/**
 * Wires the processor to its backing store, its notification handlers and the
 * configured administrator groups.
 *
 * <p>The admin group names are read once from {@code ServerConfig.ADMIN_GROUPS} and
 * frozen into an immutable set, so later changes to {@code conf} do not alter them.
 * When the key is unset the fallback is an empty array, which yields an empty set.
 * NOTE(review): presumably an empty set means no group is treated as administrator;
 * confirm against the code that consults {@code adminGroups}.
 *
 * @param conf service configuration handed to the store and to the handler factory
 * @throws Exception if the store or the notification handlers cannot be created
 */
SentryGenericPolicyProcessor(Configuration conf) throws Exception {
  this.store = new DelegateSentryStore(conf);
  this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf));
  this.conf = conf;

  // Duplicates in the configured list collapse in the intermediate hash set.
  String[] configuredAdminGroups = conf.getStrings(ServerConfig.ADMIN_GROUPS, new String[]{});
  adminGroups = ImmutableSet.copyOf(Sets.newHashSet(configuredAdminGroups));
}
/**
 * Walks one role/group mapping through its whole life cycle: attach groups to two
 * roles, check both lookup directions, then detach the groups again and check that
 * the mapping shrinks until it is empty.
 */
@Test
public void testAddDeleteRoleToGroups() throws Exception {
  String grantor = "grantor";
  String firstRole = "r1";
  String secondRole = "r2";
  Set<String> groupPair = Sets.newHashSet("g1", "g2");
  Set<String> singleGroup = Sets.newHashSet("g3");

  sentryStore.createRole(SEARCH, firstRole, grantor);
  sentryStore.createRole(SEARCH, secondRole, grantor);

  // Attach two groups to the first role and verify role->groups and groups->role.
  sentryStore.alterRoleAddGroups(SEARCH, firstRole, groupPair, grantor);
  assertEquals(groupPair,
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(firstRole)));
  assertEquals(Sets.newHashSet(firstRole),
      sentryStore.getRolesByGroups(SEARCH, groupPair));

  // The second role gets its own, disjoint group.
  sentryStore.alterRoleAddGroups(SEARCH, secondRole, singleGroup, grantor);
  assertEquals(singleGroup,
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(secondRole)));

  // Detaching one group must leave the other one attached.
  sentryStore.alterRoleDeleteGroups(SEARCH, firstRole, Sets.newHashSet("g1"), grantor);
  assertEquals(Sets.newHashSet("g2"),
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(firstRole)));

  // Detaching the only group must leave the role with no groups at all.
  sentryStore.alterRoleDeleteGroups(SEARCH, secondRole, singleGroup, grantor);
  assertEquals(Sets.newHashSet(),
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(secondRole)));
}
/**
 * Empties every table of the shared store after each test, so roles, groups and
 * privileges created by one test are not visible to the next.
 */
@After
public void clearData() throws Exception {
  sentryStore.clearAllTables();
}
/**
 * Two roles attached to the same pair of groups must both come back when the store
 * is asked for the roles of those groups.
 */
@Test
public void testGetRolesByGroupNames() throws Exception {
  String grantor = "grantor";
  String firstRole = "r1";
  String secondRole = "r2";
  Set<String> groupPair = Sets.newHashSet("g1", "g2");

  sentryStore.createRole(SEARCH, firstRole, grantor);
  sentryStore.createRole(SEARCH, secondRole, grantor);

  // Both roles share exactly the same groups.
  sentryStore.alterRoleAddGroups(SEARCH, firstRole, groupPair, grantor);
  sentryStore.alterRoleAddGroups(SEARCH, secondRole, groupPair, grantor);

  assertEquals(Sets.newHashSet(firstRole, secondRole),
      sentryStore.getRolesByGroups(SEARCH, groupPair));
}
/**
 * Creates a role and drops it again. The test has no assertion of its own: it
 * passes as long as neither store call throws.
 */
@Test
public void testCreateDropRole() throws Exception {
  String grantor = "grantor";
  String droppedRole = "test-drop-role";

  sentryStore.createRole(SEARCH, droppedRole, grantor);
  sentryStore.dropRole(SEARCH, droppedRole, grantor);
}
/**
 * Two roles attached to the same pair of groups must report that pair when queried
 * individually, and the union must not contain anything else when both roles are
 * queried together.
 */
@Test
public void testGetGroupsByRoleNames() throws Exception {
  String grantor = "grantor";
  String firstRole = "r1";
  String secondRole = "r2";
  Set<String> groupPair = Sets.newHashSet("g1", "g2");

  sentryStore.createRole(SEARCH, firstRole, grantor);
  sentryStore.createRole(SEARCH, secondRole, grantor);
  sentryStore.alterRoleAddGroups(SEARCH, firstRole, groupPair, grantor);
  sentryStore.alterRoleAddGroups(SEARCH, secondRole, groupPair, grantor);

  // Each role on its own.
  assertEquals(groupPair,
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(firstRole)));
  assertEquals(groupPair,
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(secondRole)));

  // Both roles at once: the shared groups are reported once, not duplicated.
  assertEquals(groupPair,
      sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(firstRole, secondRole)));
}
sentryStore.createRole(SEARCH, roleName1, grantor); .build(); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, ADMIN_USER); assertEquals(Sets.newHashSet(queryPrivilege), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.alterRoleAddGroups(SEARCH, roleName1, Sets.newHashSet(GRANT_OPTION_GROUP), grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER); assertEquals(Sets.newHashSet(queryPrivilege), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.alterRoleRevokePrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER); assertEquals(Sets.newHashSet(), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
.build(); sentryStore.createRole(SEARCH, roleName1, grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege,grantor); assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,grantor); assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, allPrivilege, grantor); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
.build(); sentryStore.createRole(SEARCH, roleName1, grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.createRole(SEARCH, roleName3, grantor); sentryStore.alterRoleAddGroups(SEARCH, roleName3, Sets.newHashSet(group), grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor); sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1), null, null)); sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), null, null)); sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), Sets.newHashSet(group), null)); sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), Sets.newHashSet(group), authorizables));
sentryStore.createRole(SEARCH, roleName1, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege, grantor); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.dropPrivilege(SEARCH, queryPrivilege, grantor); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.dropPrivilege(SEARCH, allPrivilege, grantor); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor); sentryStore.dropPrivilege(SEARCH, parentPrivilege, grantor); assertEquals(Sets.newHashSet(),
sentryStore.createRole(SEARCH, roleName1, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldQueryPrivilege, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldUpdatePrivilege, grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, oldALLPrivilege, grantor); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.renamePrivilege(SEARCH, SERVICE, oldAuthoriables, newAuthoriables, sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); .build(); sentryStore.renamePrivilege(SEARCH, SERVICE, Arrays.asList(new Collection(COLLECTION_NAME)), Arrays.asList(new Collection(NOT_COLLECTION_NAME)), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
sentryStore.createRole(SEARCH, role1, grantor); sentryStore.createRole(SEARCH, role2, grantor); sentryStore.createRole(SEARCH, role3, grantor); sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor); Set<TSentryRole> tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, twoGroups); assertEquals(1, tRoles.size()); for(TSentryRole tRole:tRoles) { assertEquals(Sets.newHashSet(role1), sentryStore.getRolesByGroups(SEARCH, twoGroups)); sentryStore.alterRoleAddGroups(SEARCH, role2, oneGroup, grantor); tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, oneGroup); assertEquals(1, tRoles.size()); for(TSentryRole tRole:tRoles) { tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, tempGroups); assertEquals(3, tRoles.size()); //Should get all roles assertEquals(Sets.newHashSet(role1, role2, role3), sentryStore.getRolesByGroups(SEARCH, tempGroups)); sentryStore.alterRoleDeleteGroups(SEARCH, role1, Sets.newHashSet("g1"), grantor); tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, twoGroups); assertEquals(1, tRoles.size()); for(TSentryRole tRole:tRoles) { sentryStore.alterRoleDeleteGroups(SEARCH, role2, oneGroup, grantor); tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, oneGroup); assertEquals(0, tRoles.size());
.build(); sentryStore.createRole(SEARCH, roleName1, grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.createRole(SEARCH, roleName3, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor); assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null, Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size()); assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1), null).size()); assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), null).size()); assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1,roleName2, roleName3), null).size());
String grantor = "grantor"; sentryStore.createRole(SEARCH, role1, grantor); sentryStore.createRole(SEARCH, role2, grantor); sentryStore.createRole(SEARCH, role3, grantor); sentryStore.alterRoleAddGroups(SEARCH, role1, groups1, grantor); sentryStore.alterRoleAddGroups(SEARCH, role2, groups2, grantor); Set<TSentryRole> tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, Sets.newHashSet(groups1)); assertEquals(2, tRoles.size()); for(TSentryRole tRole:tRoles) { tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, Sets.newHashSet(groups2)); assertEquals(2, tRoles.size()); for(TSentryRole tRole:tRoles) { tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, allGroups); assertEquals(2, tRoles.size()); for(TSentryRole tRole:tRoles) { sentryStore.alterRoleAddGroups(SEARCH, role3, groups1, grantor); tRoles = sentryStore.getTSentryRolesByGroupName(SEARCH, allGroups); assertEquals(3, tRoles.size()); for(TSentryRole tRole:tRoles) {
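/**
 * Releases the shared store and removes the files the test class left on disk.
 *
 * <p>The deletions run in a {@code finally} block so that a failure while closing
 * the store cannot leave the data directory or the policy file behind; the
 * exception from {@code close()} still propagates afterwards.
 */
@AfterClass
public static void teardown() {
  try {
    if (sentryStore != null) {
      sentryStore.close();
    }
  } finally {
    // deleteQuietly reports failure through its return value instead of throwing,
    // so one failed deletion does not prevent the other.
    if (dataDir != null) {
      FileUtils.deleteQuietly(dataDir);
    }
    if (policyFilePath != null) {
      FileUtils.deleteQuietly(policyFilePath);
    }
  }
}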
/**
 * Attaching groups to a role that was never created must fail with
 * {@code SentryNoSuchObjectException} rather than silently creating the mapping.
 */
@Test(expected = SentryNoSuchObjectException.class)
public void testAddGroupsNonExistantRole() throws Exception {
  String grantor = "grantor";
  String missingRole = "non-existant-role";

  // No createRole call precedes this on purpose.
  sentryStore.alterRoleAddGroups(SEARCH, missingRole, Sets.newHashSet("g1"), grantor);
}
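/**
 * Creating a role under a name that is already taken must be rejected.
 *
 * <p>Only the second {@code createRole} call is allowed to throw. With a
 * method-wide {@code expected = Exception.class} the test would also pass when the
 * first call failed for an unrelated reason (for example a broken store), which
 * would hide the fact that duplicate detection was never exercised.
 */
@Test
public void testCreateDuplicateRole() throws Exception {
  String roleName = "test-dup-role";
  String grantor = "grantor";

  // Must succeed; an exception here is a real failure and is left to propagate.
  sentryStore.createRole(SEARCH, roleName, grantor);

  boolean duplicateRejected = false;
  try {
    sentryStore.createRole(SEARCH, roleName, grantor);
  } catch (Exception expected) {
    // Kept as broad as the original expectation: the concrete exception type the
    // store uses for duplicates is not visible from this method.
    duplicateRejected = true;
  }

  if (!duplicateRejected) {
    throw new AssertionError("duplicate role '" + roleName + "' was accepted by the store");
  }
}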
/**
 * Dropping a role that does not exist must fail with
 * {@code SentryNoSuchObjectException}.
 */
@Test(expected = SentryNoSuchObjectException.class)
public void testDropNotExistRole() throws Exception {
  String grantor = "grantor";
  String missingRole = "not-exist";

  sentryStore.dropRole(SEARCH, missingRole, grantor);
}
/**
 * Detaching groups from a role that was never created must fail with
 * {@code SentryNoSuchObjectException}.
 */
@Test(expected = SentryNoSuchObjectException.class)
public void testDeleteGroupsNonExistantRole() throws Exception {
  String grantor = "grantor";
  String missingRole = "non-existant-role";

  // No createRole call precedes this on purpose.
  sentryStore.alterRoleDeleteGroups(SEARCH, missingRole, Sets.newHashSet("g1"), grantor);
}
sentryStore.createRole(SEARCH, roleName1, grantor); .build(); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, ADMIN_USER); assertEquals(Sets.newHashSet(queryPrivilege), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1))); sentryStore.alterRoleAddGroups(SEARCH, roleName1, Sets.newHashSet(GRANT_OPTION_GROUP), grantor); sentryStore.createRole(SEARCH, roleName2, grantor); sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER); assertEquals(Sets.newHashSet(queryPrivilege), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2))); sentryStore.alterRoleRevokePrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER); assertEquals(Sets.newHashSet(), sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));