def setUp(self):
self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = MockSentryApiV1()
self.api_v2 = MockSentryApiV2()
self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2)
def _secure_results(self, response):
if NAVIGATOR.APPLY_SENTRY_PERMISSIONS.get():
checker = PrivilegeChecker(user=self.user)
action = 'SELECT'
def getkey(result):
if result['type'] == 'TABLE':
return {u'column': None, u'table': result['originalName'], u'db': result['parentPath'].strip('/')} #, 'server': 'server1'}
else:
return {u'column': None, u'table': None, u'db': None, u'server': None}
response['results'] = checker.filter_objects(response['results'], action, key=getkey)
def setUp(self):
self.client = make_logged_in_client(username="******",
groupname="test",
recreate=True,
is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = get_api_v1(self.user)
self.api_v2 = get_api_v2(self.user, component='solr')
self.checker = PrivilegeChecker(user=self.user,
api_v1=self.api_v1,
api_v2=self.api_v2)
def setUp(self):
self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = MockSentryApiV1()
self.api_v2 = MockSentryApiV2()
self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2)
def _secure_results(self, response):
if NAVIGATOR.APPLY_SENTRY_PERMISSIONS.get():
checker = PrivilegeChecker(user=self.user)
action = 'SELECT'
for result in response['results']:
if result['type'] == 'TABLE':
result.update({
u'column': None,
u'table': result['originalName'],
u'db': result['parentPath'].strip('/'),
u'server': u'server1'
})
else:
result.update({
u'column': None,
u'table': None,
u'db': None,
u'server': None
})
response['results'] = checker.filter_objects(
response['results'], action)
def top_tables(request):
response = {'status': -1}
database = request.POST.get('database', 'default')
len = request.POST.get('len', 1000)
api = OptimizerApi()
data = api.top_tables(database_name=database)
tables = [{
'eid': table['eid'],
'database': _get_table_name(table['name'])['database'],
'name': _get_table_name(table['name'])['table'],
'popularity': table['workloadPercent'],
'column_count': table['columnCount'],
'patternCount': table['patternCount'],
'total': table['total'],
'is_fact': table['type'] != 'Dimension'
} for table in data['results']]
if NAVIGATOR.APPLY_SENTRY_PERMISSIONS.get():
checker = PrivilegeChecker(user=request.user)
action = 'SELECT'
for table in tables:
paths = _get_table_name(table['name'])
table.update({
u'db': paths['database'],
u'table': paths['table'],
u'column': None,
u'server': u'server1'
})
tables = list(checker.filter_objects(tables,
action)) #, getkey=getkey)
response['top_tables'] = tables
response['status'] = 0
return JsonResponse(response)
def test_secure_results(self):
cache_key = SENTRY_PRIVILEGE_CACHE_KEY % {
'username': self.user.username
}
try:
# All single privileges
api_v1 = MockSentryApiHive(privileges=[
{
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': 'etl',
'action': 'SELECT',
'scope': 'DATABASE',
'table': '',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810422058,
'database': 'etl',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'finance',
'URI': '',
'server': 'server1'
},
{
'column': 'col3',
'grantOption': False,
'timestamp': 1478810590335,
'database': 'etl',
'action': 'SELECT',
'scope': 'COLUMN',
'table': 'finance',
'URI': '',
'server': 'server1'
},
])
api_v2 = MockSentryApiV2()
checker = PrivilegeChecker(user=self.user,
api_v1=api_v1,
api_v2=api_v2)
records = [{
u'type': u'DATABASE',
u'originalName': u'etl',
u'description': None,
u'params': None,
u'internalType': u'hv_database',
u'sourceType': u'HIVE',
u'tags': None,
u'originalDescription': None,
u'metaClassName': u'hv_database',
u'properties': None,
u'identity': u'51002517',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3',
u'sourceId': u'56850544',
u'packageName': u'nav',
u'parentPath': None
}, {
u'type': u'TABLE',
u'parentPath': u'/etl',
u'originalName': u'finance',
u'clusteredByColNames': None,
u'customProperties': None,
u'owner': u'elt',
u'serdeName': None,
u'sourceType': u'HIVE',
u'serdeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'internalType': u'hv_table',
u'description': None,
u'tags': None,
u'originalDescription': None,
u'compressed': False,
u'metaClassName': u'hv_table',
u'properties': None,
u'identity': u'51340470',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185',
u'created': u'2015-08-14T00:04:01.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
}, {
u'type': u'FIELD',
u'parentPath': u'/etl/finance',
u'originalName': u'col1',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'dataType': u'string',
u'internalType': u'hv_column',
u'sourceType': u'HIVE',
u'tags': None,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_column',
u'properties': None,
u'identity': u'51001004',
u'firstClassParentId': u'59444965',
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582',
u'sourceId': u'56850544',
u'packageName': u'nav'
}, {
u'type': u'VIEW',
u'parentPath': u'/etl',
u'originalName': u'finance_view',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'lastModifiedBy': None,
u'internalType': u'hv_view',
u'sourceType': u'HIVE',
u'tags': None,
u'deleted': False,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_view',
u'properties': None,
u'identity': u'51012354',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394',
u'created': u'2015-09-02T08:01:14.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'queryText': u"SELECT * FROM etl.finance LIMIT 10",
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
}]
results = list(self.api._secure_results(records, checker=checker))
assert_equal(len(records), len(results), results)
# No privilege
api_v1 = MockSentryApiHive()
checker = PrivilegeChecker(user=self.user,
api_v1=api_v1,
api_v2=api_v2)
records = [{
u'type': u'DATABASE',
u'originalName': u'etl',
u'description': None,
u'params': None,
u'internalType': u'hv_database',
u'sourceType': u'HIVE',
u'tags': None,
u'originalDescription': None,
u'metaClassName': u'hv_database',
u'properties': None,
u'identity': u'51002517',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3',
u'sourceId': u'56850544',
u'packageName': u'nav',
u'parentPath': None
}, {
u'type': u'TABLE',
u'parentPath': u'/etl',
u'originalName': u'finance',
u'clusteredByColNames': None,
u'customProperties': None,
u'owner': u'elt',
u'serdeName': None,
u'sourceType': u'HIVE',
u'serdeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'internalType': u'hv_table',
u'description': None,
u'tags': None,
u'originalDescription': None,
u'compressed': False,
u'metaClassName': u'hv_table',
u'properties': None,
u'identity': u'51340470',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185',
u'created': u'2015-08-14T00:04:01.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
}, {
u'type': u'FIELD',
u'parentPath': u'/etl/finance',
u'originalName': u'col1',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'dataType': u'string',
u'internalType': u'hv_column',
u'sourceType': u'HIVE',
u'tags': None,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_column',
u'properties': None,
u'identity': u'51001004',
u'firstClassParentId': u'59444965',
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582',
u'sourceId': u'56850544',
u'packageName': u'nav'
}, {
u'type': u'VIEW',
u'parentPath': u'/etl',
u'originalName': u'finance_view',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'lastModifiedBy': None,
u'internalType': u'hv_view',
u'sourceType': u'HIVE',
u'tags': None,
u'deleted': False,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_view',
u'properties': None,
u'identity': u'51012354',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394',
u'created': u'2015-09-02T08:01:14.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'queryText': u"SELECT * FROM etl.finance LIMIT 10",
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
}]
results = list(self.api._secure_results(records, checker=checker))
assert_equal(0, len(results), results)
# Only table privilege
api_v1 = MockSentryApiHive(privileges=[
{
'column': '',
'grantOption': False,
'timestamp': 1478810422058,
'database': 'etl',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'finance',
'URI': '',
'server': 'server1'
},
])
checker = PrivilegeChecker(user=self.user,
api_v1=api_v1,
api_v2=api_v2)
records = [{
u'type': u'DATABASE',
u'originalName': u'etl',
u'description': None,
u'params': None,
u'internalType': u'hv_database',
u'sourceType': u'HIVE',
u'tags': None,
u'originalDescription': None,
u'metaClassName': u'hv_database',
u'properties': None,
u'identity': u'51002517',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3',
u'sourceId': u'56850544',
u'packageName': u'nav',
u'parentPath': None
}, {
u'type': u'TABLE',
u'parentPath': u'/etl',
u'originalName': u'finance',
u'clusteredByColNames': None,
u'customProperties': None,
u'owner': u'elt',
u'serdeName': None,
u'sourceType': u'HIVE',
u'serdeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'internalType': u'hv_table',
u'description': None,
u'tags': None,
u'originalDescription': None,
u'compressed': False,
u'metaClassName': u'hv_table',
u'properties': None,
u'identity': u'51340470',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1185',
u'created': u'2015-08-14T00:04:01.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
}, {
u'type': u'FIELD',
u'parentPath': u'/etl/finance',
u'originalName': u'col1',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'dataType': u'string',
u'internalType': u'hv_column',
u'sourceType': u'HIVE',
u'tags': None,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_column',
u'properties': None,
u'identity': u'51001004',
u'firstClassParentId': u'59444965',
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##1582',
u'sourceId': u'56850544',
u'packageName': u'nav'
}, {
u'type': u'VIEW',
u'parentPath': u'/etl',
u'originalName': u'finance_view',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'lastModifiedBy': None,
u'internalType': u'hv_view',
u'sourceType': u'HIVE',
u'tags': None,
u'deleted': False,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_view',
u'properties': None,
u'identity': u'51012354',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##394',
u'created': u'2015-09-02T08:01:14.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'queryText': u"SELECT * FROM etl.finance LIMIT 10",
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
}]
results = list(self.api._secure_results(records, checker=checker))
assert_equal(2, len(results), results) # Table + its Column
# Only table 2 privilege
api_v1 = MockSentryApiHive(privileges=[
{
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': 'etl2',
'action': 'SELECT',
'scope': 'DATABASE',
'table': '',
'URI': '',
'server': 'server1'
},
])
checker = PrivilegeChecker(user=self.user,
api_v1=api_v1,
api_v2=api_v2)
records = [
{
u'type': u'DATABASE',
u'originalName': u'etl',
u'description': None,
u'params': None,
u'internalType': u'hv_database',
u'sourceType': u'HIVE',
u'tags': None,
u'originalDescription': None,
u'metaClassName': u'hv_database',
u'properties': None,
u'identity': u'51002517',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId': u'845beb21b95783c4f55276a4ae38a332##3',
u'sourceId': u'56850544',
u'packageName': u'nav',
u'parentPath': None
},
{
u'type': u'TABLE',
u'parentPath': u'/etl',
u'originalName': u'finance',
u'clusteredByColNames': None,
u'customProperties': None,
u'owner': u'elt',
u'serdeName': None,
u'sourceType': u'HIVE',
u'serdeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'internalType': u'hv_table',
u'description': None,
u'tags': None,
u'originalDescription': None,
u'compressed': False,
u'metaClassName': u'hv_table',
u'properties': None,
u'identity': u'51340470',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId':
u'845beb21b95783c4f55276a4ae38a332##1185',
u'created': u'2015-08-14T00:04:01.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
},
{
u'type': u'FIELD',
u'parentPath': u'/etl/finance',
u'originalName': u'col1',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'dataType': u'string',
u'internalType': u'hv_column',
u'sourceType': u'HIVE',
u'tags': None,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_column',
u'properties': None,
u'identity': u'51001004',
u'firstClassParentId': u'59444965',
u'name': None,
u'extractorRunId':
u'845beb21b95783c4f55276a4ae38a332##1582',
u'sourceId': u'56850544',
u'packageName': u'nav'
},
{
u'type': u'VIEW',
u'parentPath': u'/etl',
u'originalName': u'finance_view',
u'customProperties': None,
u'deleteTime': None,
u'description': None,
u'lastModifiedBy': None,
u'internalType': u'hv_view',
u'sourceType': u'HIVE',
u'tags': None,
u'deleted': False,
u'technicalProperties': None,
u'userEntity': False,
u'originalDescription': None,
u'metaClassName': u'hv_view',
u'properties': None,
u'identity': u'51012354',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId':
u'845beb21b95783c4f55276a4ae38a332##394',
u'created': u'2015-09-02T08:01:14.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'queryText': u"SELECT * FROM etl.finance LIMIT 10",
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
},
{
u'type': u'TABLE',
u'parentPath': u'/etl2',
u'originalName': u'finance2',
u'clusteredByColNames': None,
u'customProperties': None,
u'owner': u'elt',
u'serdeName': None,
u'sourceType': u'HIVE',
u'serdeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'internalType': u'hv_table',
u'description': None,
u'tags': None,
u'originalDescription': None,
u'compressed': False,
u'metaClassName': u'hv_table',
u'properties': None,
u'identity': u'51340470',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'firstClassParentId': None,
u'name': None,
u'extractorRunId':
u'845beb21b95783c4f55276a4ae38a332##1185',
u'created': u'2015-08-14T00:04:01.000Z',
u'sourceId': u'56850544',
u'lastModified': None,
u'packageName': u'nav',
u'lastAccessed': u'1970-01-01T00:00:00.000Z'
},
]
results = list(self.api._secure_results(records, checker=checker))
assert_equal(1, len(results), results) # Table2 only
finally:
cache.delete(cache_key)
class TestDocumentConverter(object):
def setUp(self):
self.client = make_logged_in_client(username="******",
groupname="test",
recreate=True,
is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = get_api_v1(self.user)
self.api_v2 = get_api_v2(self.user, component='solr')
self.checker = PrivilegeChecker(user=self.user,
api_v1=self.api_v1,
api_v2=self.api_v2)
def test_read_privilege(self):
try:
from mock import Mock
except ImportError:
raise SkipTest("Skips until HUE-2947 is resolved")
action = 'READ'
authorizableSet = [
# V1 authorizables
{
u'column': None,
u'table': u'customers',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'web_logs',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'salary',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'code',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': None,
u'db': None,
u'server': u'server1',
u'URI': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'column': None,
u'table': None,
u'db': None,
u'server': u'server1',
u'URI': u'file:///path/to/nfs/local/to/nfs'
},
# V2 authorizables
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'logs_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'test_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'twitter_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'yelp_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'twitter_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'managedTemplate'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'yelp_demo'
},
{
u'component': u'hdfs',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'component': u'nfs',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u'file:///path/to/nfs/local/to/nfs'
},
]
self.api_v1.list_sentry_roles_by_group = Mock(
return_value=[{
'name': 'test',
'group': 'test'
}])
self.api_v1.list_sentry_privileges_by_role = Mock(return_value=[
{
'column': 'total_emp',
'grantOption': False,
'timestamp': 1478810635378,
'database': 'default',
'action': 'INSERT',
'scope': 'COLUMN',
'table': 'sample_08',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810422058,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'customers',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'web_logs',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810590335,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'sample_08',
'URI': '',
'server': 'server1'
},
{
'column': 'salary',
'grantOption': False,
'timestamp': 1478810635396,
'database': 'default',
'action': 'ALL',
'scope': 'COLUMN',
'table': 'sample_08',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': '',
'action': 'ALL',
'scope': 'URI',
'table': '',
'URI': 'hdfs://ha-nn-uri/data/landing-skid',
'server': 'server1'
},
])
self.api_v2.list_sentry_roles_by_group = Mock(
return_value=[{
'name': 'test',
'group': 'test'
}])
self.api_v2.list_sentry_privileges_by_role = Mock(return_value=[
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'ALL',
'authorizables': [{
'type': 'CONFIG',
'name': 'managedTemplate'
}]
},
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'QUERY',
'authorizables': [{
'type': 'COLLECTION',
'name': 'twitter_demo'
}]
},
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'UPDATE',
'authorizables': [{
'type': 'COLLECTION',
'name': 'yelp_demo'
}]
},
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'ALL',
'authorizables': [{
'type': 'CONFIG',
'name': 'yelp_demo'
}]
},
{
'grantOption':
False,
'timestamp':
None,
'component':
'hdfs',
'serviceName':
'server1',
'grantorPrincipal':
None,
'action':
'ALL',
'authorizables': [{
'type': 'URI',
'name': 'hdfs://ha-nn-uri/data/landing-skid'
}]
},
])
filtered_set = self.checker.filter_objects(
authorizableSet=authorizableSet, action=action)
expected_filtered_set = [
# V2 authorizables
{
u'type': u'URI',
u'serviceName': u'server1',
u'component': u'hdfs',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'twitter_demo'
},
{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
},
{
u'type': u'CONFIG',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'managedTemplate'
},
{
u'type': u'CONFIG',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
},
# V1 authorizables
{
u'column': None,
u'table': None,
u'db': None,
u'server': u'server1',
u'URI': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'column': None,
u'table': u'customers',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'code',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'salary',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'web_logs',
u'db': u'default',
u'server': u'server1'
},
]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_write_privilege(self):
try:
from mock import Mock
except ImportError:
raise SkipTest("Skips until HUE-2947 is resolved")
action = 'WRITE'
authorizableSet = [
# V1 authorizables
{
u'column': None,
u'table': u'customers',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'web_logs',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'salary',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'code',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': None,
u'db': None,
u'server': u'server1',
u'URI': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'column': None,
u'table': None,
u'db': None,
u'server': u'server1',
u'URI': u'file:///path/to/nfs/local/to/nfs'
},
# V2 authorizables
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'logs_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'test_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'twitter_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'yelp_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'twitter_demo'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'managedTemplate'
},
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'yelp_demo'
},
{
u'component': u'hdfs',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'component': u'nfs',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u'file:///path/to/nfs/local/to/nfs'
},
]
self.api_v1.list_sentry_roles_by_group = Mock(
return_value=[{
'name': 'test',
'group': 'test'
}])
self.api_v1.list_sentry_privileges_by_role = Mock(return_value=[
{
'column': 'total_emp',
'grantOption': False,
'timestamp': 1478810635378,
'database': 'default',
'action': 'INSERT',
'scope': 'COLUMN',
'table': 'sample_08',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810422058,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'customers',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'web_logs',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810590335,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'sample_08',
'URI': '',
'server': 'server1'
},
{
'column': 'salary',
'grantOption': False,
'timestamp': 1478810635396,
'database': 'default',
'action': 'ALL',
'scope': 'COLUMN',
'table': 'sample_08',
'URI': '',
'server': 'server1'
},
{
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': '',
'action': 'ALL',
'scope': 'URI',
'table': '',
'URI': 'hdfs://ha-nn-uri/data/landing-skid',
'server': 'server1'
},
])
self.api_v2.list_sentry_roles_by_group = Mock(
return_value=[{
'name': 'test',
'group': 'test'
}])
self.api_v2.list_sentry_privileges_by_role = Mock(return_value=[
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'ALL',
'authorizables': [{
'type': 'CONFIG',
'name': 'managedTemplate'
}]
},
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'QUERY',
'authorizables': [{
'type': 'COLLECTION',
'name': 'twitter_demo'
}]
},
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'UPDATE',
'authorizables': [{
'type': 'COLLECTION',
'name': 'yelp_demo'
}]
},
{
'grantOption': False,
'timestamp': None,
'component': 'solr',
'serviceName': 'server1',
'grantorPrincipal': None,
'action': 'ALL',
'authorizables': [{
'type': 'CONFIG',
'name': 'yelp_demo'
}]
},
{
'grantOption':
False,
'timestamp':
None,
'component':
'hdfs',
'serviceName':
'server1',
'grantorPrincipal':
None,
'action':
'ALL',
'authorizables': [{
'type': 'URI',
'name': 'hdfs://ha-nn-uri/data/landing-skid'
}]
},
])
filtered_set = self.checker.filter_objects(
authorizableSet=authorizableSet, action=action)
expected_filtered_set = [
# V2 authorizables
{
u'type': u'URI',
u'serviceName': u'server1',
u'component': u'hdfs',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
},
{
u'type': u'CONFIG',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'managedTemplate'
},
{
u'type': u'CONFIG',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
},
# V1 authorizables
{
u'column': None,
u'table': None,
u'db': None,
u'server': u'server1',
u'URI': u'hdfs://ha-nn-uri/data/landing-skid'
},
{
u'column': 'salary',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object):
def setUp(self):
self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = MockSentryApiV1()
self.api_v2 = MockSentryApiV2()
self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2)
def test_to_sentry_authorizables(self):
objectSet = ['foo', 'bar', 'baz', 'boom']
expectedSet = [
('foo', {'db': 'foo', 'server': 'server1'}),
('bar', {'db': 'bar', 'server': 'server1'}),
('baz', {'db': 'baz', 'server': 'server1'}),
]
def test_key_fn(obj):
if obj != 'boom':
return {'db': obj}
else:
return None
authorizableSet = self.checker._to_sentry_authorizables(objects=objectSet, key=test_key_fn)
assert_equal(expectedSet, authorizableSet, authorizableSet)
# Original list of objects should not be mutated
assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True))
def test_end_to_end(self):
action = 'SELECT'
objectSet = [
{'name': 'test_table_select', 'db': 'default'},
{'name': 'test_table_insert', 'db': 'default'},
{'name': 'test_db_select', 'db': 'test_db_select'},
{'name': 'test_none', 'db': 'default'},
{'name': 'invalid_object'}
]
expectedSet = [
{'name': 'test_table_select', 'db': 'default'},
{'name': 'test_table_insert', 'db': 'default'},
{'name': 'test_db_select', 'db': 'test_db_select'},
]
def test_key_fn(obj):
if 'name' in obj and 'db' in obj:
return {'column': '', 'table': obj['name'], 'db': obj['db']}
else:
return None
filtered_set = self.checker.filter_objects(objects=objectSet, action=action, key=test_key_fn)
assert_equal(expectedSet, filtered_set, filtered_set)
def test_columns_select(self):
action = 'SELECT'
authorizableSet = [
# column-level SELECT privilege exists
{u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
# table-level SELECT privileges exists
{u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'},
# db-level SELECT privileges exist
{u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'},
# no privileges exist
{u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
{u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'},
{u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'}
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_columns_insert(self):
action = 'INSERT'
authorizableSet = [
# column-level ALL privilege exists
{u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
# column-level INSERT privileges exist
{u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
# SELECT, but not INSERT, privilege exists
{u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
# no privileges exist
{u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
{u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1'},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_tables_select(self):
action = 'SELECT'
authorizableSet = [
# table-level SELECT privileges exists
{u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'},
# table-level INSERT privileges exists
{u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'},
# db-level SELECT privileges exist
{u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'},
# no privileges exist
{u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'},
{u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'},
{u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'}
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_tables_insert(self):
action = 'INSERT'
authorizableSet = [
# table-level ALL privilege exists
{u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1'},
# table-level INSERT privileges exist
{u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'},
# SELECT, but not INSERT, privilege exists
{u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'},
# no privileges exist
{u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1'},
{u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_dbs_select(self):
action = 'SELECT'
authorizableSet = [
# db-level SELECT privileges exists
{u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'},
# db-level INSERT privileges exists
{u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'},
# no privileges exist
{u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'},
{u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_dbs_insert(self):
action = 'INSERT'
authorizableSet = [
# db-level ALL privilege exists
{u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1'},
# db-level INSERT privileges exist
{u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'},
# SELECT, but not INSERT, privilege exists
{u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'},
# no privileges exist
{u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1'},
{u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_collections_query(self):
action = 'QUERY'
authorizableSet = [
# ALL privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo'},
# UPDATE privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo'},
# QUERY privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo'},
# No privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo'},
{u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo'},
{u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'}
]
sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_collections_update(self):
action = 'UPDATE'
authorizableSet = [
# ALL privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo'},
# UPDATE privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo'},
# QUERY privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo'},
# No privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo'},
{u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'}
]
sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_config(self):
action = 'UPDATE'
authorizableSet = [
# ALL privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo'},
# No privilege
{u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'}
]
sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_uri(self):
action = 'UPDATE'
authorizableSet = [
# HDFS privilege
{u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid'},
# S3 privilege
{u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test'},
# No privilege
{u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none'},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action)
expected_filtered_set = [
{u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid'},
{u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test'}
]
sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name']
assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object):
def setUp(self):
self.client = make_logged_in_client(username="******",
groupname="test",
recreate=True,
is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = MockSentryApiV1()
self.api_v2 = MockSentryApiV2()
self.checker = PrivilegeChecker(user=self.user,
api_v1=self.api_v1,
api_v2=self.api_v2)
def test_to_sentry_authorizables(self):
objectSet = ['foo', 'bar', 'baz', 'boom']
expectedSet = [
('foo', {
'db': 'foo',
'server': 'server1'
}),
('bar', {
'db': 'bar',
'server': 'server1'
}),
('baz', {
'db': 'baz',
'server': 'server1'
}),
]
def test_key_fn(obj):
if obj != 'boom':
return {'db': obj}
else:
return None
authorizableSet = self.checker._to_sentry_authorizables(
objects=objectSet, key=test_key_fn)
assert_equal(expectedSet, authorizableSet, authorizableSet)
# Original list of objects should not be mutated
assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True))
def test_end_to_end(self):
action = 'SELECT'
objectSet = [{
'name': 'test_table_select',
'db': 'default'
}, {
'name': 'test_table_insert',
'db': 'default'
}, {
'name': 'test_db_select',
'db': 'test_db_select'
}, {
'name': 'test_none',
'db': 'default'
}, {
'name': 'invalid_object'
}]
expectedSet = [
{
'name': 'test_table_select',
'db': 'default'
},
{
'name': 'test_table_insert',
'db': 'default'
},
{
'name': 'test_db_select',
'db': 'test_db_select'
},
]
def test_key_fn(obj):
if 'name' in obj and 'db' in obj:
return {'column': '', 'table': obj['name'], 'db': obj['db']}
else:
return None
filtered_set = self.checker.filter_objects(objects=objectSet,
action=action,
key=test_key_fn)
assert_equal(expectedSet, list(filtered_set), list(filtered_set))
def test_columns_select(self):
action = 'SELECT'
authorizableSet = [
# column-level SELECT privilege exists
{
u'column': 'column_select',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# table-level SELECT privileges exists
{
u'column': 'id',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
},
# db-level SELECT privileges exist
{
u'column': 'id',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
},
# no privileges exist
{
u'column': 'id',
u'table': u'test_none',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'column': 'column_select',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
}, {
u'column': 'id',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
}, {
u'column': 'id',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
}]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_columns_insert(self):
action = 'INSERT'
authorizableSet = [
# column-level ALL privilege exists
{
u'column': 'column_all',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# column-level INSERT privileges exist
{
u'column': 'column_insert',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# SELECT, but not INSERT, privilege exists
{
u'column': 'column_select',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# no privileges exist
{
u'column': 'salary',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': 'column_all',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'column_insert',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_tables_select(self):
action = 'SELECT'
authorizableSet = [
# table-level SELECT privileges exists
{
u'column': '',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
},
# table-level INSERT privileges exists
{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
},
# db-level SELECT privileges exist
{
u'column': '',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'test_none',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
}, {
u'column': '',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
}, {
u'column': '',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
}]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_tables_insert(self):
action = 'INSERT'
authorizableSet = [
# table-level ALL privilege exists
{
u'column': '',
u'table': u'test_table_all',
u'db': u'default',
u'server': u'server1'
},
# table-level INSERT privileges exist
{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
},
# SELECT, but not INSERT, privilege exists
{
u'column': '',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': '',
u'table': u'test_table_all',
u'db': u'default',
u'server': u'server1'
},
{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_dbs_select(self):
action = 'SELECT'
authorizableSet = [
# db-level SELECT privileges exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_select',
u'server': u'server1'
},
# db-level INSERT privileges exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'',
u'db': u'test_db_none',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
{
u'column': '',
u'table': u'',
u'db': u'test_db_select',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_dbs_insert(self):
action = 'INSERT'
authorizableSet = [
# db-level ALL privilege exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_all',
u'server': u'server1'
},
# db-level INSERT privileges exist
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
# SELECT, but not INSERT, privilege exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_select',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'',
u'db': u'test_db_none',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': '',
u'table': u'',
u'db': u'test_db_all',
u'server': u'server1'
},
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_collections_query(self):
action = 'QUERY'
authorizableSet = [
# ALL privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'web_logs_demo'
},
# UPDATE privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'yelp_demo'
},
# QUERY privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'twitter_demo'
},
# No privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'test_demo'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'twitter_demo'
}, {
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'web_logs_demo'
}, {
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_collections_update(self):
action = 'UPDATE'
authorizableSet = [
# ALL privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'web_logs_demo'
},
# UPDATE privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'yelp_demo'
},
# QUERY privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'twitter_demo'
},
# No privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'test_demo'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'web_logs_demo'
}, {
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_config(self):
action = 'UPDATE'
authorizableSet = [
# ALL privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'yelp_demo'
},
# No privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'test_demo'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'CONFIG',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_uri(self):
action = 'UPDATE'
authorizableSet = [
# HDFS privilege
{
u'component': u'hdfs',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
},
# S3 privilege
{
u'component': u's3',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u's3a://hue-datasets/test'
},
# No privilege
{
u'component': u's3',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u's3a://hue-datasets/none'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'URI',
u'serviceName': u'server1',
u'component': u'hdfs',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
}, {
u'type': u'URI',
u'serviceName': u'server1',
u'component': u's3',
u'name': u's3a://hue-datasets/test'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object):
def setUp(self):
self.client = make_logged_in_client(username="******",
groupname="test",
recreate=True,
is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api_v1 = MockSentryApiV1()
self.api_v2 = MockSentryApiV2()
self.checker = PrivilegeChecker(user=self.user,
api_v1=self.api_v1,
api_v2=self.api_v2)
def test_to_sentry_authorizables(self):
objectSet = ['foo', 'bar', 'baz', 'boom']
expectedSet = [
{
'db': 'foo',
'server': 'server1'
},
{
'db': 'bar',
'server': 'server1'
},
{
'db': 'baz',
'server': 'server1'
},
]
def test_key_fn(obj):
if obj != 'boom':
return {'db': obj}
else:
return None
authorizableSet = self.checker._to_sentry_authorizables(
objects=objectSet, key=test_key_fn)
assert_equal(expectedSet, authorizableSet, authorizableSet)
# Original list of objects should not be mutated
assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True))
objectSet = [{
u'identity': u'9282adb88478c2ce4beb13dbba997ef5',
u'serDeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'sourceType': u'HIVE',
u'inputFormat': u'org.apache.hadoop.mapred.TextInputFormat',
u'created': u'2016-07-25T17: 22: 18.000Z',
u'sourceId': u'4fbdadc6899638782fc8cb626176dc7b',
u'tags': [u'asdf'],
u'deleted': False,
u'_version_': 1549818955715051520,
u'userEntity': False,
u'properties': {
u'1': u'2'
},
u'extractorRunId': u'4fbdadc6899638782fc8cb626176dc7b##1',
u'compressed': False,
u'parentPath': u'/default',
u'owner': u'admin',
u'originalName': u'sample_08',
u'type': u'TABLE',
u'lastAccessed': u'1970-01-01T00: 00: 00.000Z',
u'fileSystemPath':
u'hdfs: //hue-team-1.vpc.cloudera.com: 8020/user/hive/warehouse/sample_08',
u'internalType': u'hv_table'
}, {
u'serDeLibName':
u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe',
u'owner': u'admin',
u'fileSystemPath':
u'hdfs: //hue-team-1.vpc.cloudera.com: 8020/user/hive/warehouse/sample_07',
u'lastModifiedBy': u'admin',
u'_version_': 1550478188023382016,
u'type': u'TABLE',
u'internalType': u'hv_table',
u'sourceType': u'HIVE',
u'inputFormat': u'org.apache.hadoop.mapred.TextInputFormat',
u'tags': [u'hue-bugblitz', u'vvvvv', u'asdf', u'ffff'],
u'deleted': False,
u'userEntity': False,
u'originalDescription':
u'HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.\n\nHueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.',
u'compressed': False,
u'identity': u'ea27302e11370a3927ac11cbb920891d',
u'outputFormat':
u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat',
u'extractorRunId': u'4fbdadc6899638782fc8cb626176dc7b##8979',
u'created': u'2016-07-25T17: 22: 15.000Z',
u'sourceId': u'4fbdadc6899638782fc8cb626176dc7b',
u'lastModified': u'2016-09-28T16: 25: 07.000Z',
u'parentPath': u'/default',
u'originalName': u'sample_07',
u'lastAccessed': u'1970-01-01T00: 00: 00.000Z'
}]
expectedSet = [{
u'column': None,
u'table': u'sample_08',
u'db': u'default',
'server': 'server1'
}, {
u'column': None,
u'table': u'sample_07',
u'db': u'default',
'server': 'server1'
}]
def test_key_fn(obj):
return {
'column': None,
'table': obj.get('originalName'),
'db': obj.get('parentPath', '').strip('/')
}
authorizableSet = self.checker._to_sentry_authorizables(
objects=objectSet, key=test_key_fn)
assert_equal(expectedSet, authorizableSet, authorizableSet)
# Original list of objects should not be mutated
assert_true(all('server' not in obj for obj in objectSet))
assert_true(all('db' not in obj for obj in objectSet))
def test_columns_select(self):
action = 'SELECT'
authorizableSet = [
# column-level SELECT privilege exists
{
u'column': 'column_select',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# table-level SELECT privileges exists
{
u'column': 'id',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
},
# db-level SELECT privileges exist
{
u'column': 'id',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
},
# no privileges exist
{
u'column': 'id',
u'table': u'test_none',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'column': 'column_select',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
}, {
u'column': 'id',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
}, {
u'column': 'id',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
}]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_columns_insert(self):
action = 'INSERT'
authorizableSet = [
# column-level ALL privilege exists
{
u'column': 'column_all',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# column-level INSERT privileges exist
{
u'column': 'column_insert',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# SELECT, but not INSERT, privilege exists
{
u'column': 'column_select',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
# no privileges exist
{
u'column': 'salary',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': 'column_all',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'column_insert',
u'table': u'test_column',
u'db': u'default',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_tables_select(self):
action = 'SELECT'
authorizableSet = [
# table-level SELECT privileges exists
{
u'column': '',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
},
# table-level INSERT privileges exists
{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
},
# db-level SELECT privileges exist
{
u'column': '',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'test_none',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
}, {
u'column': '',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
}, {
u'column': '',
u'table': u'test_db_select',
u'db': u'test_db_select',
u'server': u'server1'
}]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_tables_insert(self):
action = 'INSERT'
authorizableSet = [
# table-level ALL privilege exists
{
u'column': '',
u'table': u'test_table_all',
u'db': u'default',
u'server': u'server1'
},
# table-level INSERT privileges exist
{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
},
# SELECT, but not INSERT, privilege exists
{
u'column': '',
u'table': u'test_table_select',
u'db': u'default',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': '',
u'table': u'test_table_all',
u'db': u'default',
u'server': u'server1'
},
{
u'column': '',
u'table': u'test_table_insert',
u'db': u'default',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_dbs_select(self):
action = 'SELECT'
authorizableSet = [
# db-level SELECT privileges exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_select',
u'server': u'server1'
},
# db-level INSERT privileges exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'',
u'db': u'test_db_none',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
{
u'column': '',
u'table': u'',
u'db': u'test_db_select',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_dbs_insert(self):
action = 'INSERT'
authorizableSet = [
# db-level ALL privilege exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_all',
u'server': u'server1'
},
# db-level INSERT privileges exist
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
# SELECT, but not INSERT, privilege exists
{
u'column': '',
u'table': u'',
u'db': u'test_db_select',
u'server': u'server1'
},
# no privileges exist
{
u'column': '',
u'table': u'',
u'db': u'test_db_none',
u'server': u'server1'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [
{
u'column': '',
u'table': u'',
u'db': u'test_db_all',
u'server': u'server1'
},
{
u'column': '',
u'table': u'',
u'db': u'test_db_insert',
u'server': u'server1'
},
]
sort_keys = ['server', 'db', 'table', 'column', 'URI']
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_collections_query(self):
action = 'QUERY'
authorizableSet = [
# ALL privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'web_logs_demo'
},
# UPDATE privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'yelp_demo'
},
# QUERY privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'twitter_demo'
},
# No privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'test_demo'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'twitter_demo'
}, {
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'web_logs_demo'
}, {
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_collections_update(self):
action = 'UPDATE'
authorizableSet = [
# ALL privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'web_logs_demo'
},
# UPDATE privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'yelp_demo'
},
# QUERY privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'twitter_demo'
},
# No privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'COLLECTION',
u'name': u'test_demo'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'web_logs_demo'
}, {
u'type': u'COLLECTION',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_config(self):
action = 'UPDATE'
authorizableSet = [
# ALL privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'yelp_demo'
},
# No privilege
{
u'component': u'solr',
u'serviceName': u'server1',
u'type': u'CONFIG',
u'name': u'test_demo'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'CONFIG',
u'serviceName': u'server1',
u'component': u'solr',
u'name': u'yelp_demo'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
def test_uri(self):
action = 'UPDATE'
authorizableSet = [
# HDFS privilege
{
u'component': u'hdfs',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
},
# S3 privilege
{
u'component': u's3',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u's3a://hue-datasets/test'
},
# No privilege
{
u'component': u's3',
u'serviceName': u'server1',
u'type': u'URI',
u'name': u's3a://hue-datasets/none'
},
]
filtered_set = self.checker.filter_objects(objects=authorizableSet,
action=action)
expected_filtered_set = [{
u'type': u'URI',
u'serviceName': u'server1',
u'component': u'hdfs',
u'name': u'hdfs://ha-nn-uri/data/landing-skid'
}, {
u'type': u'URI',
u'serviceName': u'server1',
u'component': u's3',
u'name': u's3a://hue-datasets/test'
}]
sort_keys = [
'server', 'db', 'table', 'column', 'URI', 'serviceName',
'component', 'type', 'name'
]
assert_equal(
expected_filtered_set,
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])),
sorted(filtered_set,
key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestDocumentConverter(object):
def setUp(self):
self.client = make_logged_in_client(username="******",
groupname="test",
recreate=True,
is_superuser=False)
self.user = User.objects.get(username="******")
grant_access("test", "test", "libsentry")
self.api = get_api(self.user)
self.checker = PrivilegeChecker(user=self.user, api=self.api)
def test_select_privilege(self):
try:
from mock import Mock
except ImportError:
raise SkipTest("Skips until HUE-2947 is resolved")
action = 'SELECT'
authorizableSet = [
{
u'column': None,
u'table': u'customers',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'web_logs',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'salary',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'code',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_07',
u'db': u'default',
u'server': u'server1'
},
]
self.api.list_sentry_roles_by_group = Mock(
return_value=[{
'name': 'test',
'group': 'test'
}])
self.api.list_sentry_privileges_by_role = Mock(
return_value=[{
'column': 'total_emp',
'grantOption': False,
'timestamp': 1478810635378,
'database': 'default',
'action': 'INSERT',
'scope': 'COLUMN',
'table': 'sample_08',
'URI': '',
'server': 'server1'
}, {
'column': '',
'grantOption': False,
'timestamp': 1478810422058,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'customers',
'URI': '',
'server': 'server1'
}, {
'column': '',
'grantOption': False,
'timestamp': 1478810513849,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'web_logs',
'URI': '',
'server': 'server1'
}, {
'column': '',
'grantOption': False,
'timestamp': 1478810590335,
'database': 'default',
'action': 'SELECT',
'scope': 'TABLE',
'table': 'sample_08',
'URI': '',
'server': 'server1'
}, {
'column': 'salary',
'grantOption': False,
'timestamp': 1478810635396,
'database': 'default',
'action': 'ALL',
'scope': 'COLUMN',
'table': 'sample_08',
'URI': '',
'server': 'server1'
}])
filtered_set = self.checker.filter_objects(
authorizableSet=authorizableSet, action=action)
expected_filtered_set = [
{
u'column': None,
u'table': u'customers',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'code',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'salary',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': 'total_emp',
u'table': u'sample_08',
u'db': u'default',
u'server': u'server1'
},
{
u'column': None,
u'table': u'web_logs',
u'db': u'default',
u'server': u'server1'
},
]
assert_equal(
expected_filtered_set,
sorted(filtered_set, key=lambda obj:
(obj['table'], obj['column'])))
