sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From linaataus...@apache.org
Subject [sentry] branch master updated: SENTRY-2540: Only use SELECT action for filter SHOW DATABASES and SHOW TABLES command based on configuration (Na Li, reviewed by Kalyan Kumar Kalvagadda)
Date Fri, 20 Dec 2019 22:49:37 GMT
This is an automated email from the ASF dual-hosted git repository.

linaataustin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git


The following commit(s) were added to refs/heads/master by this push:
     new 1a2a1ec  SENTRY-2540: Only use SELECT action for filter SHOW DATABASES and SHOW TABLES
command based on configuration (Na Li, reviewed by Kalyan Kumar Kalvagadda)
1a2a1ec is described below

commit 1a2a1ecb237dc2ef3c1e7d0ad11c36c1c374cd89
Author: lina.li <lina.li@cloudera.com>
AuthorDate: Fri Dec 20 16:48:18 2019 -0600

    SENTRY-2540: Only use SELECT action for filter SHOW DATABASES and SHOW TABLES command
based on configuration (Na Li, reviewed by Kalyan Kumar Kalvagadda)
---
 .../sentry/binding/hive/conf/HiveAuthzConf.java    |  2 +
 .../hive/authz/MetastoreAuthzObjectFilter.java     | 48 +++++++++++++++++--
 .../hive/AbstractTestWithStaticConfiguration.java  |  9 ++++
 .../tests/e2e/hive/TestShowMetadataPrivileges.java | 51 +++++++++++++++++---
 .../TestShowMetadataPrivilegesOnSelectOnly.java    | 54 ++++++++++++++++++++++
 5 files changed, 154 insertions(+), 10 deletions(-)

diff --git a/sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
b/sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
index 90fcfc3..8f45c60 100644
--- a/sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -102,6 +102,8 @@ public class HiveAuthzConf extends Configuration {
                 "org.apache.sentry.binding.hive.SentryIniPolicyFileFormatter"),
         AUTHZ_SERVER_NAME("sentry.hive.server", SENTRY_HIVE_SERVER_DEFAULT),
         AUTHZ_RESTRICT_DEFAULT_DB("sentry.hive.restrict.defaultDB", "false"),
+        SHOWDATABASES_ON_SELECT_ONLY("sentry.showdatabases.select.only", "false"),
+        SHOWTABLES_ON_SELECT_ONLY("sentry.showtables.select.only", "false"),
         SENTRY_TESTING_MODE("sentry.hive.testing.mode", "false"),
         AUTHZ_ALLOW_HIVE_IMPERSONATION("sentry.hive.allow.hive.impersonation", "false"),
         AUTHZ_ONFAILURE_HOOKS("sentry.hive.failure.hooks", ""),
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
index e64d1a5..9f323f4 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.Column;
 import org.apache.sentry.core.model.db.DBModelAction;
@@ -67,6 +68,15 @@ public class MetastoreAuthzObjectFilter<T> {
     .setOperationType(HiveOperationType.QUERY)
     .build();
 
+  private static final HiveAuthzPrivileges LIST_DATABASES_PRIVILEGES_ON_SELECT = new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
+      .addInputObjectPriviledge(
+          AuthorizableType.Column,
+          EnumSet.of(DBModelAction.SELECT))
+      .addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.SELECT))
+      .setOperationScope(HiveOperationScope.CONNECT)
+      .setOperationType(HiveOperationType.QUERY)
+      .build();
+
   private static final HiveAuthzPrivileges LIST_TABLES_PRIVILEGES = new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
     .addInputObjectPriviledge(
       AuthorizableType.Column,
@@ -78,7 +88,18 @@ public class MetastoreAuthzObjectFilter<T> {
       HiveAuthzPrivileges.HiveOperationType.INFO)
     .build();
 
+  private static final HiveAuthzPrivileges LIST_TABLES_PRIVILEGES_ON_SELECT = new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
+      .addInputObjectPriviledge(
+          AuthorizableType.Column,
+          EnumSet.of(DBModelAction.SELECT))
+      .setOperationScope(HiveOperationScope.TABLE)
+      .setOperationType(
+          HiveAuthzPrivileges.HiveOperationType.INFO)
+      .build();
+
   private final boolean DEFAULT_DATABASE_RESTRICTED;
+  private final boolean SHOWDATABASES_ON_SELECT_ONLY;
+  private final boolean SHOWTABLES_ON_SELECT_ONLY;
   private final DBModelAuthorizable AUTH_SERVER;
   private HiveAuthzBinding authzBinding;
   private ObjectExtractor extractor;
@@ -89,6 +110,12 @@ public class MetastoreAuthzObjectFilter<T> {
     this.AUTH_SERVER = authzBinding.getAuthServer();
     this.DEFAULT_DATABASE_RESTRICTED = authzBinding.getAuthzConf()
       .getBoolean(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), false);
+
+    this.SHOWDATABASES_ON_SELECT_ONLY = authzBinding.getAuthzConf()
+        .getBoolean(HiveAuthzConf.AuthzConfVars.SHOWDATABASES_ON_SELECT_ONLY.getVar(), false);
+
+    this.SHOWTABLES_ON_SELECT_ONLY = authzBinding.getAuthzConf()
+        .getBoolean(AuthzConfVars.SHOWTABLES_ON_SELECT_ONLY.getVar(), false);
   }
 
   /**
@@ -103,7 +130,11 @@ public class MetastoreAuthzObjectFilter<T> {
    * Return the required privileges for listing tables in a database
    * @return the required privileges for authorizing listing tables in a database
    */
-  public static HiveAuthzPrivileges getListTablePrivileges() {
+  public HiveAuthzPrivileges getListTablePrivileges() {
+    if (SHOWTABLES_ON_SELECT_ONLY) {
+      return LIST_TABLES_PRIVILEGES_ON_SELECT;
+    }
+
     return LIST_TABLES_PRIVILEGES;
   }
 
@@ -170,7 +201,14 @@ public class MetastoreAuthzObjectFilter<T> {
       AUTH_SERVER, database, Table.ALL, Column.ALL
     );
 
-    return authorize(HiveOperation.SHOWDATABASES, LIST_DATABASES_PRIVILEGES, username, authorizable);
+    if (SHOWDATABASES_ON_SELECT_ONLY) {
+      return authorize(HiveOperation.SHOWDATABASES, LIST_DATABASES_PRIVILEGES_ON_SELECT,
username,
+          authorizable);
+
+    } else {
+      return authorize(HiveOperation.SHOWDATABASES, LIST_DATABASES_PRIVILEGES, username,
+          authorizable);
+    }
   }
 
   /**
@@ -185,7 +223,11 @@ public class MetastoreAuthzObjectFilter<T> {
       AUTH_SERVER, database, table, Column.ALL
     );
 
-    return authorize(HiveOperation.SHOWTABLES, LIST_TABLES_PRIVILEGES, username, authorizable);
+    if (SHOWTABLES_ON_SELECT_ONLY) {
+      return authorize(HiveOperation.SHOWTABLES, LIST_TABLES_PRIVILEGES_ON_SELECT, username,
authorizable);
+    } else {
+      return authorize(HiveOperation.SHOWTABLES, LIST_TABLES_PRIVILEGES, username, authorizable);
+    }
   }
 
   /**
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
index cc0465a..9045773 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
@@ -35,6 +35,7 @@ import java.util.HashSet;
 
 import com.google.common.collect.Sets;
 import org.apache.hive.hcatalog.listener.DbNotificationListener;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
 import org.apache.sentry.binding.metastore.messaging.json.SentryJSONMessageFactory;
 import org.apache.sentry.api.common.ApiConstants.ClientConfig;
 import org.apache.sentry.tests.e2e.hive.fs.TestFSContants;
@@ -142,6 +143,9 @@ public abstract class AbstractTestWithStaticConfiguration extends RulesForE2ETes
   protected static boolean enableFilter = false;
   // indicate if the database need to be clear for every test case in one test class
   protected static boolean clearDbPerTest = true;
+  protected static boolean showDbOnSelectOnly = false;
+  protected static boolean showTableOnSelectOnly = false;
+  protected static boolean restrictDefaultDatabase = false;
 
   protected static File baseDir;
   protected static File logDir;
@@ -311,6 +315,11 @@ public abstract class AbstractTestWithStaticConfiguration extends RulesForE2ETes
       properties.put(HiveConf.ConfVars.HIVE_LOCK_MANAGER.varname,
           "org.apache.hadoop.hive.ql.lockmgr.EmbeddedLockManager");
     }
+
+    properties.put(AuthzConfVars.SHOWDATABASES_ON_SELECT_ONLY.getVar(), String.valueOf(showDbOnSelectOnly));
+    properties.put(AuthzConfVars.SHOWTABLES_ON_SELECT_ONLY.getVar(), String.valueOf(showTableOnSelectOnly));
+    properties.put(AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), String.valueOf(restrictDefaultDatabase));
+
     if (useSentryService && (!startSentry)) {
       configureHiveAndMetastoreForSentry();
       setupSentryService();
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java
index 6a88d0b..0837c7f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java
@@ -34,15 +34,15 @@ import org.junit.runners.Parameterized;
 
 @RunWith(Parameterized.class)
 public class TestShowMetadataPrivileges extends AbstractTestWithStaticConfiguration {
-  private static final boolean ALLOWED = true;
-  private static final boolean NOT_ALLOWED = false;
-  private static final String SERVER1 = "server1";
+  protected static final boolean ALLOWED = true;
+  protected static final boolean NOT_ALLOWED = false;
+  protected static final String SERVER1 = "server1";
 
-  private static Connection adminCon, user1Con;
-  private static Statement adminStmt, user1Stmt;
+  protected static Connection adminCon, user1Con;
+  protected static Statement adminStmt, user1Stmt;
 
-  private DBModelAction action;
-  private boolean allowed;
+  protected DBModelAction action;
+  protected boolean allowed;
 
   @Parameterized.Parameters
   public static Collection describePrivileges() {
@@ -62,6 +62,7 @@ public class TestShowMetadataPrivileges extends AbstractTestWithStaticConfigurat
   @BeforeClass
   public static void setupTestStaticConfiguration() throws Exception{
     useSentryService = true;
+    restrictDefaultDatabase = true;
     AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
     setupAdmin();
 
@@ -151,4 +152,40 @@ public class TestShowMetadataPrivileges extends AbstractTestWithStaticConfigurat
         user1Stmt.getResultSet().next());
     }
   }
+
+  @Test
+  public void testShowDatabasesWithGrantOnDatabase() throws Exception {
+    if (action != null) {
+      adminStmt.execute("GRANT " + action + " ON DATABASE " + DB1 + " TO ROLE role1");
+    }
+
+    user1Stmt.execute("SHOW DATABASES");
+    if (!allowed) {
+      assertFalse(
+          "SHOW DATABASES should NOT display databases with " + action + " privileges on
the database.",
+          user1Stmt.getResultSet().next());
+    } else {
+      assertTrue(
+          "SHOW DATABASES should display databases with " + action + " privileges on the
database.",
+          user1Stmt.getResultSet().next());
+    }
+  }
+
+  @Test
+  public void testShowDatabasesWithGrantOnServer() throws Exception {
+    if (action != null) {
+      adminStmt.execute("GRANT " + action + " ON SERVER " + SERVER1 + " TO ROLE role1");
+    }
+
+    user1Stmt.execute("SHOW DATABASES");
+    if (!allowed) {
+      assertFalse(
+          "SHOW DATABASES should NOT display databases with " + action + " privileges on
the server.",
+          user1Stmt.getResultSet().next());
+    } else {
+      assertTrue(
+          "SHOW DATABASES should display databases with " + action + " privileges on the
server.",
+          user1Stmt.getResultSet().next());
+    }
+  }
 }
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivilegesOnSelectOnly.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivilegesOnSelectOnly.java
new file mode 100644
index 0000000..b89e941
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivilegesOnSelectOnly.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.hive;
+
+
+import java.util.Arrays;
+import java.util.Collection;
+import org.apache.sentry.core.model.db.DBModelAction;
+import org.junit.BeforeClass;
+import org.junit.runners.Parameterized;
+
+public class TestShowMetadataPrivilegesOnSelectOnly extends TestShowMetadataPrivileges {
+
+    @Parameterized.Parameters
+    public static Collection describePrivilegesOnSelect() {
+        return Arrays.asList(new Object[][] {
+            { null,                  NOT_ALLOWED }, // Means no privileges
+            { DBModelAction.ALL,     ALLOWED },
+            { DBModelAction.CREATE,  NOT_ALLOWED },
+            { DBModelAction.SELECT,  ALLOWED },
+            { DBModelAction.INSERT,  NOT_ALLOWED },
+            { DBModelAction.ALTER,   NOT_ALLOWED },
+            { DBModelAction.DROP,    NOT_ALLOWED },
+            { DBModelAction.INDEX,   NOT_ALLOWED },
+            { DBModelAction.LOCK,    NOT_ALLOWED },
+        });
+    }
+
+    @BeforeClass
+    public static void setupSelectOnlyTestStaticConfiguration() throws Exception {
+        showDbOnSelectOnly = true;
+        showTableOnSelectOnly = true;
+        setupTestStaticConfiguration();
+    }
+
+    public TestShowMetadataPrivilegesOnSelectOnly(DBModelAction action, boolean allowed)
{
+        super(action, allowed);
+    }
+
+}


Mime
View raw message