org.apache.sqoop.model.MPrivilege Java Examples

The following examples show how to use org.apache.sqoop.model.MPrivilege. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: GrantPrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
private Status grantPrivilege(String action, String resourceType, String resource,
                              String principalType, String principal, boolean withGrant)
  throws IOException {
  MResource resourceObject = new MResource(resource, resourceType);
  MPrivilege privilegeObject = new MPrivilege(resourceObject, action, withGrant);
  MPrincipal principalObject = new MPrincipal(principal, principalType);

  client.grantPrivilege(
    Arrays.asList(principalObject),
    Arrays.asList(privilegeObject));

  if (resourceType.toUpperCase().equals(MResource.TYPE.CONNECTOR.name())) {
    client.clearCache();
  }

  printlnResource(Constants.RES_GRANT_PRIVILEGE_SUCCESSFUL,
    action, resourceType + " " + resource,
    ((withGrant) ? " " + resourceString(Constants.RES_GRANT_PRIVILEGE_SUCCESSFUL_WITH_GRANT) : ""),
    principalType + " " + principal);

  return Status.OK;
}
 
Example #2
Source File: SentryAuthorizationValidator.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
  if (privileges == null || privileges.isEmpty()) {
    return;
  }
  PrincipalDesc principalDesc = new PrincipalDesc(principal.getName(), principal.getType());
  if (principalDesc.getType() != PrincipalType.USER) {
    throw new SqoopException(SecurityError.AUTH_0014,SentrySqoopError.AUTHORIZE_CHECK_NOT_SUPPORT_FOR_PRINCIPAL);
  }
  for (MPrivilege privilege : privileges) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Going to authorize check on privilege : " + privilege +
          " for principal: " + principal);
    }
    if (!binding.authorize(new Subject(principalDesc.getName()), privilege)) {
      throw new SqoopException(SecurityError.AUTH_0014, "User " + principalDesc.getName() +
          " does not have privileges for : " + privilege.toString());
    }
  }
}
 
Example #3
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * construct a Sentry privilege to call by the thrift API
 * @param privilege
 * @return {@link TSentryPrivilege}
 */
private TSentryPrivilege toTSentryPrivilege(MPrivilege privilege) {
  TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
  tSentryPrivilege.setComponent(COMPONENT_TYPE);
  tSentryPrivilege.setServiceName(sqoopServer.getName());
  tSentryPrivilege.setAction(privilege.getAction().equalsIgnoreCase(
      SqoopActionConstant.ALL_NAME) ? SqoopActionConstant.ALL : privilege
      .getAction());
  if (privilege.isWith_grant_option()) {
    tSentryPrivilege.setGrantOption(TSentryGrantOption.TRUE);
  } else {
    tSentryPrivilege.setGrantOption(TSentryGrantOption.FALSE);
  }
  tSentryPrivilege.setAuthorizables(toTSentryAuthorizable(privilege.getResource()));
  return tSentryPrivilege;
}
 
Example #4
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Test
public void testGrantPrivilege() throws Exception {
  /**
   * user1 belongs to group group1
   * admin user grant role role1 to group group1
   * admin user grant read privilege on connector all to role role1
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role1 = new MRole(ROLE1);
  MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.createRole(role1);
  client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
  client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));

  // check user1 has privilege on role1
  client = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);
}
 
Example #5
Source File: RangerSqoopAuthorizer.java    From ranger with Apache License 2.0 6 votes vote down vote up
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges()");
	}

	try {
		activatePluginClassLoader();

		authorizationValidator.checkPrivileges(principal, privileges);
	} finally {
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges()");
	}
}
 
Example #6
Source File: SentryAccessController.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Override
public void grantPrivileges(List<MPrincipal> principals, List<MPrivilege> privileges)
    throws SqoopException {
  for (MPrincipal principal : principals) {
    PrincipalDesc principalDesc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
    if (principalDesc.getType() != PrincipalType.ROLE) {
      throw new SqoopException(SecurityError.AUTH_0014,
          SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL
              + principalDesc.getType().name());
    }

    for (MPrivilege privilege : privileges) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Going to grant privilege : " + privilege +
            " to principal: " + principal);
      }
      binding.grantPrivilege(getSubject(), principal.getName(), privilege);
    }
  }
}
 
Example #7
Source File: SentryAccessController.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Override
public void revokePrivileges(List<MPrincipal> principals, List<MPrivilege> privileges)
    throws SqoopException {
  for (MPrincipal principal : principals) {
    PrincipalDesc principalDesc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
    if (principalDesc.getType() != PrincipalType.ROLE) {
      throw new SqoopException(SecurityError.AUTH_0014,
          SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL
              + principalDesc.getType().name());
    }

    for (MPrivilege privilege : privileges) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Going to revoke privilege : " + privilege +
            " from principal: " + principal);
      }
      binding.revokePrivilege(getSubject(), principal.getName(), privilege);
    }
  }
}
 
Example #8
Source File: RangerSqoopAuthorizer.java    From ranger with Apache License 2.0 6 votes vote down vote up
public RangerSqoopAccessRequest(MPrincipal principal, MPrivilege privilege,String clientIPAddress) {
	super.setResource(new RangerSqoopResource(privilege.getResource()));
	if (MPrincipal.TYPE.USER.name().equals(principal.getType())) {
		super.setUser(principal.getName());
	}
	if (MPrincipal.TYPE.GROUP.name().equals(principal.getType())) {
		super.setUserGroups(Sets.newHashSet(principal.getName()));
	}

	String action = privilege.getAction();
	super.setAccessType(action);
	super.setAction(action);

	super.setAccessTime(new Date());
	super.setClientIPAddress(clientIPAddress);
}
 
Example #9
Source File: ShowPrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
private void showPrivileges(MPrincipal principal, MResource resource) {
  List<MPrivilege> privileges = client.getPrivilegesByPrincipal(principal, resource);

  List<String> header = new LinkedList<String>();
  header.add(resourceString(Constants.RES_TABLE_HEADER_PRIVILEGE_ACTION));
  header.add(resourceString(Constants.RES_TABLE_HEADER_RESOURCE_NAME));
  header.add(resourceString(Constants.RES_TABLE_HEADER_RESOURCE_TYPE));
  header.add(resourceString(Constants.RES_TABLE_HEADER_PRIVILEGE_WITH_GRANT));

  List<String> actions = new LinkedList<String>();
  List<String> resourceNames = new LinkedList<String>();
  List<String> resourceTypes = new LinkedList<String>();
  List<String> withGrant = new LinkedList<String>();

  for (MPrivilege privilege : privileges) {
    actions.add(privilege.getAction());
    resourceNames.add(privilege.getResource().getName());
    resourceTypes.add(privilege.getResource().getType());
    withGrant.add(Boolean.toString(privilege.isWith_grant_option()));
  }

  TableDisplayer.display(header, actions, resourceNames, resourceTypes, withGrant);
}
 
Example #10
Source File: RevokePrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
private Status revokePrivilege(String action, String resourceType, String resource,
                               String principalType, String principal, boolean withGrant)
  throws IOException {
  MResource resourceObject = new MResource(resource, resourceType);
  MPrivilege privilegeObject = new MPrivilege(resourceObject, action, withGrant);
  MPrincipal principalObject = new MPrincipal(principal, principalType);

  client.revokePrivilege(
    Arrays.asList(principalObject),
    Arrays.asList(privilegeObject));

  if (resourceType.toUpperCase().equals(MResource.TYPE.CONNECTOR.name())) {
    client.clearCache();
  }

  printlnResource(Constants.RES_REVOKE_PRIVILEGE_SUCCESSFUL,
    action, resourceType + " " + resource,
    ((withGrant) ? " " + resourceString(Constants.RES_REVOKE_PRIVILEGE_SUCCESSFUL_WITH_GRANT) : ""),
    principalType + " " + principal);

  return Status.OK;
}
 
Example #11
Source File: AuthorizationResourceRequest.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
public void grantRevokePrivilege(String serverUrl, List<MPrincipal> principals, List<MPrivilege> privileges, boolean isGrant) {
  PrincipalsBean principalsBean = new PrincipalsBean(principals);
  // Extract all config inputs including sensitive inputs
  JSONObject jsonObject = new JSONObject();
  jsonObject.putAll(principalsBean.extract(false));

  if (privileges != null && privileges.size() != 0) {
    PrivilegesBean privilegesBean = new PrivilegesBean(privileges);
    jsonObject.putAll(privilegesBean.extract(false));
  }

  if (isGrant) {
    super.put(serverUrl + RESOURCE + PRIVILEGES + GRANT, jsonObject.toJSONString());
  } else {
    super.put(serverUrl + RESOURCE + PRIVILEGES + REVOKE, jsonObject.toJSONString());
  }
}
 
Example #12
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
public List<MPrivilege> listPrivilegeByRole(final Subject subject, final String role, final MResource resource) throws SqoopException {
  Set<TSentryPrivilege> tSentryPrivileges = execute(new Command<Set<TSentryPrivilege>>() {
    @Override
    public Set<TSentryPrivilege> run(SentryGenericServiceClient client)
        throws Exception {
      if (resource == null) {
        return client.listPrivilegesByRoleName(subject.getName(), role, COMPONENT_TYPE, sqoopServer.getName());
      } else if (resource.getType().equalsIgnoreCase(MResource.TYPE.SERVER.name())) {
        return client.listPrivilegesByRoleName(subject.getName(), role, COMPONENT_TYPE, resource.getName());
      } else {
        return client.listPrivilegesByRoleName(subject.getName(), role, COMPONENT_TYPE, sqoopServer.getName(), toAuthorizable(resource));
      }
    }
  });

  List<MPrivilege> privileges = Lists.newArrayList();
  for (TSentryPrivilege tSentryPrivilege : tSentryPrivileges) {
    privileges.add(toSqoopPrivilege(tSentryPrivilege));
  }
  return privileges;
}
 
Example #13
Source File: TestConnectorEndToEnd.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Test
public void testShowAllConnector() throws Exception {
  // USER3 at firstly has no privilege on any Sqoop resource
  SqoopClient client = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(client.getConnectors().size() == 0);
  /**
   * ADMIN_USER grant read action privilege on connector all to role ROLE3
   * ADMIN_USER grant role ROLE3 to group GROUP3
   */
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role3 = new MRole(ROLE3);
  MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  client.createRole(role3);
  client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
  client.grantPrivilege(Lists.newArrayList(new MPrincipal(role3.getName(), MPrincipal.TYPE.ROLE)),
      Lists.newArrayList(readPriv));

  // check USER3 has the read privilege on all connector
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(client.getConnectors().size() > 0);
}
 
Example #14
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testGrantPrivilegeTwice() throws Exception {
  /**
   * user2 belongs to group group2
   * admin user grant role role2 to group group2
   * admin user grant write privilege on connector all to role role2
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role2 = new MRole(ROLE2);
  MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
  MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
  client.createRole(role2);
  client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
  client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));

  // check user2 has one privilege on role2
  client = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1);

  // grant privilege to role role2 again
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));

  // check user2 has only one privilege on role2
  client = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1);
}
 
Example #15
Source File: RangerSqoopAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges( principal=" + principal + ", privileges="
				+ privileges + ")");
	}

	if (CollectionUtils.isEmpty(privileges)) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() return because privileges is empty.");
		}
		return;
	}

	RangerSqoopPlugin plugin = sqoopPlugin;

	if (plugin != null) {
		for (MPrivilege privilege : privileges) {
			RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clientIPAddress);

			RangerAccessResult result = plugin.isAccessAllowed(request);
			if (result != null && !result.getIsAllowed()) {
				throw new SqoopException(SecurityError.AUTH_0014, "principal=" + principal
						+ " does not have privileges for : " + privilege);
			}
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() success without exception.");
	}
}
 
Example #16
Source File: PrivilegeBean.java    From sqoop-on-spark with Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
private JSONObject extractPrivilege(MPrivilege privilege) {
  JSONObject object = new JSONObject();
  object.put(RESOURCE_NAME, privilege.getResource().getName());
  object.put(RESOURCE_TYPE, privilege.getResource().getType());
  object.put(ACTION, privilege.getAction());
  object.put(WITH_GRANT_OPTION, privilege.isWith_grant_option());
  return object;
}
 
Example #17
Source File: PrivilegeBean.java    From sqoop-on-spark with Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
protected JSONArray extractPrivileges() {
  JSONArray privilegesArray = new JSONArray();
  if (privileges != null) {
    for (MPrivilege privilege : privileges) {
      privilegesArray.add(extractPrivilege(privilege));
    }
  }
  return privilegesArray;
}
 
Example #18
Source File: DefaultAuthorizationAccessController.java    From sqoop-on-spark with Apache License 2.0 5 votes vote down vote up
@Override
public void revokePrivileges(List<MPrincipal> principals, List<MPrivilege> privileges) throws SqoopException {
  LOG.debug("Revoke privileges in default authorization access controller: empty function");
  for (MPrincipal principal : principals) {
    LOG.debug("principal: " + principal.toString());
  }
  if (privileges != null) { //Revoke all privileges on principal
    for (MPrivilege privilege : privileges) {
      LOG.debug("privilege: " + privilege.toString());
    }
  }
}
 
Example #19
Source File: SentryAccessController.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Override
public List<MPrivilege> getPrivilegesByPrincipal(MPrincipal principal,
    MResource resource) throws SqoopException {
  /**
   * Sentry Only supports get privilege by role
   */
  PrincipalDesc principalDesc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
  if (principalDesc.getType() != PrincipalType.ROLE) {
    throw new SqoopException(SecurityError.AUTH_0014,
        SentrySqoopError.SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL
            + principalDesc.getType().name());
  }
  return binding.listPrivilegeByRole(getSubject(), principalDesc.getName(), resource);
}
 
Example #20
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportGrantPrivilegeToUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal user1 = new MPrincipal("not_support_grant_user_1", MPrincipal.TYPE.GROUP);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.grantPrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}
 
Example #21
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportGrantPrivilegeToGroup() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal group1 = new MPrincipal("not_support_grant_group_1", MPrincipal.TYPE.GROUP);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.grantPrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}
 
Example #22
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
public void revokePrivilege(final Subject subject, final String role, final MPrivilege privilege) throws SqoopException {
  execute(new Command<Void>() {
    @Override
    public Void run(SentryGenericServiceClient client) throws Exception {
      client.revokePrivilege(subject.getName(), role, COMPONENT_TYPE, toTSentryPrivilege(privilege));
      return null;
    }
  });
}
 
Example #23
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
  /**
   * user3 belongs to group group3
   * admin user grant role role3 to group group3
   * admin user grant all privilege on connector all to role role3
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role3 = new MRole(ROLE3);
  MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
  client.createRole(role3);
  client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
  client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));

  // check user3 has one privilege on role3
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
  // user3 has the all action on role3
  MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);

  /**
   * admin user grant read privilege on connector all to role role3
   * because the role3 has already the all privilege, the read privilege granting has
   * no impact on the role3
   */
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));
  // check user3 has only one privilege on role3
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
  // user3 has the all action on role3
  user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
}
 
Example #24
Source File: TestShowPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testShowPrivileges() throws Exception {
  /**
   * user1 belongs to group group1
   * admin user grant role role1 to group group1
   * admin user grant read privilege on connector all to role role1
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role1 = new MRole(ROLE1);
  MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.createRole(role1);
  client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
  client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPriv));

  // user1 show privilege on role1
  client = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);

  // user2 can't show privilege on role1, because user2 doesn't belong to role1
  client = sqoopServerRunner.getSqoopClient(USER2);
  try {
    client.getPrivilegesByPrincipal(role1Princ, allConnector);
    fail("expected SentryAccessDeniedException happend");
  } catch (Exception e) {
    assertCausedMessage(e, "SentryAccessDeniedException");
  }
}
 
Example #25
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportRevokePrivilegeFromUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal user1 = new MPrincipal("not_support_revoke_user_1", MPrincipal.TYPE.GROUP);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.revokePrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}
 
Example #26
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportRevokePrivilegeFromGroup() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal group1 = new MPrincipal("not_support_revoke_group_1", MPrincipal.TYPE.GROUP);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.revokePrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}
 
Example #27
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokeNotExistPrivilege() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole testRole = new MRole("noexist_privilege_role1");
  MPrincipal testPrinc = new MPrincipal(testRole.getName(), MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.createRole(testRole);
  assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0);

  client.revokePrivilege(Lists.newArrayList(testPrinc), Lists.newArrayList(readPrivilege));
  assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0);
}
 
Example #28
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokePrivilege() throws Exception {
  /**
   * user1 belongs to group group1
   * admin user grant role role1 to group group1
   * admin user grant read privilege on connector all to role role1
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role1 = new MRole(ROLE1);
  MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.createRole(role1);
  client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
  client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));

  // check user1 has privilege on role1
  client = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);

  // admin user revoke read privilege from role1
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  client.revokePrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));

  // check user1 has no privilege on role1
  client = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 0);
}
 
Example #29
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokeAllPrivilege() throws Exception {
  /**
   * user2 belongs to group group2
   * admin user grant role role2 to group group2
   * admin user grant read and write privilege on connector all to role role2
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role2 = new MRole(ROLE2);
  MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
  MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.createRole(role2);
  client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
  client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege, readPrivilege));

  // check user2 has two privileges on role2
  client = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 2);

  // admin user revoke all privilege from role2
  MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  client.revokePrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(allPrivilege));

  // check user2 has no privilege on role2
  client = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 0);
}
 
Example #30
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
  /**
   * user3 belongs to group group3
   * admin user grant role role3 to group group3
   * admin user grant all privilege on connector all to role role3
   */
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role3 = new MRole(ROLE3);
  MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
  client.createRole(role3);
  client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
  client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));

  // check user3 has one privilege on role3
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
  // user3 has the all action on role3
  MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);

  // admin user revoke the read privilege on connector all from role role3
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  client.revokePrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));

  // check user3 has only the write privilege on role3
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
  user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(user3Privilege.getAction().toLowerCase(), SqoopActionConstant.WRITE);
}