assertTrue(collectionAll.implies(coll1Query, searchPrivilegeModel)); + assertFalse(allUpdate.implies(collectionAll, searchPrivilegeModel)); + assertFalse(allQuery.implies(collectionAll, searchPrivilegeModel)); + assertFalse(coll1Update.implies(collectionAll, searchPrivilegeModel)); + assertFalse(coll1Query.implies(collectionAll, searchPrivilegeModel)); + } + + @Test + public void testActionAll() throws Exception { + CommonPrivilege coll1All = + create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL)); + CommonPrivilege coll1Update = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); + CommonPrivilege coll1Query = + create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); + assertTrue(coll1All.implies(coll1All, searchPrivilegeModel)); + assertTrue(coll1All.implies(coll1Update, searchPrivilegeModel)); + assertTrue(coll1All.implies(coll1Query, searchPrivilegeModel)); + assertFalse(coll1Update.implies(coll1All, searchPrivilegeModel)); + assertFalse(coll1Query.implies(coll1All, searchPrivilegeModel)); + + // test different lengths + CommonPrivilege coll1 = + create(new KeyValue("collection", "coll1")); + assertTrue(coll1All.implies(coll1, searchPrivilegeModel)); + assertTrue(coll1.implies(coll1All, searchPrivilegeModel)); + } + + @Test + public void testUnexpected() throws Exception { + Privilege p = new Privilege() { + @Override + public boolean implies(Privilege p) { + return false; + } + }; + Privilege collection1 = create(new KeyValue("collection", "coll1")); + assertFalse(collection1.implies(null)); + assertFalse(collection1.implies(p)); + assertFalse(collection1.equals(null)); + assertFalse(collection1.equals(p)); + } + + @Test(expected=IllegalArgumentException.class) + public void testNullString() throws Exception { + System.out.println(create((String)null)); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyString() throws Exception { + System.out.println(create("")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(create(KV_JOINER.join("collection", ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(create(KV_JOINER.join("", "coll1"))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyPart() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_JOINER.join("collection1", "coll1"), ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testOnlySeperators() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); + } + + static CommonPrivilege create(KeyValue... keyValues) { + return create(AUTHORIZABLE_JOINER.join(keyValues)); + } + + static CommonPrivilege create(String s) { + return new CommonPrivilege(s); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java new file mode 100644 index 0000000..0ec7783 --- /dev/null +++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java @@ -0,0 +1,197 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.privilege.sqoop; + +import org.apache.sentry.core.common.Model; +import org.apache.sentry.core.common.utils.KeyValue; +import org.apache.sentry.core.model.sqoop.SqoopActionConstant; +import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel; +import org.apache.sentry.policy.common.CommonPrivilege; +import org.apache.sentry.policy.common.Privilege; +import org.junit.Before; +import org.junit.Test; + +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; + +public class TestCommonPrivilegeForSqoop { + + private Model sqoopPrivilegeModel; + + private static final CommonPrivilege SQOOP_SERVER1_ALL = + create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.ALL)); + private static final CommonPrivilege SQOOP_SERVER1_READ = + create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.READ)); + private static final CommonPrivilege SQOOP_SERVER1_WRITE = + create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.WRITE)); + + private static final CommonPrivilege SQOOP_SERVER1_JOB1_ALL = + create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"), + new KeyValue("action", SqoopActionConstant.ALL)); + private static final CommonPrivilege SQOOP_SERVER1_JOB1_READ = + create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"), + new KeyValue("action", SqoopActionConstant.READ)); + private static final CommonPrivilege SQOOP_SERVER1_JOB1_WRITE = + create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"), + new KeyValue("action", SqoopActionConstant.WRITE)); + + private static final CommonPrivilege SQOOP_SERVER1_LINK1_ALL = + create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"), + new KeyValue("action", SqoopActionConstant.ALL)); + private static final CommonPrivilege SQOOP_SERVER1_LINK1_READ = + create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"), + new KeyValue("action", SqoopActionConstant.READ)); + private static final CommonPrivilege SQOOP_SERVER1_LINK1_WRITE = + create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"), + new KeyValue("action", SqoopActionConstant.WRITE)); + + private static final CommonPrivilege SQOOP_SERVER1_CONNECTOR1_ALL = + create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"), + new KeyValue("action", SqoopActionConstant.ALL)); + private static final CommonPrivilege SQOOP_SERVER1_CONNECTOR1_READ = + create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"), + new KeyValue("action", SqoopActionConstant.READ)); + private static final CommonPrivilege SQOOP_SERVER1_CONNECTOR1_WRITE = + create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"), + new KeyValue("action", SqoopActionConstant.WRITE)); + + @Before + public void prepareData() { + sqoopPrivilegeModel = SqoopPrivilegeModel.getInstance(); + } + + @Test + public void testSimpleAction() throws Exception { + //server + assertFalse(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_READ, sqoopPrivilegeModel)); + assertFalse(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_WRITE, sqoopPrivilegeModel)); + //connector + assertFalse(SQOOP_SERVER1_CONNECTOR1_WRITE.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel)); + assertFalse(SQOOP_SERVER1_CONNECTOR1_READ.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel)); + //job + assertFalse(SQOOP_SERVER1_JOB1_READ.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel)); + assertFalse(SQOOP_SERVER1_JOB1_WRITE.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel)); + //link + assertFalse(SQOOP_SERVER1_LINK1_READ.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel)); + assertFalse(SQOOP_SERVER1_LINK1_WRITE.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel)); + } + + @Test + public void testShorterThanRequest() throws Exception { + //job + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_ALL, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel)); + + assertFalse(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel)); + + //link + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_ALL, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel)); + + assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel)); + + //connector + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_ALL, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel)); + + assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel)); + } + + @Test + public void testActionAll() throws Exception { + //server + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_WRITE, sqoopPrivilegeModel)); + + //job + assertTrue(SQOOP_SERVER1_JOB1_ALL.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_JOB1_ALL.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel)); + + //link + assertTrue(SQOOP_SERVER1_LINK1_ALL.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_LINK1_ALL.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel)); + + //connector + assertTrue(SQOOP_SERVER1_CONNECTOR1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel)); + assertTrue(SQOOP_SERVER1_CONNECTOR1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel)); + } + + @Test + public void testUnexpected() throws Exception { + Privilege p = new Privilege() { + @Override + public boolean implies(Privilege p) { + return false; + } + }; + Privilege job1 = create(new KeyValue("SERVER", "server"), new KeyValue("JOB", "job1")); + assertFalse(job1.implies(null)); + assertFalse(job1.implies(p)); + assertFalse(job1.equals(null)); + assertFalse(job1.equals(p)); + } + + @Test(expected=IllegalArgumentException.class) + public void testNullString() throws Exception { + System.out.println(create((String)null)); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyString() throws Exception { + System.out.println(create("")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(create(KV_JOINER.join("", "server1"))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(create(KV_JOINER.join("SERVER", ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyPart() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_JOINER.join("SERVER", "server1"), ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testOnlySeperators() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); + } + + static CommonPrivilege create(KeyValue... keyValues) { + return create(AUTHORIZABLE_JOINER.join(keyValues)); + } + + static CommonPrivilege create(String s) { + return new CommonPrivilege(s); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java index e752c76..3da4906 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java @@ -37,5 +37,7 @@ public class SentryConstants { public static final String PRIVILEGE_WILDCARD_VALUE = "*"; public static final String RESOURCE_WILDCARD_VALUE = "*"; + public static final String RESOURCE_WILDCARD_VALUE_ALL = "ALL"; + public static final String RESOURCE_WILDCARD_VALUE_SOME = "+"; public static final String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile"; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java index 8583448..43cb5c8 100644 --- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java +++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java @@ -76,6 +76,10 @@ public class CommonPrivilege implements Privilege { String policyKey = part.getKey(); // are the keys even equal if(!policyKey.equalsIgnoreCase(otherPart.getKey())) { + // Support for action inheritance from parent to child + if (SentryConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyKey)) { + continue; + } return false; } @@ -110,12 +114,23 @@ public class CommonPrivilege implements Privilege { // for Hive, databaseName, tableName, columnName will be compared using String.equal(wildcard support) // url will be compared using PathUtils.impliesURI private boolean impliesResource(ImplyMethodType implyMethodType, String policyValue, String requestValue) { + // wildcard support, "*", "+", "all"("+" and "all" are for backward compatibility) are represented as wildcard + // if requestValue is wildcard, means privilege request is to match with any value of given resource + if (SentryConstants.RESOURCE_WILDCARD_VALUE.equals(policyValue) + || SentryConstants.RESOURCE_WILDCARD_VALUE.equals(requestValue) + || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equals(policyValue) + || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equals(requestValue) + || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(policyValue) + || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(requestValue)) { + return true; + } + // compare as the url if (ImplyMethodType.URL == implyMethodType) { return PathUtils.impliesURI(policyValue, requestValue); } - // default: compare as the string with wildcard support - return impliesStringWithWildcard(policyValue, requestValue); + // default: compare as the string + return policyValue.equals(requestValue); } // The method is used for compare the action for the privilege model. @@ -132,14 +147,6 @@ public class CommonPrivilege implements Privilege { return currentAction.implies(requestAction); } - private boolean impliesStringWithWildcard(String policyValue, String requestValue) { - if (SentryConstants.RESOURCE_WILDCARD_VALUE.equals(policyValue)) { - return true; - } - return policyValue.equals(requestValue); - } - - @Override public String toString() { return SentryConstants.AUTHORIZABLE_JOINER.join(parts); @@ -152,4 +159,18 @@ public class CommonPrivilege implements Privilege { public List<KeyValue> getParts() { return parts; } + + @Override + public boolean equals(Object o) { + if (o instanceof CommonPrivilege) { + CommonPrivilege cp = (CommonPrivilege) o; + return parts.equals(cp.parts); + } + return false; + } + + @Override + public int hashCode() { + return parts.hashCode(); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java deleted file mode 100644 index 343a45d..0000000 --- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java +++ /dev/null @@ -1,338 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.sentry.policy.db; -import static junit.framework.Assert.assertEquals; -import static junit.framework.Assert.assertFalse; -import static junit.framework.Assert.assertTrue; -import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; -import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; -import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; - -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.policy.common.Privilege; -import org.apache.sentry.core.common.utils.KeyValue; -import org.junit.Test; - -public class TestDBWildcardPrivilege { - - private static final String ALL = AccessConstants.ALL; - - private static final Privilege ROLE_SERVER_SERVER1_DB_ALL = - create(new KeyValue("server", "server1"), new KeyValue("db", ALL)); - private static final Privilege ROLE_SERVER_SERVER1_DB_DB1 = - create(new KeyValue("server", "server1"), new KeyValue("db", "db1")); - private static final Privilege ROLE_SERVER_SERVER2_DB_ALL = - create(new KeyValue("server", "server2"), new KeyValue("db", ALL)); - private static final Privilege ROLE_SERVER_SERVER2_DB_DB1 = - create(new KeyValue("server", "server2"), new KeyValue("db", "db1")); - private static final Privilege ROLE_SERVER_ALL_DB_ALL = - create(new KeyValue("server", ALL), new KeyValue("db", ALL)); - private static final Privilege ROLE_SERVER_ALL_DB_DB1 = - create(new KeyValue("server", ALL), new KeyValue("db", "db1")); - - private static final Privilege ROLE_SERVER_SERVER1_URI_URI1 = - create(new KeyValue("server", "server1"), new KeyValue("uri", - "hdfs://namenode:8020/path/to/uri1")); - private static final Privilege ROLE_SERVER_SERVER1_URI_URI2 = - create(new KeyValue("server", "server1"), new KeyValue("uri", - "hdfs://namenode:8020/path/to/uri2/")); - private static final Privilege ROLE_SERVER_SERVER1_URI_ALL = - create(new KeyValue("server", "server1"), new KeyValue("uri", ALL)); - - - private static final Privilege ROLE_SERVER_SERVER1 = - create(new KeyValue("server", "server1")); - - - private static final Privilege REQUEST_SERVER1_DB1 = - create(new KeyValue("server", "server1"), new KeyValue("db", "db1")); - private static final Privilege REQUEST_SERVER2_DB1 = - create(new KeyValue("server", "server2"), new KeyValue("db", "db1")); - private static final Privilege REQUEST_SERVER1_DB2 = - create(new KeyValue("server", "server1"), new KeyValue("db", "db2")); - private static final Privilege REQUEST_SERVER2_DB2 = - create(new KeyValue("server", "server2"), new KeyValue("db", "db2")); - - private static final Privilege REQUEST_SERVER1_URI1 = - create(new KeyValue("server", "server1"), new KeyValue("uri", - "hdfs://namenode:8020/path/to/uri1/some/file")); - private static final Privilege REQUEST_SERVER1_URI2 = - create(new KeyValue("server", "server1"), new KeyValue("uri", - "hdfs://namenode:8020/path/to/uri2/some/other/file")); - - private static final Privilege REQUEST_SERVER1_OTHER = - create(new KeyValue("server", "server2"), new KeyValue("other", "thing")); - - private static final Privilege REQUEST_SERVER1 = - create(new KeyValue("server", "server2")); - - @Test - public void testOther() throws Exception { - assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER)); - assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL)); - } - @Test - public void testRoleShorterThanRequest() throws Exception { - assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1)); - assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2)); - assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1)); - assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2)); - - assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1)); - assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1)); - } - @Test - public void testRolesAndRequests() throws Exception { - // ROLE_SERVER_SERVER1_DB_ALL - assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1)); - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1)); - assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2)); - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2)); - - // test inverse - assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL)); - assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL)); - assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL)); - assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL)); - - // ROLE_SERVER_SERVER1_DB_DB1 - assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1)); - assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1)); - assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2)); - assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2)); - - // test inverse - assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1)); - assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1)); - assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1)); - assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1)); - - // ROLE_SERVER_SERVER2_DB_ALL - assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1)); - assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1)); - assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2)); - assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2)); - - // test inverse - assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL)); - assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL)); - assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL)); - assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL)); - - // ROLE_SERVER_SERVER2_DB_DB1 - assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1)); - assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1)); - assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2)); - assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2)); - - assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1)); - assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1)); - assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1)); - assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1)); - - // ROLE_SERVER_ALL_DB_ALL - assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1)); - assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1)); - assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2)); - assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2)); - - // test inverse - assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL)); - assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL)); - assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL)); - assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL)); - - // ROLE_SERVER_ALL_DB_DB1 - assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1)); - assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1)); - assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2)); - assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2)); - - // test inverse - assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1)); - assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1)); - assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1)); - assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1)); - - // uri - assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1)); - assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2)); - assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2)); - assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1)); - assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2)); - assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2)); - assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1)); - assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2)); - assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2)); - assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1)); - assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1)); - assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1)); - // test inverse - assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL)); - assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL)); - assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1)); - assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1)); - assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1)); - assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2)); - assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2)); - }; - @Test - public void testUnexpected() throws Exception { - Privilege p = new Privilege() { - @Override - public boolean implies(Privilege p) { - return false; - } - }; - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null)); - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p)); - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null)); - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p)); - - assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(), - create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode()); - } - @Test(expected=IllegalArgumentException.class) - public void testNullString() throws Exception { - System.out.println(create((String)null)); - } - @Test(expected=IllegalArgumentException.class) - public void testEmptyString() throws Exception { - System.out.println(create("")); - } - @Test(expected=IllegalArgumentException.class) - public void testEmptyKey() throws Exception { - System.out.println(create(KV_JOINER.join("", "db1"))); - } - @Test(expected=IllegalArgumentException.class) - public void testEmptyValue() throws Exception { - System.out.println(create(KV_JOINER.join("db", ""))); - } - @Test(expected=IllegalArgumentException.class) - public void testEmptyPart() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_JOINER.join("server", "server1"), ""))); - } - @Test(expected=IllegalArgumentException.class) - public void testOnlySeperators() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); - } - @Test - public void testImpliesURIPositive() throws Exception { - assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "hdfs://namenode:8020/path/to/some/dir")); - assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "hdfs://namenode:8020/path")); - assertTrue(DBWildcardPrivilege.impliesURI("file:///path", - "file:///path/to/some/dir")); - assertTrue(DBWildcardPrivilege.impliesURI("file:///path", - "file:///path")); - } - @Test - public void testImpliesURINegative() throws Exception { - // relative path - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "hdfs://namenode:8020/path/to/../../other")); - assertFalse(DBWildcardPrivilege.impliesURI("file:///path", - "file:///path/to/../../other")); - // bad policy - assertFalse(DBWildcardPrivilege.impliesURI("blah", - "hdfs://namenode:8020/path/to/some/dir")); - // bad request - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "blah")); - // scheme - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "file:///path/to/some/dir")); - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "file://namenode:8020/path/to/some/dir")); - // hostname - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode1:8020/path", - "hdfs://namenode2:8020/path/to/some/dir")); - // port - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "hdfs://namenode:8021/path/to/some/dir")); - // mangled path - assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path", - "hdfs://namenode:8020/pathFooBar")); - // ends in / - assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path/", - "hdfs://namenode:8020/path/FooBar")); - } - @Test - public void testActionHierarchy() throws Exception { - String dbName = "db1"; - DBWildcardPrivilege dbAll = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "ALL")); - - DBWildcardPrivilege dbSelect = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "SELECT")); - DBWildcardPrivilege dbInsert = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "INSERT")); - DBWildcardPrivilege dbAlter = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "ALTER")); - DBWildcardPrivilege dbCreate = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "CREATE")); - DBWildcardPrivilege dbDrop = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "DROP")); - DBWildcardPrivilege dbIndex = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "INDEX")); - DBWildcardPrivilege dbLock = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "LOCK")); - - assertTrue(dbAll.implies(dbSelect)); - assertTrue(dbAll.implies(dbInsert)); - assertTrue(dbAll.implies(dbAlter)); - assertTrue(dbAll.implies(dbCreate)); - assertTrue(dbAll.implies(dbDrop)); - assertTrue(dbAll.implies(dbIndex)); - assertTrue(dbAll.implies(dbLock)); - - dbAll = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName), new KeyValue("action", "*")); - - assertTrue(dbAll.implies(dbSelect)); - assertTrue(dbAll.implies(dbInsert)); - assertTrue(dbAll.implies(dbAlter)); - assertTrue(dbAll.implies(dbCreate)); - assertTrue(dbAll.implies(dbDrop)); - assertTrue(dbAll.implies(dbIndex)); - assertTrue(dbAll.implies(dbLock)); - - dbAll = create(new KeyValue("server", "server1"), - new KeyValue("db", dbName)); - - assertTrue(dbAll.implies(dbSelect)); - assertTrue(dbAll.implies(dbInsert)); - assertTrue(dbAll.implies(dbAlter)); - assertTrue(dbAll.implies(dbCreate)); - assertTrue(dbAll.implies(dbDrop)); - assertTrue(dbAll.implies(dbIndex)); - assertTrue(dbAll.implies(dbLock)); - - } - static DBWildcardPrivilege create(KeyValue... keyValues) { - return create(AUTHORIZABLE_JOINER.join(keyValues)); - - } - static DBWildcardPrivilege create(String s) { - return new DBWildcardPrivilege(s); - } -} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java new file mode 100644 index 0000000..42fed4b --- /dev/null +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java @@ -0,0 +1,215 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.policy.indexer; + +import org.apache.sentry.core.common.Model; +import org.apache.sentry.core.common.utils.KeyValue; +import org.apache.sentry.core.model.indexer.IndexerConstants; +import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel; +import org.apache.sentry.policy.common.CommonPrivilege; +import org.apache.sentry.policy.common.Privilege; +import org.junit.Before; +import org.junit.Test; + +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; + +public class TestCommonPrivilegeForIndexer { + + private Model indexerPrivilegeModel; + + private static final String ALL = IndexerConstants.ALL; + + @Before + public void prepareData() { + indexerPrivilegeModel = IndexerPrivilegeModel.getInstance(); + } + + @Test + public void testSimpleNoAction() throws Exception { + CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1")); + CommonPrivilege indexer2 = create(new KeyValue("indexer", "ind2")); + CommonPrivilege indexer1Case = create(new KeyValue("indeXeR", "inD1")); + + assertTrue(indexer1.implies(indexer1, indexerPrivilegeModel)); + assertTrue(indexer2.implies(indexer2, indexerPrivilegeModel)); + assertTrue(indexer1.implies(indexer1Case, indexerPrivilegeModel)); + assertTrue(indexer1Case.implies(indexer1, indexerPrivilegeModel)); + + assertFalse(indexer1.implies(indexer2, indexerPrivilegeModel)); + assertFalse(indexer1Case.implies(indexer2, indexerPrivilegeModel)); + assertFalse(indexer2.implies(indexer1, indexerPrivilegeModel)); + assertFalse(indexer2.implies(indexer1Case, indexerPrivilegeModel)); + } + + @Test + public void testSimpleAction() throws Exception { + CommonPrivilege read = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); + CommonPrivilege write = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); + CommonPrivilege readCase = + create(new KeyValue("indeXeR", "iNd1"), new KeyValue("AcTiOn", "ReAd")); + + assertTrue(read.implies(read, indexerPrivilegeModel)); + assertTrue(write.implies(write, indexerPrivilegeModel)); + assertTrue(read.implies(readCase, indexerPrivilegeModel)); + assertTrue(readCase.implies(read, indexerPrivilegeModel)); + + assertFalse(read.implies(write, indexerPrivilegeModel)); + assertFalse(readCase.implies(write, indexerPrivilegeModel)); + assertFalse(write.implies(read, indexerPrivilegeModel)); + assertFalse(write.implies(readCase, indexerPrivilegeModel)); + } + + @Test + public void testRoleShorterThanRequest() throws Exception { + CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1")); + CommonPrivilege read = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); + CommonPrivilege write = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); + CommonPrivilege all = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", ALL)); + + assertTrue(indexer1.implies(read, indexerPrivilegeModel)); + assertTrue(indexer1.implies(write, indexerPrivilegeModel)); + assertTrue(indexer1.implies(all, indexerPrivilegeModel)); + + assertFalse(read.implies(indexer1, indexerPrivilegeModel)); + assertFalse(write.implies(indexer1, indexerPrivilegeModel)); + assertTrue(all.implies(indexer1, indexerPrivilegeModel)); + } + + @Test + public void testIndexerAll() throws Exception { + CommonPrivilege indexerAll = create(new KeyValue("indexer", ALL)); + CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1")); + assertTrue(indexerAll.implies(indexer1, indexerPrivilegeModel)); + assertTrue(indexer1.implies(indexerAll, indexerPrivilegeModel)); + + CommonPrivilege allWrite = + create(new KeyValue("indexer", ALL), new KeyValue("action", "write")); + CommonPrivilege allRead = + create(new KeyValue("indexer", ALL), new KeyValue("action", "read")); + CommonPrivilege ind1Write = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); + CommonPrivilege ind1Read = + create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); + assertTrue(allWrite.implies(ind1Write, indexerPrivilegeModel)); + assertTrue(allRead.implies(ind1Read, indexerPrivilegeModel)); + assertTrue(ind1Write.implies(allWrite, indexerPrivilegeModel)); + assertTrue(ind1Read.implies(allRead, indexerPrivilegeModel)); + assertFalse(allWrite.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(allRead.implies(ind1Write, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(allWrite, indexerPrivilegeModel)); + assertFalse(allWrite.implies(allRead, indexerPrivilegeModel)); + assertFalse(allRead.implies(allWrite, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(ind1Write, indexerPrivilegeModel)); + + // test different length paths + assertTrue(indexerAll.implies(allWrite, indexerPrivilegeModel)); + assertTrue(indexerAll.implies(allRead, indexerPrivilegeModel)); + assertTrue(indexerAll.implies(ind1Write, indexerPrivilegeModel)); + assertTrue(indexerAll.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(allWrite.implies(indexerAll, indexerPrivilegeModel)); + assertFalse(allRead.implies(indexerAll, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(indexerAll, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(indexerAll, indexerPrivilegeModel)); + } + + @Test + public void testActionAll() throws Exception { + CommonPrivilege ind1All = + create(new KeyValue("indexer", "index1"), new KeyValue("action", ALL)); + CommonPrivilege ind1Write = + create(new KeyValue("indexer", "index1"), new KeyValue("action", "write")); + CommonPrivilege ind1Read = + create(new KeyValue("indexer", "index1"), new KeyValue("action", "read")); + assertTrue(ind1All.implies(ind1All, indexerPrivilegeModel)); + assertTrue(ind1All.implies(ind1Write, indexerPrivilegeModel)); + assertTrue(ind1All.implies(ind1Read, indexerPrivilegeModel)); + assertFalse(ind1Write.implies(ind1All, indexerPrivilegeModel)); + assertFalse(ind1Read.implies(ind1All, indexerPrivilegeModel)); + + // test different lengths + CommonPrivilege ind1 = + create(new KeyValue("indexer", "index1")); + assertTrue(ind1All.implies(ind1, indexerPrivilegeModel)); + assertTrue(ind1.implies(ind1All, indexerPrivilegeModel)); + } + + @Test + public void testUnexpected() throws Exception { + Privilege p = new Privilege() { + @Override + public boolean implies(Privilege p) { + return false; + } + }; + CommonPrivilege indexer1 = create(new KeyValue("indexer", "index1")); + assertFalse(indexer1.implies(null)); + assertFalse(indexer1.implies(p)); + assertFalse(indexer1.equals(null)); + assertFalse(indexer1.equals(p)); + } + + @Test(expected=IllegalArgumentException.class) + public void testNullString() throws Exception { + System.out.println(create((String)null)); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyString() throws Exception { + System.out.println(create("")); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyKey() throws Exception { + System.out.println(create(KV_JOINER.join("indexer", ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyValue() throws Exception { + System.out.println(create(KV_JOINER.join("", "index1"))); + } + + @Test(expected=IllegalArgumentException.class) + public void testEmptyPart() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_JOINER.join("indexer11", "index1"), ""))); + } + + @Test(expected=IllegalArgumentException.class) + public void testOnlySeperators() throws Exception { + System.out.println(create(AUTHORIZABLE_JOINER. + join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); + } + + static CommonPrivilege create(KeyValue... keyValues) { + return create(AUTHORIZABLE_JOINER.join(keyValues)); + } + + static CommonPrivilege create(String s) { + return new CommonPrivilege(s); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java deleted file mode 100644 index 3ecde2d..0000000 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java +++ /dev/null @@ -1,205 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.sentry.policy.indexer; -import static junit.framework.Assert.assertFalse; -import static junit.framework.Assert.assertTrue; -import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; -import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; -import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; - -import org.apache.sentry.core.model.indexer.IndexerConstants; -import org.apache.sentry.policy.common.Privilege; -import org.apache.sentry.core.common.utils.KeyValue; -import org.junit.Test; - -public class TestIndexerWildcardPrivilege { - - private static final String ALL = IndexerConstants.ALL; - - @Test - public void testSimpleNoAction() throws Exception { - Privilege indexer1 = create(new KeyValue("indexer", "ind1")); - Privilege indexer2 = create(new KeyValue("indexer", "ind2")); - Privilege indexer1Case = create(new KeyValue("indeXeR", "inD1")); - - assertTrue(indexer1.implies(indexer1)); - assertTrue(indexer2.implies(indexer2)); - assertTrue(indexer1.implies(indexer1Case)); - assertTrue(indexer1Case.implies(indexer1)); - - assertFalse(indexer1.implies(indexer2)); - assertFalse(indexer1Case.implies(indexer2)); - assertFalse(indexer2.implies(indexer1)); - assertFalse(indexer2.implies(indexer1Case)); - } - - @Test - public void testSimpleAction() throws Exception { - Privilege read = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); - Privilege write = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); - Privilege readCase = - create(new KeyValue("indeXeR", "iNd1"), new KeyValue("AcTiOn", "ReAd")); - - assertTrue(read.implies(read)); - assertTrue(write.implies(write)); - assertTrue(read.implies(readCase)); - assertTrue(readCase.implies(read)); - - assertFalse(read.implies(write)); - assertFalse(readCase.implies(write)); - assertFalse(write.implies(read)); - assertFalse(write.implies(readCase)); - } - - @Test - public void testRoleShorterThanRequest() throws Exception { - Privilege indexer1 = create(new KeyValue("indexer", "ind1")); - Privilege read = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); - Privilege write = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); - Privilege all = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", ALL)); - - assertTrue(indexer1.implies(read)); - assertTrue(indexer1.implies(write)); - assertTrue(indexer1.implies(all)); - - assertFalse(read.implies(indexer1)); - assertFalse(write.implies(indexer1)); - assertTrue(all.implies(indexer1)); - } - - @Test - public void testIndexerAll() throws Exception { - Privilege indexerAll = create(new KeyValue("indexer", ALL)); - Privilege indexer1 = create(new KeyValue("indexer", "ind1")); - assertTrue(indexerAll.implies(indexer1)); - assertTrue(indexer1.implies(indexerAll)); - - Privilege allWrite = - create(new KeyValue("indexer", ALL), new KeyValue("action", "write")); - Privilege allRead = - create(new KeyValue("indexer", ALL), new KeyValue("action", "read")); - Privilege ind1Write = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write")); - Privilege ind1Read = - create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read")); - assertTrue(allWrite.implies(ind1Write)); - assertTrue(allRead.implies(ind1Read)); - assertTrue(ind1Write.implies(allWrite)); - assertTrue(ind1Read.implies(allRead)); - assertFalse(allWrite.implies(ind1Read)); - assertFalse(ind1Write.implies(ind1Read)); - assertFalse(allRead.implies(ind1Write)); - assertFalse(ind1Read.implies(allWrite)); - assertFalse(allWrite.implies(allRead)); - assertFalse(allRead.implies(allWrite)); - assertFalse(ind1Write.implies(ind1Read)); - assertFalse(ind1Read.implies(ind1Write)); - - // test different length paths - assertTrue(indexerAll.implies(allWrite)); - assertTrue(indexerAll.implies(allRead)); - assertTrue(indexerAll.implies(ind1Write)); - assertTrue(indexerAll.implies(ind1Read)); - assertFalse(allWrite.implies(indexerAll)); - assertFalse(allRead.implies(indexerAll)); - assertFalse(ind1Write.implies(indexerAll)); - assertFalse(ind1Read.implies(indexerAll)); - } - - @Test - public void testActionAll() throws Exception { - Privilege ind1All = - create(new KeyValue("indexer", "index1"), new KeyValue("action", ALL)); - Privilege ind1Write = - create(new KeyValue("indexer", "index1"), new KeyValue("action", "write")); - Privilege ind1Read = - create(new KeyValue("indexer", "index1"), new KeyValue("action", "read")); - assertTrue(ind1All.implies(ind1All)); - assertTrue(ind1All.implies(ind1Write)); - assertTrue(ind1All.implies(ind1Read)); - assertFalse(ind1Write.implies(ind1All)); - assertFalse(ind1Read.implies(ind1All)); - - // test different lengths - Privilege ind1 = - create(new KeyValue("indexer", "index1")); - assertTrue(ind1All.implies(ind1)); - assertTrue(ind1.implies(ind1All)); - } - - @Test - public void testUnexpected() throws Exception { - Privilege p = new Privilege() { - @Override - public boolean implies(Privilege p) { - return false; - } - }; - Privilege indexer1 = create(new KeyValue("indexer", "index1")); - assertFalse(indexer1.implies(null)); - assertFalse(indexer1.implies(p)); - assertFalse(indexer1.equals(null)); - assertFalse(indexer1.equals(p)); - } - - @Test(expected=IllegalArgumentException.class) - public void testNullString() throws Exception { - System.out.println(create((String)null)); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyString() throws Exception { - System.out.println(create("")); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyKey() throws Exception { - System.out.println(create(KV_JOINER.join("indexer", ""))); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyValue() throws Exception { - System.out.println(create(KV_JOINER.join("", "index1"))); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyPart() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_JOINER.join("indexer11", "index1"), ""))); - } - - @Test(expected=IllegalArgumentException.class) - public void testOnlySeperators() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); - } - - static IndexerWildcardPrivilege create(KeyValue... keyValues) { - return create(AUTHORIZABLE_JOINER.join(keyValues)); - - } - static IndexerWildcardPrivilege create(String s) { - return new IndexerWildcardPrivilege(s); - } -}
