sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shreepa...@apache.org
Subject [1/2] SENTRY-129: Implement Hive Sentry Authz DDL Task Factory (Brock Noland via Shreepadma Venugopalan)
Date Tue, 18 Mar 2014 23:30:08 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master fbf042e66 -> 63c134f36


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
index c4a0fd4..22f31cd 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
@@ -26,6 +26,7 @@ import javax.security.sasl.AuthorizeCallback;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 
 public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
 
@@ -54,12 +55,12 @@ public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler
{
   }
 
   boolean allowConnect(String principal) {
-    String allowedPrincipals = conf.get("sentry.service.allow.connect");
+    String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
     if (allowedPrincipals == null) {
       return false;
     }
     List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
-    for (String item:items) {
+    for (String item : items) {
       if(comparePrincipals(item, principal)) {
         return true;
       }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
index fbb0eef..bebaf0d 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
@@ -52,6 +52,7 @@ import org.apache.thrift.server.TThreadPoolServer;
 import org.apache.thrift.transport.TSaslServerTransport;
 import org.apache.thrift.transport.TServerSocket;
 import org.apache.thrift.transport.TServerTransport;
+import org.apache.thrift.transport.TTransportFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -71,6 +72,7 @@ public class SentryService implements Runnable {
   private final InetSocketAddress address;
   private final int maxThreads;
   private final int minThreads;
+  private boolean kerberos;
   private final String principal;
   private final String[] principalParts;
   private final String keytab;
@@ -90,20 +92,28 @@ public class SentryService implements Runnable {
         conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT),
         port);
     LOGGER.info("Configured on address " + address);
+    kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
+        conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
     maxThreads = conf.getInt(ServerConfig.RPC_MAX_THREADS,
         ServerConfig.RPC_MAX_THREADS_DEFAULT);
     minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
         ServerConfig.RPC_MIN_THREADS_DEFAULT);
-    principal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
-        ServerConfig.PRINCIPAL + " is required");
-    principalParts = SaslRpcServer.splitKerberosName(principal);
-    Preconditions.checkArgument(principalParts.length == 3,
-        "Kerberos principal should have 3 parts: " + principal);
-    keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
-        ServerConfig.KEY_TAB + " is required");
-    File keytabFile = new File(keytab);
-    Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
-        "Keytab " + keytab + " does not exist or is not readable.");
+    if (kerberos) {
+      principal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
+          ServerConfig.PRINCIPAL + " is required");
+      principalParts = SaslRpcServer.splitKerberosName(principal);
+      Preconditions.checkArgument(principalParts.length == 3,
+          "Kerberos principal should have 3 parts: " + principal);
+      keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
+          ServerConfig.KEY_TAB + " is required");
+      File keytabFile = new File(keytab);
+      Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
+          "Keytab " + keytab + " does not exist or is not readable.");
+    } else {
+      principal = null;
+      principalParts = null;
+      keytab = null;
+    }
     serviceExecutor = Executors.newSingleThreadExecutor(new ThreadFactory() {
       private int count = 0;
 
@@ -120,60 +130,24 @@ public class SentryService implements Runnable {
   public void run() {
     LoginContext loginContext = null;
     try {
-      Subject subject = new Subject(false,
-          Sets.newHashSet(new KerberosPrincipal(principal)),
-          new HashSet<Object>(), new HashSet<Object>());
-      loginContext = new LoginContext("", subject, null,
-          KerberosConfiguration.createClientConfig(principal, new File(keytab)));
-      loginContext.login();
-      subject = loginContext.getSubject();
-      Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
-        @Override
-        public Void run() throws Exception {
-          Iterable<String> processorFactories = ConfUtilties.CLASS_SPLITTER
-              .split(conf.get(ServerConfig.PROCESSOR_FACTORIES,
-                  ServerConfig.PROCESSOR_FACTORIES_DEFAULT).trim());
-          TMultiplexedProcessor processor = new TMultiplexedProcessor();
-          boolean registeredProcessor = false;
-          for (String processorFactory : processorFactories) {
-            Class<?> clazz = conf.getClassByName(processorFactory);
-            if (!ProcessorFactory.class.isAssignableFrom(clazz)) {
-              throw new IllegalArgumentException("Processor Factory "
-                  + processorFactory + " is not a "
-                  + ProcessorFactory.class.getName());
-            }
-            try {
-              Constructor<?> constructor = clazz
-                  .getConstructor(Configuration.class);
-              ProcessorFactory factory = (ProcessorFactory) constructor
-                  .newInstance(conf);
-              registeredProcessor = registeredProcessor
-                  || factory.register(processor);
-            } catch (Exception e) {
-              throw new IllegalStateException("Could not create "
-                  + processorFactory, e);
-            }
+      if (kerberos) {
+        Subject subject = new Subject(false,
+            Sets.newHashSet(new KerberosPrincipal(principal)),
+            new HashSet<Object>(), new HashSet<Object>());
+        loginContext = new LoginContext("", subject, null,
+            KerberosConfiguration.createClientConfig(principal, new File(keytab)));
+        loginContext.login();
+        subject = loginContext.getSubject();
+        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            runServer();
+            return null;
           }
-          if (!registeredProcessor) {
-            throw new IllegalStateException(
-                "Failed to register any processors from " + processorFactories);
-          }
-          TServerTransport serverTransport = new TServerSocket(address);
-          TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
-          saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS
-              .getMechanismName(), principalParts[0], principalParts[1],
-              ServerConfig.SASL_PROPERTIES, new GSSCallback(conf));
-          TThreadPoolServer.Args args = new TThreadPoolServer.Args(
-              serverTransport).processor(processor)
-              .transportFactory(saslTransportFactory)
-              .protocolFactory(new TBinaryProtocol.Factory())
-              .minWorkerThreads(minThreads).maxWorkerThreads(maxThreads);
-          thriftServer = new TThreadPoolServer(args);
-          LOGGER.info("Serving on " + address);
-          thriftServer.serve();
-          return null;
-        }
-      });
+        });
+      } else {
+        runServer();
+      }
     } catch (Throwable t) {
       LOGGER.error("Error starting server", t);
     } finally {
@@ -188,6 +162,56 @@ public class SentryService implements Runnable {
     }
   }
 
+  private void runServer() throws Exception {
+    Iterable<String> processorFactories = ConfUtilties.CLASS_SPLITTER
+        .split(conf.get(ServerConfig.PROCESSOR_FACTORIES,
+            ServerConfig.PROCESSOR_FACTORIES_DEFAULT).trim());
+    TMultiplexedProcessor processor = new TMultiplexedProcessor();
+    boolean registeredProcessor = false;
+    for (String processorFactory : processorFactories) {
+      Class<?> clazz = conf.getClassByName(processorFactory);
+      if (!ProcessorFactory.class.isAssignableFrom(clazz)) {
+        throw new IllegalArgumentException("Processor Factory "
+            + processorFactory + " is not a "
+            + ProcessorFactory.class.getName());
+      }
+      try {
+        Constructor<?> constructor = clazz
+            .getConstructor(Configuration.class);
+        ProcessorFactory factory = (ProcessorFactory) constructor
+            .newInstance(conf);
+        registeredProcessor = registeredProcessor
+            || factory.register(processor);
+      } catch (Exception e) {
+        throw new IllegalStateException("Could not create "
+            + processorFactory, e);
+      }
+    }
+    if (!registeredProcessor) {
+      throw new IllegalStateException(
+          "Failed to register any processors from " + processorFactories);
+    }
+    TServerTransport serverTransport = new TServerSocket(address);
+    TTransportFactory transportFactory = null;
+    if (kerberos) {
+      TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
+      saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS
+          .getMechanismName(), principalParts[0], principalParts[1],
+          ServerConfig.SASL_PROPERTIES, new GSSCallback(conf));
+      transportFactory = saslTransportFactory;
+    } else {
+      transportFactory = new TTransportFactory();
+    }
+    TThreadPoolServer.Args args = new TThreadPoolServer.Args(
+        serverTransport).processor(processor)
+        .transportFactory(transportFactory)
+        .protocolFactory(new TBinaryProtocol.Factory())
+        .minWorkerThreads(minThreads).maxWorkerThreads(maxThreads);
+    thriftServer = new TThreadPoolServer(args);
+    LOGGER.info("Serving on " + address);
+    thriftServer.serve();
+  }
+
   public InetSocketAddress getAddress() {
     return address;
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 59cb456..1b36690 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -45,6 +45,13 @@ public class ServiceConstants {
   }
   public static class ServerConfig {
     public static final ImmutableMap<String, String> SASL_PROPERTIES = ServiceConstants.SASL_PROPERTIES;
+    /**
+     * This configuration parameter is only meant to be used for testing purposes.
+     */
+    public static final String SECURITY_MODE = "sentry.service.security.mode";
+    public static final String SECURITY_MODE_KERBEROS = "kerberos";
+    public static final String SECURITY_MODE_NONE = "none";
+    public static final String ADMIN_GROUPS = "sentry.service.admin.group";
     public static final String PRINCIPAL = "sentry.service.server.principal";
     public static final String KEY_TAB = "sentry.service.server.keytab";
     public static final String RPC_PORT = "sentry.service.server.rpc-port";

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
index e1549ca..c167837 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
@@ -23,6 +23,7 @@ import java.io.StringWriter;
 import javax.annotation.Nullable;
 
 import org.apache.sentry.SentryUserException;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
 import org.apache.sentry.provider.db.SentryInvalidInputException;
 import org.apache.sentry.provider.db.SentryNoSuchObjectException;
@@ -37,6 +38,7 @@ public enum Status {
   NO_SUCH_OBJECT(ThriftConstants.TSENTRY_STATUS_NO_SUCH_OBJECT),
   RUNTIME_ERROR(ThriftConstants.TSENTRY_STATUS_RUNTIME_ERROR),
   INVALID_INPUT(ThriftConstants.TSENTRY_STATUS_INVALID_INPUT),
+  ACCESS_DENIED(ThriftConstants.TSENTRY_STATUS_ACCESS_DENIED),
   UNKNOWN(-1)
   ;
   private int code;
@@ -57,6 +59,9 @@ public enum Status {
   public static TSentryResponseStatus OK() {
     return Create(Status.OK, "");
   }
+  public static TSentryResponseStatus AccessDenied(String message, Throwable t) {
+    return Create(Status.ACCESS_DENIED, message, t);
+  }
   public static TSentryResponseStatus AlreadyExists(String message, Throwable t) {
     return Create(Status.ALREADY_EXISTS, message, t);
   }
@@ -99,6 +104,8 @@ public enum Status {
       throw new RuntimeException(serverErrorToString(thriftStatus));
     case INVALID_INPUT:
       throw new SentryInvalidInputException(serverErrorToString(thriftStatus));
+    case ACCESS_DENIED:
+      throw new SentryAccessDeniedException(serverErrorToString(thriftStatus));
     case UNKNOWN:
       throw new AssertionError(serverErrorToString(thriftStatus));
     default:

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
b/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
index 7a545be..9456274 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
@@ -31,6 +31,7 @@ const i32 TSENTRY_STATUS_ALREADY_EXISTS = 1;
 const i32 TSENTRY_STATUS_NO_SUCH_OBJECT = 2;
 const i32 TSENTRY_STATUS_RUNTIME_ERROR = 3;
 const i32 TSENTRY_STATUS_INVALID_INPUT = 4;
+const i32 TSENTRY_STATUS_ACCESS_DENIED = 5;
 
 struct TSentryResponseStatus {
 1: required i32 value,

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
new file mode 100644
index 0000000..81a9ea4
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+
+public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase {
+
+  @Override
+  public void beforeSetup() throws Exception {
+    this.kerberos = false;
+  }
+
+  @Test
+  public void testCreateRole() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    String roleName = "admin_r";
+    client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName);
+    client.createRole(requestorUserName, requestorUserGroupNames, roleName);
+    client.dropRole(requestorUserName, requestorUserGroupNames, roleName);
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
index a4643bf..b97db4b 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
@@ -25,11 +25,17 @@ import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
+import com.google.common.base.Strings;
 
+public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
+  private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+  private static final String PEER_CALLBACK_FAILURE = "Peer indicated failure: Problem with
callback handler";
   @Before @Override
   public void setup() throws Exception {
+    this.kerberos = true;
     beforeSetup();
     setupConf();
     conf.set(ServerConfig.ALLOW_CONNECT, "");
@@ -37,9 +43,21 @@ public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase
{
     afterSetup();
   }
 
-  @Test(expected = PrivilegedActionException.class)
+  @Test
   public void testClientServerConnectionFailure()  throws Exception {
-    connectToSentryService();
-    Assert.fail("Failed to receive Exception");
+    try {
+      connectToSentryService();
+      Assert.fail("Failed to receive Exception");
+    } catch(PrivilegedActionException e) {
+      LOGGER.info("Excepted exception", e);
+      Exception cause = e.getException();
+      if (cause == null) {
+        throw e;
+      }
+      String msg = "Exception message: " + cause.getMessage() + " to contain " +
+          PEER_CALLBACK_FAILURE;
+      Assert.assertTrue(msg, Strings.nullToEmpty(cause.getMessage())
+          .contains(PEER_CALLBACK_FAILURE));
+    }
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index aa1e860..dcaa246 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -36,8 +36,8 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase
{
 
   @Test
   public void testCreateRole() throws Exception {
-    String requestorUserName = "user_1";
-    Set<String> requestorUserGroupNames = new HashSet<String>();
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     String roleName = "admin_r";
 
     client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName);
@@ -58,8 +58,8 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase
{
   @Test
   public void testGrantRevokePrivilege() throws Exception {
     String server = "server1";
-    String requestorUserName = "server_admin";
-    Set<String> requestorUserGroupNames = new HashSet<String>();
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     String roleName = "admin_testdb";
     String db = "testDB";
     String group = "group1";

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index ee5ca69..61bad23 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -58,6 +58,8 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
   protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
   protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
   protected static final String CLIENT_KERBEROS_NAME = "hive/" + SERVER_HOST + "@" + REALM;
+  protected static final String ADMIN_USER = "admin_user";
+  protected static final String ADMIN_GROUP = "admin_group";
 
   protected SentryService server;
   protected SentryPolicyServiceClient client;
@@ -68,10 +70,12 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
   protected File clientKeytab;
   protected Subject clientSubject;
   protected LoginContext clientLoginContext;
+  protected boolean kerberos;
   protected final Configuration conf = new Configuration(false);
 
   @Before
   public void setup() throws Exception {
+    this.kerberos = true;
     beforeSetup();
     setupConf();
     startSentryService();
@@ -91,18 +95,23 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
   }
 
   public void setupConf() throws Exception {
-    kdc = getKdc();
-    kdcWorkDir = getWorkDir();
-    serverKeytab = new File(kdcWorkDir, "server.keytab");
-    clientKeytab = new File(kdcWorkDir, "client.keytab");
-    kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
-    kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
-
-    conf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_NAME);
-    conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
+    if (kerberos) {
+      kdc = getKdc();
+      kdcWorkDir = getWorkDir();
+      serverKeytab = new File(kdcWorkDir, "server.keytab");
+      clientKeytab = new File(kdcWorkDir, "client.keytab");
+      kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
+      kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
+      conf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_NAME);
+      conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
+      conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
+    } else {
+      LOGGER.info("Stopped KDC");
+      conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+    }
+    conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
     conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
     conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
-    conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
     dbDir = new File(Files.createTempDir(), "sentry_policy_db");
     conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
         "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
@@ -114,19 +123,24 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
   public void connectToSentryService() throws Exception {
     // The client should already be logged in when running in hive/impala/solr
     // therefore we must manually login in the integration tests
-    clientSubject = new Subject(false, Sets.newHashSet(
-                                  new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(),
-                                new HashSet<Object>());
-    clientLoginContext = new LoginContext("", clientSubject, null,
-                                          KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME,
clientKeytab));
-    clientLoginContext.login();
-    clientSubject = clientLoginContext.getSubject();
-    client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryPolicyServiceClient>()
{
-      @Override
-      public SentryPolicyServiceClient run() throws Exception {
-        return new SentryServiceClientFactory().create(conf);
-      }
-    });
+    final SentryServiceClientFactory factory = new SentryServiceClientFactory();
+    if (kerberos) {
+      clientSubject = new Subject(false, Sets.newHashSet(
+          new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(),
+        new HashSet<Object>());
+      clientLoginContext = new LoginContext("", clientSubject, null,
+          KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab));
+      clientLoginContext.login();
+      clientSubject = clientLoginContext.getSubject();
+      client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryPolicyServiceClient>()
{
+        @Override
+        public SentryPolicyServiceClient run() throws Exception {
+          return factory.create(conf);
+        }
+      });
+    } else {
+      client = factory.create(conf);
+    }
   }
 
   @After

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index 9fcebbb..e7f69ac 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -107,10 +107,6 @@ public class SimpleFileProviderBackend implements ProviderBackend {
   private boolean allowPerDatabaseSection;
   private volatile boolean initialized;
 
-  public SimpleFileProviderBackend(String resourcePath) throws IOException {
-    this(new Configuration(), new Path(resourcePath));
-  }
-
   public SimpleFileProviderBackend(Configuration conf, String resourcePath) throws IOException
{
     this(conf, new Path(resourcePath));
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
index df5acdc..cd203cd 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
@@ -25,6 +25,7 @@ import java.io.IOException;
 import java.util.HashSet;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.junit.After;
@@ -46,7 +47,8 @@ public class TestSimpleFileProvderBackend {
   public void setup() throws IOException {
     baseDir = Files.createTempDir();
     PolicyFiles.copyToDir(baseDir, resourcePath);
-    backend = new SimpleFileProviderBackend(new File(baseDir, resourcePath).toString());
+    backend = new SimpleFileProviderBackend(new Configuration(), new File(baseDir, resourcePath)
+      .toString());
     context = new ProviderBackendContext();
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index 2b00d16..7a2c6be 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -195,6 +195,11 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-db</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-file</artifactId>
       <scope>test</scope>
     </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
index 4f7dd2d..99ca16e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
@@ -34,11 +34,13 @@ import java.util.Set;
 import junit.framework.Assert;
 
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Charsets;
+import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 
@@ -48,7 +50,7 @@ public class Context {
       .getLogger(Context.class);
 
   public static final String AUTHZ_EXCEPTION_SQL_STATE = "42000";
-  public static final String AUTHZ_EXEC_HOOK_EXCEPTION_SQL_STATE = "08S01";
+  public static final String AUTHZ_LINK_FAILURE_SQL_STATE = "08S01";
   public static final String AUTHZ_EXCEPTION_ERROR_MSG = "No valid privileges";
 
   private final HiveServer hiveServer;
@@ -169,6 +171,18 @@ public class Context {
     }
   }
 
+  public void assertSentryServiceAccessDenied(Statement statement, String query)
+      throws SQLException {
+    try {
+      statement.execute(query);
+      Assert.fail("Expected SQLException for '" + query + "'");
+    } catch (SQLException e) {
+      verifyAuthzExceptionForState(e, AUTHZ_LINK_FAILURE_SQL_STATE);
+      Assert.assertTrue("Expected SentryAccessDeniedException in " + e.getMessage(),
+          Strings.nullToEmpty(e.getMessage()).contains(SentryAccessDeniedException.class
+              .getSimpleName()));
+    }
+  }
 
   // verify that the sqlexception is due to authorization failure
   public void verifyAuthzException(SQLException sqlException) throws SQLException{
@@ -177,7 +191,7 @@ public class Context {
 
   // verify that the sqlexception is due to authorization failure due to exec hooks
   public void verifyAuthzExecHookException(SQLException sqlException) throws SQLException{
-    verifyAuthzExceptionForState(sqlException, AUTHZ_EXEC_HOOK_EXCEPTION_SQL_STATE);
+    verifyAuthzExceptionForState(sqlException, AUTHZ_LINK_FAILURE_SQL_STATE);
   }
 
   // verify that the sqlexception is due to authorization failure

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
new file mode 100644
index 0000000..b8163b3
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDatabaseProvider.java
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.hive;
+
+import java.io.File;
+import java.sql.Connection;
+import java.sql.Statement;
+import java.util.Map;
+import java.util.concurrent.TimeoutException;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl;
+import org.apache.sentry.provider.db.SimpleDBProviderBackend;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.service.thrift.SentryService;
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Maps;
+import com.google.common.io.Files;
+
+public class TestDatabaseProvider extends AbstractTestWithHiveServer {
+  protected static final String SERVER_HOST = "localhost";
+
+  private Context context;
+  private Map<String, String> properties;
+  private File dbDir;
+  private SentryService server;
+  private Configuration conf;
+  private PolicyFile policyFile;
+
+  @Before
+  public void setup() throws Exception {
+    properties = Maps.newHashMap();
+    conf = new Configuration(false);
+    policyFile = new PolicyFile();
+    properties.put(HiveServerFactory.AUTHZ_PROVIDER_BACKEND, SimpleDBProviderBackend.class.getName());
+    properties.put(ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
+        SentryHiveAuthorizationTaskFactoryImpl.class.getName());
+    properties.put(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+    properties.put(ServerConfig.ADMIN_GROUPS, ADMINGROUP);
+    properties.put(ServerConfig.RPC_ADDRESS, SERVER_HOST);
+    properties.put(ServerConfig.RPC_PORT, String.valueOf(0));
+    dbDir = new File(Files.createTempDir(), "sentry_policy_db");
+    properties.put(ServerConfig.SENTRY_STORE_JDBC_URL,
+        "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
+    for (Map.Entry<String, String> entry : properties.entrySet()) {
+      conf.set(entry.getKey(), entry.getValue());
+    }
+    server = new SentryServiceFactory().create(conf);
+    properties.put(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostString());
+    properties.put(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
+    startSentryService();
+    context = createContext(properties);
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    if(context != null) {
+      context.close();
+    }
+    if (dbDir != null) {
+      FileUtils.deleteQuietly(dbDir);
+    }
+  }
+
+  private void startSentryService() throws Exception {
+    server.start();
+    final long start = System.currentTimeMillis();
+    while(!server.isRunning()) {
+      Thread.sleep(1000);
+      if(System.currentTimeMillis() - start > 60000L) {
+        throw new TimeoutException("Server did not start after 60 seconds");
+      }
+    }
+  }
+
+  @Test
+  public void testBasic() throws Exception {
+    policyFile
+      .setUserGroupMapping(StaticUserGroup.getStaticMapping())
+      .write(context.getPolicyFile());
+    Connection connection = context.createConnection(ADMIN1);
+    Statement statement = context.createStatement(connection);
+    statement.execute("CREATE ROLE admin_role");
+    statement.execute("GRANT ALL ON DATABASE default TO ROLE admin_role");
+    statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
+    statement.execute("CREATE TABLE t1 (c1 string)");
+    statement.execute("CREATE ROLE user_role");
+    statement.execute("GRANT SELECT ON TABLE t1 TO ROLE user_role");
+    statement.execute("GRANT ROLE user_role TO GROUP " + USERGROUP1);
+    statement.close();
+    connection.close();
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
+    context.assertSentryServiceAccessDenied(statement, "CREATE ROLE r2");
+    statement.execute("SELECT * FROM t1");
+    statement.close();
+    connection.close();
+
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 8c145ca..416411c 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -44,7 +44,6 @@ import com.google.common.io.Resources;
 public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfiguration {
 
   private Context context;
-  private File dataFile;
   private PolicyFile policyFile;
 
   Map <String, String >testProperties;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/63c134f3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
index 8af3f45..f00efdb 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
@@ -49,6 +49,7 @@ public class HiveServerFactory {
   public static final String WAREHOUSE_DIR = HiveConf.ConfVars.METASTOREWAREHOUSE.varname;
   public static final String AUTHZ_PROVIDER = HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER.getVar();
   public static final String AUTHZ_PROVIDER_RESOURCE = HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar();
+  public static final String AUTHZ_PROVIDER_BACKEND = HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar();
   public static final String AUTHZ_PROVIDER_FILENAME = "sentry-provider.ini";
   public static final String AUTHZ_SERVER_NAME = HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar();
   public static final String ACCESS_TESTING_MODE = HiveAuthzConf.AuthzConfVars.SENTRY_TESTING_MODE.getVar();


Mime
View raw message