[GitHub] [incubator-pegasus] acelyc111 commented on a diff in pull request #1402: feat(Ranger): Use Apache Ranger for meta access controller

Wed, 29 Mar 2023 08:05:38 -0700 


acelyc111 commented on code in PR #1402:
URL: 
https://github.com/apache/incubator-pegasus/pull/1402#discussion_r1152092301


##########
src/runtime/test/ranger_resource_policy_manager_test.cpp:
##########
@@ -256,5 +257,96 @@ TEST(ranger_resource_policy_manager_test, 
get_table_name_from_app_name_test)
     }
 }
 
+class ranger_resource_policy_manager_function_test : public 
ranger_resource_policy_manager,
+                                                     public testing::Test
+{
+public:
+    ranger_resource_policy_manager_function_test() : 
ranger_resource_policy_manager(nullptr)
+    {
+        acl_policies fake_policy_1;
+        fake_policy_1.allow_policies = {
+            {access_type::kList | access_type::kMetadata, {"user1", "user2"}}};
+        fake_policy_1.allow_policies_exclude = {{access_type::kMetadata, 
{"user2"}}};
+        ranger_resource_policy fake_ranger_resource_policy_1;
+        fake_ranger_resource_policy_1.database_names = {"database1"};
+        fake_ranger_resource_policy_1.policies = fake_policy_1;
+        acl_policies fake_policy_2;
+        fake_policy_2.allow_policies = {
+            {access_type::kCreate | access_type::kDrop | access_type::kControl,
+             {"user3", "user4"}}};
+        fake_policy_2.allow_policies_exclude = {{access_type::kControl, 
{"user4"}}};
+        ranger_resource_policy fake_ranger_resource_policy_2;
+        fake_ranger_resource_policy_2.database_names = {"database2"};
+        fake_ranger_resource_policy_2.policies = fake_policy_2;
+        acl_policies fake_policy_3;
+        fake_policy_3.allow_policies = {{access_type::kCreate, {"user5", 
"user6"}}};
+        fake_policy_3.allow_policies_exclude = {{access_type::kCreate, 
{"user6"}}};
+        ranger_resource_policy fake_ranger_resource_policy_3;
+        fake_ranger_resource_policy_3.database_names = {"*"};
+        fake_ranger_resource_policy_3.policies = fake_policy_3;
+        _database_policies_cache = {fake_ranger_resource_policy_1,
+                                    fake_ranger_resource_policy_2,
+                                    fake_ranger_resource_policy_3};
+
+        acl_policies fake_policy_4;
+        fake_policy_4.allow_policies = {{access_type::kMetadata, {"user7", 
"user8"}}};
+        fake_policy_4.allow_policies_exclude = {{access_type::kMetadata, 
{"user8"}}};
+        ranger_resource_policy fake_ranger_resource_policy_4;
+        fake_ranger_resource_policy_4.database_names = {"database3"};
+        fake_ranger_resource_policy_4.policies = fake_policy_4;
+        acl_policies fake_policy_5;
+        fake_policy_5.allow_policies = {{access_type::kControl, {"user9", 
"user10"}}};
+        fake_policy_5.allow_policies_exclude = {{access_type::kControl, 
{"user10"}}};
+        ranger_resource_policy fake_ranger_resource_policy_5;
+        fake_ranger_resource_policy_5.database_names = {"database4"};
+        fake_ranger_resource_policy_5.policies = fake_policy_5;
+        _global_policies_cache = {fake_ranger_resource_policy_4, 
fake_ranger_resource_policy_5};
+    }
+};
+
+TEST_F(ranger_resource_policy_manager_function_test, allowed)
+{
+    struct test_case
+    {
+        std::string rpc_code;
+        std::string user_name;
+        std::string database_name;
+        bool expected_result;
+    } tests[] = {{"TASK_CODE_INVALID", "user1", "database1", false},
+                 {"RPC_CM_CREATE_APP", "user1", "database1", false},
+                 {"RPC_CM_CREATE_APP", "user2", "database1", false},
+                 {"RPC_CM_LIST_APPS", "user1", "database1", true},
+                 {"RPC_CM_LIST_APPS", "user2", "database1", true},
+                 {"RPC_CM_GET_MAX_REPLICA_COUNT", "user1", "database1", true},
+                 {"RPC_CM_GET_MAX_REPLICA_COUNT", "user2", "database1", false},
+                 {"TASK_CODE_INVALID", "user3", "database2", false},
+                 {"RPC_CM_CREATE_APP", "user3", "database2", true},
+                 {"RPC_CM_CREATE_APP", "user4", "database2", true},
+                 {"RPC_CM_START_BACKUP_APP", "user3", "database2", true},
+                 {"RPC_CM_START_BACKUP_APP", "user4", "database2", false},
+                 {"TASK_CODE_INVALID", "user5", "", false},
+                 {"RPC_CM_CREATE_APP", "user5", "", true},
+                 {"RPC_CM_CREATE_APP", "user5", "database2", false},
+                 {"RPC_CM_CREATE_APP", "user6", "", false},
+                 {"RPC_CM_CREATE_APP", "user6", "database2", false},
+                 {"TASK_CODE_INVALID", "user7", "database3", false},
+                 {"RPC_CM_LIST_NODES", "user7", "database3", true},
+                 {"RPC_CM_LIST_NODES", "user8", "database3", false},
+                 {"RPC_CM_LIST_APPS", "user7", "database3", true},
+                 {"RPC_CM_LIST_APPS", "user8", "database3", false},
+                 {"TASK_CODE_INVALID", "user9", "database4", false},
+                 {"RPC_CM_LIST_NODES", "user9", "database4", false},
+                 {"RPC_CM_LIST_NODES", "user10", "database4", false},
+                 {"RPC_CM_LIST_APPS", "user9", "database4", false},
+                 {"RPC_CM_LIST_APPS", "user10", "database4", false},
+                 {"RPC_CM_CONTROL_META", "user9", "database4", true},
+                 {"RPC_CM_CONTROL_META", "user10", "database4", false}};
+    for (const auto &test : tests) {
+        auto code = task_code::try_get(test.rpc_code, TASK_CODE_INVALID);
+        auto actual_result = allowed(code, test.user_name, test.database_name);
+        EXPECT_EQ(test.expected_result, actual_result);

Review Comment:
   How about output parameters like the following, so if any case failed, you 
can find out which case failed immediately.
   ```
   EXPECT_EQ(test.expected_result, actual_result) << fmt::format("rpc_code: {}, 
user_name: {}, database_name: {}", rpc_code, user_name, database_name);
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to