/**
 * Admin happy path: every mutating store call is stubbed to succeed with
 * its own CommitContext sequence number, then the shared driver is run as
 * ADMIN_USER and is expected to report Status.OK.
 *
 * alterRoleGrantPrivilege / alterRoleRevokePrivilege are deliberately not
 * stubbed here; they are exercised by testGrantAndRevokePrivilege.
 */
@Test
public void testAdminOperation() throws Exception {
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID))
      .when(mockStore).createRole(anyString(), anyString(), anyString());
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 1))
      .when(mockStore).dropRole(anyString(), anyString(), anyString());
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 2))
      .when(mockStore).alterRoleAddGroups(anyString(), anyString(), anySetOf(String.class), anyString());
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 3))
      .when(mockStore).alterRoleDeleteGroups(anyString(), anyString(), anySetOf(String.class), anyString());
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 4))
      .when(mockStore).dropPrivilege(anyString(), any(PrivilegeObject.class), anyString());
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 5))
      .when(mockStore).renamePrivilege(anyString(), anyString(),
          anyListOf(Authorizable.class), anyListOf(Authorizable.class), anyString());

  testOperation(ADMIN_USER, Status.OK);
}
/**
 * Grants a privilege to a role on behalf of request.getRequestorUserName().
 *
 * Security note: unlike the createRole / dropRole / alterRole*Groups
 * handlers there is no processor-level authorize() call here. The only
 * checks visible in this handler are the client-version check and whatever
 * store.alterRoleGrantPrivilege enforces for the grantor (the unit tests
 * stub it to throw SentryGrantDeniedException, which suggests the
 * grant-option check lives in the store). NOTE(review): confirm the store
 * really validates the grantor before treating this endpoint as safe for
 * non-admin callers. The requestor name is read from the request body;
 * whether it is bound to the authenticated transport principal is not
 * visible here.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String component = request.getComponent();
  String roleName = request.getRoleName();
  PrivilegeObject privilege = toPrivilegeObject(request.getPrivilege());
  String grantor = request.getRequestorUserName();
  store.alterRoleGrantPrivilege(component, roleName, privilege, grantor);
  return new Response<Void>(Status.OK());
}
});
/**
 * Revokes a privilege from a role on behalf of request.getRequestorUserName().
 *
 * Security note: as with the grant handler, no processor-level authorize()
 * is performed; the grantor check is expected to be done inside
 * store.alterRoleRevokePrivilege (the tests stub it to throw
 * SentryGrantDeniedException). NOTE(review): confirm that the store rejects
 * a revoker who lacks the grant option on the privilege being revoked.
 * The requestor name comes from the request body, not from the transport.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String component = request.getComponent();
  String roleName = request.getRoleName();
  PrivilegeObject privilege = toPrivilegeObject(request.getPrivilege());
  String revoker = request.getRequestorUserName();
  store.alterRoleRevokePrivilege(component, roleName, privilege, revoker);
  return new Response<Void>(Status.OK());
}
});
/**
 * Lists the privileges of one role, optionally narrowed by authorizables.
 *
 * Authorization: a requestor whose resolved groups pass inAdminGroups() may
 * query any role; anyone else may only query a role that is granted to one
 * of their own groups. Groups are resolved server-side from the requestor
 * name via getRequestorGroups(conf, ...); the requestor name itself is read
 * from the request body.
 *
 * NOTE(review): the ownership check compares role names trimmed and
 * lower-cased, but the store query below receives request.getRoleName()
 * unmodified — this assumes the store normalizes identically; confirm.
 */
@Override
public Response<Set<TSentryPrivilege>> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  Set<String> requestorGroups = getRequestorGroups(conf, requestor);
  if (!inAdminGroups(requestorGroups)) {
    // Non-admin: the role must be reachable through one of the requestor's groups.
    Set<String> reachableRoles =
        toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestorGroups));
    boolean ownsRole = reachableRoles.contains(toTrimmedLower(request.getRoleName()));
    if (!ownsRole) {
      throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestor);
    }
  }
  Set<String> roles = Sets.newHashSet(request.getRoleName());
  // Group filter is intentionally null: the lookup is by role only.
  Set<PrivilegeObject> found = store.getPrivilegesByProvider(
      request.getComponent(), request.getServiceName(), roles, null,
      toAuthorizables(request.getAuthorizables()));
  Set<TSentryPrivilege> converted = Sets.newHashSet();
  for (PrivilegeObject p : found) {
    converted.add(fromPrivilegeObject(p));
  }
  return new Response<Set<TSentryPrivilege>>(Status.OK(), converted);
}
});
@Test public void testOperationWithException() throws Exception { String roleName = anyString(); Mockito.when(mockStore.createRole(anyString(), roleName, anyString())) .thenThrow(new SentryAlreadyExistsException("Role: " + roleName)); Mockito.when(mockStore.dropRole(anyString(), roleName, anyString())) .thenThrow(new SentryNoSuchObjectException("Role: " + roleName )); Mockito.when(mockStore.alterRoleAddGroups(anyString(), roleName, anySetOf(String.class),anyString())) .thenThrow(new SentryNoSuchObjectException("Role: " + roleName)); Mockito.when(mockStore.alterRoleDeleteGroups(anyString(), roleName, anySetOf(String.class), anyString())) .thenThrow(new SentryNoSuchObjectException("Role: " + roleName)); Mockito.when(mockStore.alterRoleGrantPrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString())) .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant")); Mockito.when(mockStore.alterRoleRevokePrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString())) .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant")); Mockito.when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString())) .thenThrow(new SentryInvalidInputException("Invalid input privilege object")); Mockito.when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class), anyListOf(Authorizable.class), anyString())) .thenThrow(new RuntimeException("Unknown error"));
mSentryGMPrivilege.setRoles(Sets.newHashSet(role)); Mockito.when(mockStore.getRolesByGroups(anyString(), anySetOf(String.class))) .thenReturn(Sets.newHashSet(roleName)); Mockito.when(mockStore.getPrivilegesByProvider(anyString(), anyString(), anySetOf(String.class), anySetOf(String.class), anyListOf(Authorizable.class))) .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege)); Mockito.when(mockStore.getGroupsByRoles(anyString(), anySetOf(String.class))) .thenReturn(Sets.newHashSet(groupName)); Mockito.when(mockStore.getPrivilegesByAuthorizable(anyString(), anyString(), anySetOf(String.class), anyListOf(Authorizable.class))) .thenReturn(Sets.newHashSet(mSentryGMPrivilege)); Mockito.when(mockStore.getAllRoleNames()) .thenReturn(Sets.newHashSet(roleName));
Set<String> grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); Set<String> requestedRoles = toTrimmedLower(store.getAllRoleNames()); if (requestedGroups != null && !requestedGroups.isEmpty()) { requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); Set<MSentryGMPrivilege> sentryPrivileges = store.getPrivilegesByAuthorizable(request.getComponent(), request.getServiceName(), validActiveRoles, authorizables); authRoleMap.put(fromAuthorizableToStr(authorizables), toTSentryPrivilegeMap(sentryPrivileges));
.build(); sentryStore.createRole(component, roleName, grantor); sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilege, grantor); sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); .build(); sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithOption, grantor); sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); .build(); sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithNoOption, grantor); sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
/**
 * Grant then revoke a privilege as ADMIN_USER against a store stubbed to
 * accept both; each processor call must come back as Status.OK after
 * mapping through fromTSentryStatus.
 *
 * Only requestor, role and privilege are populated on the requests (no
 * component or service); the store matchers are anyString()/any(), so the
 * stubs do not depend on those fields.
 */
@Test
public void testGrantAndRevokePrivilege() throws Exception {
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 6))
      .when(mockStore).alterRoleGrantPrivilege(anyString(), anyString(), any(PrivilegeObject.class), anyString());
  Mockito.doReturn(new CommitContext(SERVER_UUID, SEQ_ID + 7))
      .when(mockStore).alterRoleRevokePrivilege(anyString(), anyString(), any(PrivilegeObject.class), anyString());
  setup();

  TSentryPrivilege privilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
  privilege.setGrantOption(TSentryGrantOption.UNSET);

  TAlterSentryRoleGrantPrivilegeRequest grant = new TAlterSentryRoleGrantPrivilegeRequest();
  grant.setRequestorUserName(ADMIN_USER);
  grant.setRoleName("r1");
  grant.setPrivilege(privilege);
  assertEquals(Status.OK,
      fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grant).getStatus()));

  TAlterSentryRoleRevokePrivilegeRequest revoke = new TAlterSentryRoleRevokePrivilegeRequest();
  revoke.setRequestorUserName(ADMIN_USER);
  revoke.setRoleName("r1");
  revoke.setPrivilege(privilege);
  assertEquals(Status.OK,
      fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revoke).getStatus()));
}
/**
 * Creates a role. authorize(requestor, groups) runs before the store is
 * touched; authorize() is defined elsewhere and, judging by the
 * inAdminGroups() check in the sibling read handler, presumably restricts
 * this to admin groups — confirm. The requestor name is read from the
 * request body. The store's CommitContext is discarded; the response is a
 * bare Status.OK.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  authorize(requestor, getRequestorGroups(conf, requestor));
  store.createRole(request.getComponent(), request.getRoleName(), requestor);
  return new Response<Void>(Status.OK());
}
});
/**
 * Adds the request's groups to a role. Gated by authorize(requestor, groups)
 * before the store call; the requestor name comes from the request body and
 * its groups are resolved server-side by getRequestorGroups(conf, ...).
 * Returns Status.OK without the store's CommitContext.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  authorize(requestor, getRequestorGroups(conf, requestor));
  store.alterRoleAddGroups(request.getComponent(), request.getRoleName(), request.getGroups(), requestor);
  return new Response<Void>(Status.OK());
}
});
/**
 * Drops a role. authorize(requestor, groups) must pass before the store is
 * called; what authorize() enforces is not visible in this file (presumably
 * an admin-group check — confirm). The requestor name is read from the
 * request body. Returns Status.OK without the store's CommitContext.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  authorize(requestor, getRequestorGroups(conf, requestor));
  store.dropRole(request.getComponent(), request.getRoleName(), requestor);
  return new Response<Void>(Status.OK());
}
});
/**
 * Removes a privilege object from the store. The Thrift privilege is
 * converted with toPrivilegeObject() only after authorize(requestor, groups)
 * has passed, so an unauthorized caller never reaches the conversion or the
 * store. The requestor name is read from the request body. Returns
 * Status.OK without the store's CommitContext.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  authorize(requestor, getRequestorGroups(conf, requestor));
  PrivilegeObject privilege = toPrivilegeObject(request.getPrivilege());
  store.dropPrivilege(request.getComponent(), privilege, requestor);
  return new Response<Void>(Status.OK());
}
});
/**
 * Removes the request's groups from a role. Gated by
 * authorize(requestor, groups) before the store call; the requestor name
 * comes from the request body and its groups are resolved server-side by
 * getRequestorGroups(conf, ...). Returns Status.OK without the store's
 * CommitContext.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  authorize(requestor, getRequestorGroups(conf, requestor));
  store.alterRoleDeleteGroups(request.getComponent(), request.getRoleName(), request.getGroups(), requestor);
  return new Response<Void>(Status.OK());
}
});
@Test public void testOperationWithException() throws Exception { String roleName = anyString(); Mockito.when(mockStore.createRole(anyString(), roleName, anyString())) .thenThrow(new SentryAlreadyExistsException("Role: " + roleName + " already exists")); Mockito.when(mockStore.dropRole(anyString(), roleName, anyString())) .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist")); Mockito.when(mockStore.alterRoleAddGroups(anyString(), roleName, anySetOf(String.class),anyString())) .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist")); Mockito.when(mockStore.alterRoleDeleteGroups(anyString(), roleName, anySetOf(String.class), anyString())) .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist")); Mockito.when(mockStore.alterRoleGrantPrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString())) .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant")); Mockito.when(mockStore.alterRoleRevokePrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString())) .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant")); Mockito.when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString())) .thenThrow(new SentryInvalidInputException("Invalid input privilege object")); Mockito.when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class), anyListOf(Authorizable.class), anyString())) .thenThrow(new RuntimeException("Unknown error"));
mSentryGMPrivilege.setRoles(Sets.newHashSet(role)); Mockito.when(mockStore.getRolesByGroups(anyString(), anySetOf(String.class))) .thenReturn(Sets.newHashSet(roleName)); Mockito.when(mockStore.getPrivilegesByProvider(anyString(), anyString(), anySetOf(String.class), anySetOf(String.class), anyListOf(Authorizable.class))) .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege)); Mockito.when(mockStore.getGroupsByRoles(anyString(), anySetOf(String.class))) .thenReturn(Sets.newHashSet(groupName)); TSentryRole tSentryRole = new TSentryRole(roleName, Sets.newHashSet(groupName)); mockTRoles.add(tSentryRole); Mockito.when(mockStore.getTSentryRolesByGroupName(anyString(), anySetOf(String.class))) .thenReturn(mockTRoles); Mockito.when(mockStore.getPrivilegesByAuthorizable(anyString(), anyString(), anySetOf(String.class), anyListOf(Authorizable.class))) .thenReturn(Sets.newHashSet(mSentryGMPrivilege)); Mockito.when(mockStore.getAllRoleNames()) .thenReturn(Sets.newHashSet(roleName));
Set<String> grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); Set<String> activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); Set<String> allRoles = toTrimmedLower(store.getAllRoleNames()); Set<String> activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); validActiveRoles.addAll(activeRoleSet.isAll() ? allRoles : Sets.intersection(activeRoleNames, allRoles)); } else { Set<String> requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); validActiveRoles.addAll(activeRoleSet.isAll() ? allRoles : Sets.intersection(activeRoleNames, requestedRoles)); Set<MSentryGMPrivilege> sentryPrivileges = store.getPrivilegesByAuthorizable(request.getComponent(), request.getServiceName(), validActiveRoles, authorizables); authRoleMap.put(fromAuthorizableToStr(authorizables), toTSentryPrivilegeMap(sentryPrivileges));
/**
 * Lists the privileges of one role, optionally narrowed by authorizables.
 *
 * Authorization: a requestor whose resolved groups pass inAdminGroups() may
 * query any role; anyone else may only query a role that is granted to one
 * of their own groups. Groups are resolved server-side from the requestor
 * name via getRequestorGroups(conf, ...); the requestor name itself is read
 * from the request body.
 *
 * NOTE(review): the ownership check compares role names trimmed and
 * lower-cased, but the store query below receives request.getRoleName()
 * unmodified — this assumes the store normalizes identically; confirm.
 */
@Override
public Response<Set<TSentryPrivilege>> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  Set<String> requestorGroups = getRequestorGroups(conf, requestor);
  if (!inAdminGroups(requestorGroups)) {
    // Non-admin: the role must be reachable through one of the requestor's groups.
    Set<String> reachableRoles =
        toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestorGroups));
    boolean ownsRole = reachableRoles.contains(toTrimmedLower(request.getRoleName()));
    if (!ownsRole) {
      throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestor);
    }
  }
  Set<String> roles = Sets.newHashSet(request.getRoleName());
  // Group filter is intentionally null: the lookup is by role only.
  Set<PrivilegeObject> found = store.getPrivilegesByProvider(
      request.getComponent(), request.getServiceName(), roles, null,
      toAuthorizables(request.getAuthorizables()));
  Set<TSentryPrivilege> converted = Sets.newHashSet();
  for (PrivilegeObject p : found) {
    converted.add(fromPrivilegeObject(p));
  }
  return new Response<Set<TSentryPrivilege>>(Status.OK(), converted);
}
});
.build(); sentryStore.createRole(component, roleName, grantor); sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilege, grantor); sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); .build(); sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithOption, grantor); sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName))); .build(); sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithNoOption, grantor); sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
/**
 * Creates a role and returns the store's CommitContext alongside Status.OK
 * (the other createRole handler variant in this corpus drops the context).
 * authorize(requestor, groups) runs before the store is touched; what it
 * enforces is defined elsewhere (presumably an admin-group check — confirm).
 * The requestor name is read from the request body.
 */
@Override
public Response<Void> handle() throws Exception {
  validateClientVersion(request.getProtocol_version());
  String requestor = request.getRequestorUserName();
  authorize(requestor, getRequestorGroups(conf, requestor));
  CommitContext commit = store.createRole(request.getComponent(), request.getRoleName(), requestor);
  return new Response<Void>(Status.OK(), commit);
}
});