def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2)
def _secure_results(self, response): if NAVIGATOR.APPLY_SENTRY_PERMISSIONS.get(): checker = PrivilegeChecker(user=self.user) action = 'SELECT' def getkey(result): if result['type'] == 'TABLE': return {u'column': None, u'table': result['originalName'], u'db': result['parentPath'].strip('/')} #, 'server': 'server1'} else: return {u'column': None, u'table': None, u'db': None, u'server': None} response['results'] = checker.filter_objects(response['results'], action, key=getkey)
def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = get_api_v1(self.user) self.api_v2 = get_api_v2(self.user, component='solr') self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2)
def _secure_results(self, response): if NAVIGATOR.APPLY_SENTRY_PERMISSIONS.get(): checker = PrivilegeChecker(user=self.user) action = 'SELECT' for result in response['results']: if result['type'] == 'TABLE': result.update({ u'column': None, u'table': result['originalName'], u'db': result['parentPath'].strip('/'), u'server': u'server1' }) else: result.update({ u'column': None, u'table': None, u'db': None, u'server': None }) response['results'] = checker.filter_objects( response['results'], action)
def top_tables(request): response = {'status': -1} database = request.POST.get('database', 'default') len = request.POST.get('len', 1000) api = OptimizerApi() data = api.top_tables(database_name=database) tables = [{ 'eid': table['eid'], 'database': _get_table_name(table['name'])['database'], 'name': _get_table_name(table['name'])['table'], 'popularity': table['workloadPercent'], 'column_count': table['columnCount'], 'patternCount': table['patternCount'], 'total': table['total'], 'is_fact': table['type'] != 'Dimension' } for table in data['results']] if NAVIGATOR.APPLY_SENTRY_PERMISSIONS.get(): checker = PrivilegeChecker(user=request.user) action = 'SELECT' for table in tables: paths = _get_table_name(table['name']) table.update({ u'db': paths['database'], u'table': paths['table'], u'column': None, u'server': u'server1' }) tables = list(checker.filter_objects(tables, action)) #, getkey=getkey) response['top_tables'] = tables response['status'] = 0 return JsonResponse(response)
def test_secure_results(self): cache_key = SENTRY_PRIVILEGE_CACHE_KEY % { 'username': self.user.username } try: # All single privileges api_v1 = MockSentryApiHive(privileges=[ { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': 'etl', 'action': 'SELECT', 'scope': 'DATABASE', 'table': '', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810422058, 'database': 'etl', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'finance', 'URI': '', 'server': 'server1' }, { 'column': 'col3', 'grantOption': False, 'timestamp': 1478810590335, 'database': 'etl', 'action': 'SELECT', 'scope': 'COLUMN', 'table': 'finance', 'URI': '', 'server': 'server1' }, ]) api_v2 = MockSentryApiV2() checker = PrivilegeChecker(user=self.user, api_v1=api_v1, api_v2=api_v2) records = [{ u'type': u'DATABASE', u'originalName': u'etl', u'description': None, u'params': None, u'internalType': u'hv_database', u'sourceType': u'HIVE', u'tags': None, u'originalDescription': None, u'metaClassName': u'hv_database', u'properties': None, u'identity': u'51002517', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3', u'sourceId': u'56850544', u'packageName': u'nav', u'parentPath': None }, { u'type': u'TABLE', u'parentPath': u'/etl', u'originalName': u'finance', u'clusteredByColNames': None, u'customProperties': None, u'owner': u'elt', u'serdeName': None, u'sourceType': u'HIVE', u'serdeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'internalType': u'hv_table', u'description': None, u'tags': None, u'originalDescription': None, u'compressed': False, u'metaClassName': u'hv_table', u'properties': None, u'identity': u'51340470', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185', u'created': u'2015-08-14T00:04:01.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'lastAccessed': u'1970-01-01T00:00:00.000Z' }, { u'type': u'FIELD', u'parentPath': u'/etl/finance', u'originalName': u'col1', u'customProperties': None, u'deleteTime': None, u'description': None, u'dataType': u'string', u'internalType': u'hv_column', u'sourceType': u'HIVE', u'tags': None, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_column', u'properties': None, u'identity': u'51001004', u'firstClassParentId': u'59444965', u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582', u'sourceId': u'56850544', u'packageName': u'nav' }, { u'type': u'VIEW', u'parentPath': u'/etl', u'originalName': u'finance_view', u'customProperties': None, u'deleteTime': None, u'description': None, u'lastModifiedBy': None, u'internalType': u'hv_view', u'sourceType': u'HIVE', u'tags': None, u'deleted': False, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_view', u'properties': None, u'identity': u'51012354', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394', u'created': u'2015-09-02T08:01:14.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'queryText': u"SELECT * FROM etl.finance LIMIT 10", u'lastAccessed': u'1970-01-01T00:00:00.000Z' }] results = list(self.api._secure_results(records, checker=checker)) assert_equal(len(records), len(results), results) # No privilege api_v1 = MockSentryApiHive() checker = PrivilegeChecker(user=self.user, api_v1=api_v1, api_v2=api_v2) records = [{ u'type': u'DATABASE', u'originalName': u'etl', u'description': None, u'params': None, u'internalType': u'hv_database', u'sourceType': u'HIVE', u'tags': None, u'originalDescription': None, u'metaClassName': u'hv_database', u'properties': None, u'identity': u'51002517', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3', u'sourceId': u'56850544', u'packageName': u'nav', u'parentPath': None }, { u'type': u'TABLE', u'parentPath': u'/etl', u'originalName': u'finance', u'clusteredByColNames': None, u'customProperties': None, u'owner': u'elt', u'serdeName': None, u'sourceType': u'HIVE', u'serdeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'internalType': u'hv_table', u'description': None, u'tags': None, u'originalDescription': None, u'compressed': False, u'metaClassName': u'hv_table', u'properties': None, u'identity': u'51340470', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185', u'created': u'2015-08-14T00:04:01.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'lastAccessed': u'1970-01-01T00:00:00.000Z' }, { u'type': u'FIELD', u'parentPath': u'/etl/finance', u'originalName': u'col1', u'customProperties': None, u'deleteTime': None, u'description': None, u'dataType': u'string', u'internalType': u'hv_column', u'sourceType': u'HIVE', u'tags': None, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_column', u'properties': None, u'identity': u'51001004', u'firstClassParentId': u'59444965', u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582', u'sourceId': u'56850544', u'packageName': u'nav' }, { u'type': u'VIEW', u'parentPath': u'/etl', u'originalName': u'finance_view', u'customProperties': None, u'deleteTime': None, u'description': None, u'lastModifiedBy': None, u'internalType': u'hv_view', u'sourceType': u'HIVE', u'tags': None, u'deleted': False, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_view', u'properties': None, u'identity': u'51012354', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394', u'created': u'2015-09-02T08:01:14.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'queryText': u"SELECT * FROM etl.finance LIMIT 10", u'lastAccessed': u'1970-01-01T00:00:00.000Z' }] results = list(self.api._secure_results(records, checker=checker)) assert_equal(0, len(results), results) # Only table privilege api_v1 = MockSentryApiHive(privileges=[ { 'column': '', 'grantOption': False, 'timestamp': 1478810422058, 'database': 'etl', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'finance', 'URI': '', 'server': 'server1' }, ]) checker = PrivilegeChecker(user=self.user, api_v1=api_v1, api_v2=api_v2) records = [{ u'type': u'DATABASE', u'originalName': u'etl', u'description': None, u'params': None, u'internalType': u'hv_database', u'sourceType': u'HIVE', u'tags': None, u'originalDescription': None, u'metaClassName': u'hv_database', u'properties': None, u'identity': u'51002517', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3', u'sourceId': u'56850544', u'packageName': u'nav', u'parentPath': None }, { u'type': u'TABLE', u'parentPath': u'/etl', u'originalName': u'finance', u'clusteredByColNames': None, u'customProperties': None, u'owner': u'elt', u'serdeName': None, u'sourceType': u'HIVE', u'serdeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'internalType': u'hv_table', u'description': None, u'tags': None, u'originalDescription': None, u'compressed': False, u'metaClassName': u'hv_table', u'properties': None, u'identity': u'51340470', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185', u'created': u'2015-08-14T00:04:01.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'lastAccessed': u'1970-01-01T00:00:00.000Z' }, { u'type': u'FIELD', u'parentPath': u'/etl/finance', u'originalName': u'col1', u'customProperties': None, u'deleteTime': None, u'description': None, u'dataType': u'string', u'internalType': u'hv_column', u'sourceType': u'HIVE', u'tags': None, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_column', u'properties': None, u'identity': u'51001004', u'firstClassParentId': u'59444965', u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582', u'sourceId': u'56850544', u'packageName': u'nav' }, { u'type': u'VIEW', u'parentPath': u'/etl', u'originalName': u'finance_view', u'customProperties': None, u'deleteTime': None, u'description': None, u'lastModifiedBy': None, u'internalType': u'hv_view', u'sourceType': u'HIVE', u'tags': None, u'deleted': False, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_view', u'properties': None, u'identity': u'51012354', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394', u'created': u'2015-09-02T08:01:14.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'queryText': u"SELECT * FROM etl.finance LIMIT 10", u'lastAccessed': u'1970-01-01T00:00:00.000Z' }] results = list(self.api._secure_results(records, checker=checker)) assert_equal(2, len(results), results) # Table + its Column # Only table 2 privilege api_v1 = MockSentryApiHive(privileges=[ { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': 'etl2', 'action': 'SELECT', 'scope': 'DATABASE', 'table': '', 'URI': '', 'server': 'server1' }, ]) checker = PrivilegeChecker(user=self.user, api_v1=api_v1, api_v2=api_v2) records = [ { u'type': u'DATABASE', u'originalName': u'etl', u'description': None, u'params': None, u'internalType': u'hv_database', u'sourceType': u'HIVE', u'tags': None, u'originalDescription': None, u'metaClassName': u'hv_database', u'properties': None, u'identity': u'51002517', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3', u'sourceId': u'56850544', u'packageName': u'nav', u'parentPath': None }, { u'type': u'TABLE', u'parentPath': u'/etl', u'originalName': u'finance', u'clusteredByColNames': None, u'customProperties': None, u'owner': u'elt', u'serdeName': None, u'sourceType': u'HIVE', u'serdeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'internalType': u'hv_table', u'description': None, u'tags': None, u'originalDescription': None, u'compressed': False, u'metaClassName': u'hv_table', u'properties': None, u'identity': u'51340470', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185', u'created': u'2015-08-14T00:04:01.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'lastAccessed': u'1970-01-01T00:00:00.000Z' }, { u'type': u'FIELD', u'parentPath': u'/etl/finance', u'originalName': u'col1', u'customProperties': None, u'deleteTime': None, u'description': None, u'dataType': u'string', u'internalType': u'hv_column', u'sourceType': u'HIVE', u'tags': None, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_column', u'properties': None, u'identity': u'51001004', u'firstClassParentId': u'59444965', u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582', u'sourceId': u'56850544', u'packageName': u'nav' }, { u'type': u'VIEW', u'parentPath': u'/etl', u'originalName': u'finance_view', u'customProperties': None, u'deleteTime': None, u'description': None, u'lastModifiedBy': None, u'internalType': u'hv_view', u'sourceType': u'HIVE', u'tags': None, u'deleted': False, u'technicalProperties': None, u'userEntity': False, u'originalDescription': None, u'metaClassName': u'hv_view', u'properties': None, u'identity': u'51012354', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394', u'created': u'2015-09-02T08:01:14.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'queryText': u"SELECT * FROM etl.finance LIMIT 10", u'lastAccessed': u'1970-01-01T00:00:00.000Z' }, { u'type': u'TABLE', u'parentPath': u'/etl2', u'originalName': u'finance2', u'clusteredByColNames': None, u'customProperties': None, u'owner': u'elt', u'serdeName': None, u'sourceType': u'HIVE', u'serdeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'internalType': u'hv_table', u'description': None, u'tags': None, u'originalDescription': None, u'compressed': False, u'metaClassName': u'hv_table', u'properties': None, u'identity': u'51340470', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'firstClassParentId': None, u'name': None, u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185', u'created': u'2015-08-14T00:04:01.000Z', u'sourceId': u'56850544', u'lastModified': None, u'packageName': u'nav', u'lastAccessed': u'1970-01-01T00:00:00.000Z' }, ] results = list(self.api._secure_results(records, checker=checker)) assert_equal(1, len(results), results) # Table2 only finally: cache.delete(cache_key)
class TestDocumentConverter(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = get_api_v1(self.user) self.api_v2 = get_api_v2(self.user, component='solr') self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_read_privilege(self): try: from mock import Mock except ImportError: raise SkipTest("Skips until HUE-2947 is resolved") action = 'READ' authorizableSet = [ # V1 authorizables { u'column': None, u'table': u'customers', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'web_logs', u'db': u'default', u'server': u'server1' }, { u'column': 'salary', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'code', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': None, u'db': None, u'server': u'server1', u'URI': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'column': None, u'table': None, u'db': None, u'server': u'server1', u'URI': u'file:///path/to/nfs/local/to/nfs' }, # V2 authorizables { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'logs_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'twitter_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'managedTemplate' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo' }, { u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'component': u'nfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'file:///path/to/nfs/local/to/nfs' }, ] self.api_v1.list_sentry_roles_by_group = Mock( return_value=[{ 'name': 'test', 'group': 'test' }]) self.api_v1.list_sentry_privileges_by_role = Mock(return_value=[ { 'column': 'total_emp', 'grantOption': False, 'timestamp': 1478810635378, 'database': 'default', 'action': 'INSERT', 'scope': 'COLUMN', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810422058, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'customers', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'web_logs', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810590335, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': 'salary', 'grantOption': False, 'timestamp': 1478810635396, 'database': 'default', 'action': 'ALL', 'scope': 'COLUMN', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': '', 'action': 'ALL', 'scope': 'URI', 'table': '', 'URI': 'hdfs://ha-nn-uri/data/landing-skid', 'server': 'server1' }, ]) self.api_v2.list_sentry_roles_by_group = Mock( return_value=[{ 'name': 'test', 'group': 'test' }]) self.api_v2.list_sentry_privileges_by_role = Mock(return_value=[ { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'ALL', 'authorizables': [{ 'type': 'CONFIG', 'name': 'managedTemplate' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'QUERY', 'authorizables': [{ 'type': 'COLLECTION', 'name': 'twitter_demo' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'UPDATE', 'authorizables': [{ 'type': 'COLLECTION', 'name': 'yelp_demo' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'ALL', 'authorizables': [{ 'type': 'CONFIG', 'name': 'yelp_demo' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'hdfs', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'ALL', 'authorizables': [{ 'type': 'URI', 'name': 'hdfs://ha-nn-uri/data/landing-skid' }] }, ]) filtered_set = self.checker.filter_objects( authorizableSet=authorizableSet, action=action) expected_filtered_set = [ # V2 authorizables { u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }, { u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'managedTemplate' }, { u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }, # V1 authorizables { u'column': None, u'table': None, u'db': None, u'server': u'server1', u'URI': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'column': None, u'table': u'customers', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'code', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'salary', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'web_logs', u'db': u'default', u'server': u'server1' }, ] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_write_privilege(self): try: from mock import Mock except ImportError: raise SkipTest("Skips until HUE-2947 is resolved") action = 'WRITE' authorizableSet = [ # V1 authorizables { u'column': None, u'table': u'customers', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'web_logs', u'db': u'default', u'server': u'server1' }, { u'column': 'salary', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'code', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': None, u'db': None, u'server': u'server1', u'URI': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'column': None, u'table': None, u'db': None, u'server': u'server1', u'URI': u'file:///path/to/nfs/local/to/nfs' }, # V2 authorizables { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'logs_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'twitter_demo' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'managedTemplate' }, { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo' }, { u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'component': u'nfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'file:///path/to/nfs/local/to/nfs' }, ] self.api_v1.list_sentry_roles_by_group = Mock( return_value=[{ 'name': 'test', 'group': 'test' }]) self.api_v1.list_sentry_privileges_by_role = Mock(return_value=[ { 'column': 'total_emp', 'grantOption': False, 'timestamp': 1478810635378, 'database': 'default', 'action': 'INSERT', 'scope': 'COLUMN', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810422058, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'customers', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'web_logs', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810590335, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': 'salary', 'grantOption': False, 'timestamp': 1478810635396, 'database': 'default', 'action': 'ALL', 'scope': 'COLUMN', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': '', 'action': 'ALL', 'scope': 'URI', 'table': '', 'URI': 'hdfs://ha-nn-uri/data/landing-skid', 'server': 'server1' }, ]) self.api_v2.list_sentry_roles_by_group = Mock( return_value=[{ 'name': 'test', 'group': 'test' }]) self.api_v2.list_sentry_privileges_by_role = Mock(return_value=[ { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'ALL', 'authorizables': [{ 'type': 'CONFIG', 'name': 'managedTemplate' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'QUERY', 'authorizables': [{ 'type': 'COLLECTION', 'name': 'twitter_demo' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'UPDATE', 'authorizables': [{ 'type': 'COLLECTION', 'name': 'yelp_demo' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'solr', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'ALL', 'authorizables': [{ 'type': 'CONFIG', 'name': 'yelp_demo' }] }, { 'grantOption': False, 'timestamp': None, 'component': 'hdfs', 'serviceName': 'server1', 'grantorPrincipal': None, 'action': 'ALL', 'authorizables': [{ 'type': 'URI', 'name': 'hdfs://ha-nn-uri/data/landing-skid' }] }, ]) filtered_set = self.checker.filter_objects( authorizableSet=authorizableSet, action=action) expected_filtered_set = [ # V2 authorizables { u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }, { u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'managedTemplate' }, { u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }, # V1 authorizables { u'column': None, u'table': None, u'db': None, u'server': u'server1', u'URI': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'column': 'salary', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, ] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_to_sentry_authorizables(self): objectSet = ['foo', 'bar', 'baz', 'boom'] expectedSet = [ ('foo', {'db': 'foo', 'server': 'server1'}), ('bar', {'db': 'bar', 'server': 'server1'}), ('baz', {'db': 'baz', 'server': 'server1'}), ] def test_key_fn(obj): if obj != 'boom': return {'db': obj} else: return None authorizableSet = self.checker._to_sentry_authorizables(objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True)) def test_end_to_end(self): action = 'SELECT' objectSet = [ {'name': 'test_table_select', 'db': 'default'}, {'name': 'test_table_insert', 'db': 'default'}, {'name': 'test_db_select', 'db': 'test_db_select'}, {'name': 'test_none', 'db': 'default'}, {'name': 'invalid_object'} ] expectedSet = [ {'name': 'test_table_select', 'db': 'default'}, {'name': 'test_table_insert', 'db': 'default'}, {'name': 'test_db_select', 'db': 'test_db_select'}, ] def test_key_fn(obj): if 'name' in obj and 'db' in obj: return {'column': '', 'table': obj['name'], 'db': obj['db']} else: return None filtered_set = self.checker.filter_objects(objects=objectSet, action=action, key=test_key_fn) assert_equal(expectedSet, filtered_set, filtered_set) def test_columns_select(self): action = 'SELECT' authorizableSet = [ # column-level SELECT privilege exists {u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # table-level SELECT privileges exists {u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, # db-level SELECT privileges exist {u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'}, # no privileges exist {u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, {u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, {u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_columns_insert(self): action = 'INSERT' authorizableSet = [ # column-level ALL privilege exists {u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # column-level INSERT privileges exist {u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # SELECT, but not INSERT, privilege exists {u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # no privileges exist {u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, {u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_select(self): action = 'SELECT' authorizableSet = [ # table-level SELECT privileges exists {u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, # table-level INSERT privileges exists {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, # db-level SELECT privileges exist {u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, {u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, {u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_insert(self): action = 'INSERT' authorizableSet = [ # table-level ALL privilege exists {u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1'}, # table-level INSERT privileges exist {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, # SELECT, but not INSERT, privilege exists {u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1'}, {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_select(self): action = 'SELECT' authorizableSet = [ # db-level SELECT privileges exists {u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'}, # db-level INSERT privileges exists {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, {u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_insert(self): action = 'INSERT' authorizableSet = [ # db-level ALL privilege exists {u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1'}, # db-level INSERT privileges exist {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, # SELECT, but not INSERT, privilege exists {u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1'}, {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_query(self): action = 'QUERY' authorizableSet = [ # ALL privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo'}, # UPDATE privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo'}, # QUERY privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo'}, # No privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo'}, {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo'}, {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_update(self): action = 'UPDATE' authorizableSet = [ # ALL privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo'}, # UPDATE privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo'}, # QUERY privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo'}, # No privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo'}, {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_config(self): action = 'UPDATE' authorizableSet = [ # ALL privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo'}, # No privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_uri(self): action = 'UPDATE' authorizableSet = [ # HDFS privilege {u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid'}, # S3 privilege {u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test'}, # No privilege {u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid'}, {u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_to_sentry_authorizables(self): objectSet = ['foo', 'bar', 'baz', 'boom'] expectedSet = [ ('foo', { 'db': 'foo', 'server': 'server1' }), ('bar', { 'db': 'bar', 'server': 'server1' }), ('baz', { 'db': 'baz', 'server': 'server1' }), ] def test_key_fn(obj): if obj != 'boom': return {'db': obj} else: return None authorizableSet = self.checker._to_sentry_authorizables( objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True)) def test_end_to_end(self): action = 'SELECT' objectSet = [{ 'name': 'test_table_select', 'db': 'default' }, { 'name': 'test_table_insert', 'db': 'default' }, { 'name': 'test_db_select', 'db': 'test_db_select' }, { 'name': 'test_none', 'db': 'default' }, { 'name': 'invalid_object' }] expectedSet = [ { 'name': 'test_table_select', 'db': 'default' }, { 'name': 'test_table_insert', 'db': 'default' }, { 'name': 'test_db_select', 'db': 'test_db_select' }, ] def test_key_fn(obj): if 'name' in obj and 'db' in obj: return {'column': '', 'table': obj['name'], 'db': obj['db']} else: return None filtered_set = self.checker.filter_objects(objects=objectSet, action=action, key=test_key_fn) assert_equal(expectedSet, list(filtered_set), list(filtered_set)) def test_columns_select(self): action = 'SELECT' authorizableSet = [ # column-level SELECT privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # table-level SELECT privileges exists { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_columns_insert(self): action = 'INSERT' authorizableSet = [ # column-level ALL privilege exists { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # column-level INSERT privileges exist { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_select(self): action = 'SELECT' authorizableSet = [ # table-level SELECT privileges exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exists { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_insert(self): action = 'INSERT' authorizableSet = [ # table-level ALL privilege exists { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exist { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_select(self): action = 'SELECT' authorizableSet = [ # db-level SELECT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # db-level INSERT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_insert(self): action = 'INSERT' authorizableSet = [ # db-level ALL privilege exists { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, # db-level INSERT privileges exist { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_query(self): action = 'QUERY' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_update(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_config(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_uri(self): action = 'UPDATE' authorizableSet = [ # HDFS privilege { u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, # S3 privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test' }, # No privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_to_sentry_authorizables(self): objectSet = ['foo', 'bar', 'baz', 'boom'] expectedSet = [ { 'db': 'foo', 'server': 'server1' }, { 'db': 'bar', 'server': 'server1' }, { 'db': 'baz', 'server': 'server1' }, ] def test_key_fn(obj): if obj != 'boom': return {'db': obj} else: return None authorizableSet = self.checker._to_sentry_authorizables( objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True)) objectSet = [{ u'identity': u'9282adb88478c2ce4beb13dbba997ef5', u'serDeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'sourceType': u'HIVE', u'inputFormat': u'org.apache.hadoop.mapred.TextInputFormat', u'created': u'2016-07-25T17: 22: 18.000Z', u'sourceId': u'4fbdadc6899638782fc8cb626176dc7b', u'tags': [u'asdf'], u'deleted': False, u'_version_': 1549818955715051520, u'userEntity': False, u'properties': { u'1': u'2' }, u'extractorRunId': u'4fbdadc6899638782fc8cb626176dc7b##1', u'compressed': False, u'parentPath': u'/default', u'owner': u'admin', u'originalName': u'sample_08', u'type': u'TABLE', u'lastAccessed': u'1970-01-01T00: 00: 00.000Z', u'fileSystemPath': u'hdfs: //hue-team-1.vpc.cloudera.com: 8020/user/hive/warehouse/sample_08', u'internalType': u'hv_table' }, { u'serDeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'owner': u'admin', u'fileSystemPath': u'hdfs: //hue-team-1.vpc.cloudera.com: 8020/user/hive/warehouse/sample_07', u'lastModifiedBy': u'admin', u'_version_': 1550478188023382016, u'type': u'TABLE', u'internalType': u'hv_table', u'sourceType': u'HIVE', u'inputFormat': u'org.apache.hadoop.mapred.TextInputFormat', u'tags': [u'hue-bugblitz', u'vvvvv', u'asdf', u'ffff'], u'deleted': False, u'userEntity': False, u'originalDescription': u'HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.\n\nHueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.', u'compressed': False, u'identity': u'ea27302e11370a3927ac11cbb920891d', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'extractorRunId': u'4fbdadc6899638782fc8cb626176dc7b##8979', u'created': u'2016-07-25T17: 22: 15.000Z', u'sourceId': u'4fbdadc6899638782fc8cb626176dc7b', u'lastModified': u'2016-09-28T16: 25: 07.000Z', u'parentPath': u'/default', u'originalName': u'sample_07', u'lastAccessed': u'1970-01-01T00: 00: 00.000Z' }] expectedSet = [{ u'column': None, u'table': u'sample_08', u'db': u'default', 'server': 'server1' }, { u'column': None, u'table': u'sample_07', u'db': u'default', 'server': 'server1' }] def test_key_fn(obj): return { 'column': None, 'table': obj.get('originalName'), 'db': obj.get('parentPath', '').strip('/') } authorizableSet = self.checker._to_sentry_authorizables( objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(all('server' not in obj for obj in objectSet)) assert_true(all('db' not in obj for obj in objectSet)) def test_columns_select(self): action = 'SELECT' authorizableSet = [ # column-level SELECT privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # table-level SELECT privileges exists { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_columns_insert(self): action = 'INSERT' authorizableSet = [ # column-level ALL privilege exists { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # column-level INSERT privileges exist { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_select(self): action = 'SELECT' authorizableSet = [ # table-level SELECT privileges exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exists { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_insert(self): action = 'INSERT' authorizableSet = [ # table-level ALL privilege exists { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exist { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_select(self): action = 'SELECT' authorizableSet = [ # db-level SELECT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # db-level INSERT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_insert(self): action = 'INSERT' authorizableSet = [ # db-level ALL privilege exists { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, # db-level INSERT privileges exist { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_query(self): action = 'QUERY' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_update(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_config(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_uri(self): action = 'UPDATE' authorizableSet = [ # HDFS privilege { u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, # S3 privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test' }, # No privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestDocumentConverter(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api = get_api(self.user) self.checker = PrivilegeChecker(user=self.user, api=self.api) def test_select_privilege(self): try: from mock import Mock except ImportError: raise SkipTest("Skips until HUE-2947 is resolved") action = 'SELECT' authorizableSet = [ { u'column': None, u'table': u'customers', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'web_logs', u'db': u'default', u'server': u'server1' }, { u'column': 'salary', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'code', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] self.api.list_sentry_roles_by_group = Mock( return_value=[{ 'name': 'test', 'group': 'test' }]) self.api.list_sentry_privileges_by_role = Mock( return_value=[{ 'column': 'total_emp', 'grantOption': False, 'timestamp': 1478810635378, 'database': 'default', 'action': 'INSERT', 'scope': 'COLUMN', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810422058, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'customers', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810513849, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'web_logs', 'URI': '', 'server': 'server1' }, { 'column': '', 'grantOption': False, 'timestamp': 1478810590335, 'database': 'default', 'action': 'SELECT', 'scope': 'TABLE', 'table': 'sample_08', 'URI': '', 'server': 'server1' }, { 'column': 'salary', 'grantOption': False, 'timestamp': 1478810635396, 'database': 'default', 'action': 'ALL', 'scope': 'COLUMN', 'table': 'sample_08', 'URI': '', 'server': 'server1' }]) filtered_set = self.checker.filter_objects( authorizableSet=authorizableSet, action=action) expected_filtered_set = [ { u'column': None, u'table': u'customers', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'code', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'salary', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': 'total_emp', u'table': u'sample_08', u'db': u'default', u'server': u'server1' }, { u'column': None, u'table': u'web_logs', u'db': u'default', u'server': u'server1' }, ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: (obj['table'], obj['column'])))