sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From linaataus...@apache.org
Subject sentry git commit: SENTRY-2429: Transfer database owner drops table owner
Date Fri, 19 Oct 2018 04:34:36 GMT
Repository: sentry
Updated Branches:
  refs/heads/master 542e984ba -> 985b70887


SENTRY-2429: Transfer database owner drops table owner


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/985b7088
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/985b7088
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/985b7088

Branch: refs/heads/master
Commit: 985b7088742906b266f0c1af393916e1d58ddd0e
Parents: 542e984
Author: lina.li <lina.li@cloudera.com>
Authored: Thu Oct 18 15:18:00 2018 -0500
Committer: lina.li <lina.li@cloudera.com>
Committed: Thu Oct 18 23:33:16 2018 -0500

----------------------------------------------------------------------
 .../db/service/persistent/SentryStore.java      |  32 ++++-
 .../e2e/dbprovider/TestOwnerPrivileges.java     | 141 +++++++++++++++++++
 2 files changed, 172 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/985b7088/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 29f83a8..b387a22 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -1492,6 +1492,13 @@ public class SentryStore implements SentryStoreInterface {
     removeStaledPrivileges(pm, privilegesCopy);
   }
 
+  /**
+   * Return the privileges on the authorizable object specified in tPriv, and including
+   * privileges on the child authorizable objects.
+   * @param tPriv the privilege that specifies the authorizable object to find its privileges
+   * @param pm persistant manager
+   * @return  the privileges on the authorizable object specified in tPriv
+   */
   @SuppressWarnings("unchecked")
   private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager
pm) {
     Query query = pm.newQuery(MSentryPrivilege.class);
@@ -1522,6 +1529,29 @@ public class SentryStore implements SentryStoreInterface {
     return (List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments());
   }
 
+  /**
+   * Return the privileges on the authorizable object specified in tPriv, and not including
+   * privileges on the child authorizable objects.
+   * @param tPriv the privilege that specifies the authorizable object to find its privileges
+   * @param pm persistant manager
+   * @return  the privileges on the authorizable object specified in tPriv
+   */
+  @SuppressWarnings("unchecked")
+  private List<MSentryPrivilege> getMSentryPrivilegesExactMatch(TSentryPrivilege tPriv,
PersistenceManager pm) {
+    Query query = pm.newQuery(MSentryPrivilege.class);
+    QueryParamBuilder paramBuilder = QueryParamBuilder.newQueryParamBuilder();
+    paramBuilder
+        .add(SERVER_NAME, tPriv.getServerName())
+        .add("action", tPriv.getAction())
+        .add(DB_NAME, tPriv.getDbName())
+        .add(TABLE_NAME, tPriv.getTableName())
+        .add(COLUMN_NAME, tPriv.getColumnName())
+        .add(URI, tPriv.getURI(), true);
+
+    query.setFilter(paramBuilder.toString());
+    return (List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments());
+  }
+
   private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager
pm) {
     Boolean grantOption = null;
     if (tPriv.getGrantOption().equals(TSentryGrantOption.TRUE)) {
@@ -2854,7 +2884,7 @@ public class SentryStore implements SentryStoreInterface {
     tOwnerPrivilege.setAction(AccessConstants.OWNER);
 
     // Finding owner privileges and removing them.
-    List<MSentryPrivilege> mOwnerPrivileges = getMSentryPrivileges(tOwnerPrivilege,
pm);
+    List<MSentryPrivilege> mOwnerPrivileges = getMSentryPrivilegesExactMatch(tOwnerPrivilege,
pm);
     for(MSentryPrivilege mOwnerPriv : mOwnerPrivileges) {
       Set<MSentryUser> users;
       users = mOwnerPriv.getUsers();

http://git-wip-us.apache.org/repos/asf/sentry/blob/985b7088/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
index 880fa94..d3294f4 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
@@ -363,6 +363,147 @@ public class TestOwnerPrivileges extends TestHDFSIntegrationBase {
     }
   }
 
+  /**
+   * Verify that if the same user is owner of both DB and table, after alter DB's owner,
+   * the table owner is still that user
+   *
+   * @throws Exception
+   */
+  @Ignore("Enable the test once HIVE-18031 is in the hiver version integrated with Sentry")
+  @Test
+  public void testAlterDBNotDropTableOwnerSameOwner() throws Exception {
+    String allWithGrantRole = "allWithGrant_role";
+    String ownerRole = "owner_role";
+    dbNames = new String[]{DB1};
+    roles = new String[]{"admin_role", "create_db1", "owner_role"};
+
+    // create required roles
+    setupUserRoles(roles, statementAdmin);
+
+    // remove test DB if it exists
+    statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
+
+    // setup privileges for USER1
+    statementAdmin.execute("GRANT CREATE ON SERVER server1 TO ROLE create_db1");
+
+    // USER1 creates test DB
+    Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1);
+    Statement statementUSER1_1 = connectionUSER1_1.createStatement();
+    statementUSER1_1.execute("CREATE DATABASE " + DB1);
+    statementUSER1_1.execute("USE " + DB1);
+
+    // USER1 create table
+    statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1
+        + " (under_col int comment 'the under column')");
+
+    // verify privileges created for new database
+    verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER,
Lists.newArrayList(USER1_1),
+        DB1, "", 1);
+
+    // verify privileges created for new table
+    verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER,
Lists.newArrayList(USER1_1),
+        DB1, tableName1, 1);
+
+    // change db owner
+    // setup all privilege for USERGROUP2
+    statementAdmin.execute("create role " + allWithGrantRole);
+    statementAdmin.execute("grant role " + allWithGrantRole + " to group " + USERGROUP2);
+    statementAdmin.execute("GRANT ALL ON DATABASE " + DB1 + " to role " +
+        allWithGrantRole + " with grant option");
+    Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1);
+    Statement statementUSER2_1 = connectionUSER2_1.createStatement();
+    statementUSER2_1.execute("ALTER DATABASE " + DB1 + " SET OWNER ROLE " + "owner_role");
+
+    // Verify that new owner has owner privilege on DB
+    verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE,
+        Lists.newArrayList(ownerRole), DB1, "", 1);
+
+    // Verify table still has its owner
+    verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER,
Lists.newArrayList(USER1_1),
+        DB1, tableName1, 1);
+
+    statementAdmin.execute("DROP ROLE " + allWithGrantRole);
+
+    statementAdmin.close();
+    connection.close();
+
+    statementUSER1_1.close();
+    connectionUSER1_1.close();
+
+    statementUSER2_1.close();
+    connectionUSER2_1.close();
+  }
+
+  /**
+   * Verify that if owner of DB is different from owner of its table, after alter DB's owner,
+   * the table owner still exists
+   *
+   * @throws Exception
+   */
+  @Ignore("Enable the test once HIVE-18031 is in the hiver version integrated with Sentry")
+  @Test
+  public void testAlterDBNotDropTableOwnerDifferentOwner() throws Exception {
+    String allWithGrantRole = "allWithGrant_role";
+    String ownerRole = "owner_role";
+    dbNames = new String[]{DB1};
+    roles = new String[]{"admin_role", "create_db1", "owner_role"};
+
+    // create required roles
+    setupUserRoles(roles, statementAdmin);
+
+    // remove test DB if it exists, then create the DB, so its owner is admin
+    statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
+    statementAdmin.execute("CREATE DATABASE " + DB1);
+
+    // setup privileges for USER1
+    statementAdmin.execute("GRANT CREATE ON SERVER server1 TO ROLE create_db1");
+    Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1);
+    Statement statementUSER1_1 = connectionUSER1_1.createStatement();
+    statementUSER1_1.execute("USE " + DB1);
+
+    // USER1 create table and becomes owner of that table
+    statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1
+        + " (under_col int comment 'the under column')");
+
+    // verify privileges created for new database
+    verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.USER,
Lists.newArrayList(admin),
+        DB1, "", 1);
+
+    // verify privileges created for new table
+    verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER,
Lists.newArrayList(USER1_1),
+        DB1, tableName1, 1);
+
+    // change db owner
+    // setup all privilege for USERGROUP2
+    statementAdmin.execute("create role " + allWithGrantRole);
+    statementAdmin.execute("grant role " + allWithGrantRole + " to group " + USERGROUP2);
+    statementAdmin.execute("GRANT ALL ON DATABASE " + DB1 + " to role " +
+        allWithGrantRole + " with grant option");
+    Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1);
+    Statement statementUSER2_1 = connectionUSER2_1.createStatement();
+    statementUSER2_1.execute("ALTER DATABASE " + DB1 + " SET OWNER ROLE " + "owner_role");
+
+    // Verify that new owner has owner privilege on DB
+    verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE,
+        Lists.newArrayList(ownerRole), DB1, "", 1);
+
+    // Verify table still has its owner
+    verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER,
Lists.newArrayList(USER1_1),
+        DB1, tableName1, 1);
+
+    statementAdmin.execute("DROP ROLE " + allWithGrantRole);
+
+    statementAdmin.close();
+    connection.close();
+
+    statementUSER1_1.close();
+    connectionUSER1_1.close();
+
+    statementUSER2_1.close();
+    connectionUSER2_1.close();
+  }
+
+
 
   /**
    * Verify that the user who creases table has owner privilege on this table and


Mime
View raw message