class TestPrivilegeChecker(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_to_sentry_authorizables(self): objectSet = ['foo', 'bar', 'baz', 'boom'] expectedSet = [ ('foo', { 'db': 'foo', 'server': 'server1' }), ('bar', { 'db': 'bar', 'server': 'server1' }), ('baz', { 'db': 'baz', 'server': 'server1' }), ] def test_key_fn(obj): if obj != 'boom': return {'db': obj} else: return None authorizableSet = self.checker._to_sentry_authorizables( objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True)) def test_end_to_end(self): action = 'SELECT' objectSet = [{ 'name': 'test_table_select', 'db': 'default' }, { 'name': 'test_table_insert', 'db': 'default' }, { 'name': 'test_db_select', 'db': 'test_db_select' }, { 'name': 'test_none', 'db': 'default' }, { 'name': 'invalid_object' }] expectedSet = [ { 'name': 'test_table_select', 'db': 'default' }, { 'name': 'test_table_insert', 'db': 'default' }, { 'name': 'test_db_select', 'db': 'test_db_select' }, ] def test_key_fn(obj): if 'name' in obj and 'db' in obj: return {'column': '', 'table': obj['name'], 'db': obj['db']} else: return None filtered_set = self.checker.filter_objects(objects=objectSet, action=action, key=test_key_fn) assert_equal(expectedSet, list(filtered_set), list(filtered_set)) def test_columns_select(self): action = 'SELECT' authorizableSet = [ # column-level SELECT privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # table-level SELECT privileges exists { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_columns_insert(self): action = 'INSERT' authorizableSet = [ # column-level ALL privilege exists { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # column-level INSERT privileges exist { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_select(self): action = 'SELECT' authorizableSet = [ # table-level SELECT privileges exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exists { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_insert(self): action = 'INSERT' authorizableSet = [ # table-level ALL privilege exists { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exist { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_select(self): action = 'SELECT' authorizableSet = [ # db-level SELECT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # db-level INSERT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_insert(self): action = 'INSERT' authorizableSet = [ # db-level ALL privilege exists { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, # db-level INSERT privileges exist { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_query(self): action = 'QUERY' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_update(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_config(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_uri(self): action = 'UPDATE' authorizableSet = [ # HDFS privilege { u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, # S3 privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test' }, # No privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_to_sentry_authorizables(self): objectSet = ['foo', 'bar', 'baz', 'boom'] expectedSet = [ ('foo', {'db': 'foo', 'server': 'server1'}), ('bar', {'db': 'bar', 'server': 'server1'}), ('baz', {'db': 'baz', 'server': 'server1'}), ] def test_key_fn(obj): if obj != 'boom': return {'db': obj} else: return None authorizableSet = self.checker._to_sentry_authorizables(objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True)) def test_end_to_end(self): action = 'SELECT' objectSet = [ {'name': 'test_table_select', 'db': 'default'}, {'name': 'test_table_insert', 'db': 'default'}, {'name': 'test_db_select', 'db': 'test_db_select'}, {'name': 'test_none', 'db': 'default'}, {'name': 'invalid_object'} ] expectedSet = [ {'name': 'test_table_select', 'db': 'default'}, {'name': 'test_table_insert', 'db': 'default'}, {'name': 'test_db_select', 'db': 'test_db_select'}, ] def test_key_fn(obj): if 'name' in obj and 'db' in obj: return {'column': '', 'table': obj['name'], 'db': obj['db']} else: return None filtered_set = self.checker.filter_objects(objects=objectSet, action=action, key=test_key_fn) assert_equal(expectedSet, filtered_set, filtered_set) def test_columns_select(self): action = 'SELECT' authorizableSet = [ # column-level SELECT privilege exists {u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # table-level SELECT privileges exists {u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, # db-level SELECT privileges exist {u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'}, # no privileges exist {u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, {u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, {u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_columns_insert(self): action = 'INSERT' authorizableSet = [ # column-level ALL privilege exists {u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # column-level INSERT privileges exist {u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # SELECT, but not INSERT, privilege exists {u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, # no privileges exist {u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, {u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_select(self): action = 'SELECT' authorizableSet = [ # table-level SELECT privileges exists {u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, # table-level INSERT privileges exists {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, # db-level SELECT privileges exist {u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, {u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, {u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_insert(self): action = 'INSERT' authorizableSet = [ # table-level ALL privilege exists {u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1'}, # table-level INSERT privileges exist {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, # SELECT, but not INSERT, privilege exists {u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1'}, {u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_select(self): action = 'SELECT' authorizableSet = [ # db-level SELECT privileges exists {u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'}, # db-level INSERT privileges exists {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, {u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_insert(self): action = 'INSERT' authorizableSet = [ # db-level ALL privilege exists {u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1'}, # db-level INSERT privileges exist {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, # SELECT, but not INSERT, privilege exists {u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1'}, # no privileges exist {u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1'}, {u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1'}, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_query(self): action = 'QUERY' authorizableSet = [ # ALL privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo'}, # UPDATE privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo'}, # QUERY privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo'}, # No privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo'}, {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo'}, {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_update(self): action = 'UPDATE' authorizableSet = [ # ALL privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo'}, # UPDATE privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo'}, # QUERY privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo'}, # No privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo'}, {u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_config(self): action = 'UPDATE' authorizableSet = [ # ALL privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo'}, # No privilege {u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_uri(self): action = 'UPDATE' authorizableSet = [ # HDFS privilege {u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid'}, # S3 privilege {u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test'}, # No privilege {u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none'}, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ {u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid'}, {u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test'} ] sort_keys = ['server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name'] assert_equal(expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))
class TestPrivilegeChecker(object): def setUp(self): self.client = make_logged_in_client(username="******", groupname="test", recreate=True, is_superuser=False) self.user = User.objects.get(username="******") grant_access("test", "test", "libsentry") self.api_v1 = MockSentryApiV1() self.api_v2 = MockSentryApiV2() self.checker = PrivilegeChecker(user=self.user, api_v1=self.api_v1, api_v2=self.api_v2) def test_to_sentry_authorizables(self): objectSet = ['foo', 'bar', 'baz', 'boom'] expectedSet = [ { 'db': 'foo', 'server': 'server1' }, { 'db': 'bar', 'server': 'server1' }, { 'db': 'baz', 'server': 'server1' }, ] def test_key_fn(obj): if obj != 'boom': return {'db': obj} else: return None authorizableSet = self.checker._to_sentry_authorizables( objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(['bar', 'baz', 'foo'], sorted(objectSet, reverse=True)) objectSet = [{ u'identity': u'9282adb88478c2ce4beb13dbba997ef5', u'serDeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'sourceType': u'HIVE', u'inputFormat': u'org.apache.hadoop.mapred.TextInputFormat', u'created': u'2016-07-25T17: 22: 18.000Z', u'sourceId': u'4fbdadc6899638782fc8cb626176dc7b', u'tags': [u'asdf'], u'deleted': False, u'_version_': 1549818955715051520, u'userEntity': False, u'properties': { u'1': u'2' }, u'extractorRunId': u'4fbdadc6899638782fc8cb626176dc7b##1', u'compressed': False, u'parentPath': u'/default', u'owner': u'admin', u'originalName': u'sample_08', u'type': u'TABLE', u'lastAccessed': u'1970-01-01T00: 00: 00.000Z', u'fileSystemPath': u'hdfs: //hue-team-1.vpc.cloudera.com: 8020/user/hive/warehouse/sample_08', u'internalType': u'hv_table' }, { u'serDeLibName': u'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe', u'owner': u'admin', u'fileSystemPath': u'hdfs: //hue-team-1.vpc.cloudera.com: 8020/user/hive/warehouse/sample_07', u'lastModifiedBy': u'admin', u'_version_': 1550478188023382016, u'type': u'TABLE', u'internalType': u'hv_table', u'sourceType': u'HIVE', u'inputFormat': u'org.apache.hadoop.mapred.TextInputFormat', u'tags': [u'hue-bugblitz', u'vvvvv', u'asdf', u'ffff'], u'deleted': False, u'userEntity': False, u'originalDescription': u'HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.\n\nHueisaWebinterfaceforanalyzingdatawithApacheHadoop.HueisaWebinterfaceforanalyzingdatawithApacheHadoop.', u'compressed': False, u'identity': u'ea27302e11370a3927ac11cbb920891d', u'outputFormat': u'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat', u'extractorRunId': u'4fbdadc6899638782fc8cb626176dc7b##8979', u'created': u'2016-07-25T17: 22: 15.000Z', u'sourceId': u'4fbdadc6899638782fc8cb626176dc7b', u'lastModified': u'2016-09-28T16: 25: 07.000Z', u'parentPath': u'/default', u'originalName': u'sample_07', u'lastAccessed': u'1970-01-01T00: 00: 00.000Z' }] expectedSet = [{ u'column': None, u'table': u'sample_08', u'db': u'default', 'server': 'server1' }, { u'column': None, u'table': u'sample_07', u'db': u'default', 'server': 'server1' }] def test_key_fn(obj): return { 'column': None, 'table': obj.get('originalName'), 'db': obj.get('parentPath', '').strip('/') } authorizableSet = self.checker._to_sentry_authorizables( objects=objectSet, key=test_key_fn) assert_equal(expectedSet, authorizableSet, authorizableSet) # Original list of objects should not be mutated assert_true(all('server' not in obj for obj in objectSet)) assert_true(all('db' not in obj for obj in objectSet)) def test_columns_select(self): action = 'SELECT' authorizableSet = [ # column-level SELECT privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # table-level SELECT privileges exists { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': 'id', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': 'id', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_columns_insert(self): action = 'INSERT' authorizableSet = [ # column-level ALL privilege exists { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # column-level INSERT privileges exist { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': 'column_select', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': 'salary', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': 'column_all', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, { u'column': 'column_insert', u'table': u'test_column', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_select(self): action = 'SELECT' authorizableSet = [ # table-level SELECT privileges exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exists { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # db-level SELECT privileges exist { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'test_none', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_db_select', u'db': u'test_db_select', u'server': u'server1' }] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_tables_insert(self): action = 'INSERT' authorizableSet = [ # table-level ALL privilege exists { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, # table-level INSERT privileges exist { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'test_table_select', u'db': u'default', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'sample_07', u'db': u'default', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'test_table_all', u'db': u'default', u'server': u'server1' }, { u'column': '', u'table': u'test_table_insert', u'db': u'default', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_select(self): action = 'SELECT' authorizableSet = [ # db-level SELECT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # db-level INSERT privileges exists { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_dbs_insert(self): action = 'INSERT' authorizableSet = [ # db-level ALL privilege exists { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, # db-level INSERT privileges exist { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, # SELECT, but not INSERT, privilege exists { u'column': '', u'table': u'', u'db': u'test_db_select', u'server': u'server1' }, # no privileges exist { u'column': '', u'table': u'', u'db': u'test_db_none', u'server': u'server1' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [ { u'column': '', u'table': u'', u'db': u'test_db_all', u'server': u'server1' }, { u'column': '', u'table': u'', u'db': u'test_db_insert', u'server': u'server1' }, ] sort_keys = ['server', 'db', 'table', 'column', 'URI'] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_query(self): action = 'QUERY' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'twitter_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_collections_update(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'web_logs_demo' }, # UPDATE privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'yelp_demo' }, # QUERY privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'twitter_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'COLLECTION', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'web_logs_demo' }, { u'type': u'COLLECTION', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_config(self): action = 'UPDATE' authorizableSet = [ # ALL privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'yelp_demo' }, # No privilege { u'component': u'solr', u'serviceName': u'server1', u'type': u'CONFIG', u'name': u'test_demo' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'CONFIG', u'serviceName': u'server1', u'component': u'solr', u'name': u'yelp_demo' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys]))) def test_uri(self): action = 'UPDATE' authorizableSet = [ # HDFS privilege { u'component': u'hdfs', u'serviceName': u'server1', u'type': u'URI', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, # S3 privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/test' }, # No privilege { u'component': u's3', u'serviceName': u'server1', u'type': u'URI', u'name': u's3a://hue-datasets/none' }, ] filtered_set = self.checker.filter_objects(objects=authorizableSet, action=action) expected_filtered_set = [{ u'type': u'URI', u'serviceName': u'server1', u'component': u'hdfs', u'name': u'hdfs://ha-nn-uri/data/landing-skid' }, { u'type': u'URI', u'serviceName': u'server1', u'component': u's3', u'name': u's3a://hue-datasets/test' }] sort_keys = [ 'server', 'db', 'table', 'column', 'URI', 'serviceName', 'component', 'type', 'name' ] assert_equal( expected_filtered_set, sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])), sorted(filtered_set, key=lambda obj: ([obj.get(key) for key in sort_keys])))