From lsk...@apache.org
Subject git commit: SENTRY-507: Ban additional configs in getConfigVal() (Mike Yoder via Lenni Kuff)
Date Tue, 28 Oct 2014 22:04:06 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master 2fb35eb9c -> e4dc61d52


SENTRY-507: Ban additional configs in getConfigVal() (Mike Yoder via Lenni Kuff)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/e4dc61d5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/e4dc61d5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/e4dc61d5

Branch: refs/heads/master
Commit: e4dc61d52b159b21ab2cced635a789c2b1e551d6
Parents: 2fb35eb
Author: Lenni Kuff <lskuff@cloudera.com>
Authored: Tue Oct 28 15:02:06 2014 -0700
Committer: Lenni Kuff <lskuff@cloudera.com>
Committed: Tue Oct 28 15:02:47 2014 -0700

----------------------------------------------------------------------
 .../thrift/SentryPolicyStoreProcessor.java      |  7 ++-
 .../thrift/TestSentryServiceIntegration.java    | 49 +++++++++++---------
 2 files changed, 31 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e4dc61d5/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 6de9992..d64d019 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -602,12 +602,15 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
   public TSentryConfigValueResponse get_sentry_config_value(
           TSentryConfigValueRequest request) throws TException {
 
+    final String requirePattern = "^sentry\\..*";
+    final String excludePattern = ".*keytab.*|.*\\.jdbc\\..*|.*password.*";
+
     TSentryConfigValueResponse response = new TSentryConfigValueResponse();
     String attr = request.getPropertyName();
 
     // Only allow config parameters like...
-    if (!Pattern.matches("^sentry\\..*", attr) ||
-        Pattern.matches(".*keytab.*", attr)) {
+    if (!Pattern.matches(requirePattern, attr) ||
+        Pattern.matches(excludePattern, attr)) {
       String msg = "Attempted access of the configuration property " + attr +
               " was denied";
       LOGGER.error(msg);
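Review bot: The ban list in `excludePattern` is matched case-sensitively, so a property name spelled with `Password` or `KEYTAB` slips past the exclusion while the `requirePattern` check still admits it; prefix the pattern with an inline flag, `final String excludePattern = "(?i).*keytab.*|.*\\.jdbc\\..*|.*password.*";`, and add a mixed-case name to the `checkBannedConfigVal` calls in TestSentryServiceIntegration so the test hunk pins that behaviour. Both strings are constants, so they would also read better as `private static final Pattern` fields compiled once instead of being recompiled by `Pattern.matches` on every request. A substring deny-list is inherently best-effort — a credential-bearing name containing none of these words is still returned — so the comment above the `if` should say that the `sentry.` allow pattern is the primary control and the exclusion list only narrows it. `Pattern.matches` throws NullPointerException when `attr` is null; if that is the intended failure for a null property name it deserves a comment, otherwise an explicit null check before the match would be clearer. get_sentry_config_value's body continues outside the hunk.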

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e4dc61d5/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 23bd765..50ee559 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -638,6 +638,23 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase
{
     }
   }
 
+  /**
+   * Attempt to access a configuration value that is forbidden in getConfigVal
+   * @param configVal The banned value
+   * @param defaultVal A default to pass to getConfigValue
+   * @throws Exception
+   */
+  private void checkBannedConfigVal(String configVal, String defaultVal)
+          throws Exception {
+  try {
+      client.getConfigValue(configVal, defaultVal);
+      fail("Attempt to access " + configVal + " succeeded");
+    } catch (SentryAccessDeniedException e) {
+      assertTrue(e.toString().contains("was denied"));
+      assertTrue(e.toString().contains(configVal));
+    }
+  }
+
   @Test
   public void testGetConfigVal() throws Exception {
     String val;
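Review bot: The `try {` that opens the body of the new `checkBannedConfigVal` helper is indented two columns short of the rest of the method body, so it reads as if it sat at class level; indent it to align with the `client.getConfigValue(configVal, defaultVal);` line that follows. The Javadoc's `@throws Exception` carries no description — write it as `@throws Exception if the call fails with anything other than the expected SentryAccessDeniedException`, since that propagation is what makes an unexpected exception type fail the test. testGetConfigVal starts in this hunk and continues outside it.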
@@ -659,33 +676,19 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase
{
     assertEquals(val, "admin_group");
 
     // Value that is forbidden (anything not starting with "sentry") dies
-    try {
-      val = client.getConfigValue("notsentry", "xxx");
-      fail("Attempt to access banned config value succeeded");
-    } catch (SentryAccessDeniedException e) {
-      assertTrue(e.toString().contains("was denied"));
-      assertTrue(e.toString().contains("notsentry"));
-      // expected
-    }
+    checkBannedConfigVal("notsentry", "xxx");
 
     // Ditto with a null default
-    try {
-      val = client.getConfigValue("notsentry", null);
-      fail("Attempt to access banned config value succeeded");
-    } catch (SentryAccessDeniedException e) {
-      assertTrue(e.toString().contains("was denied"));
-      assertTrue(e.toString().contains("notsentry"));
-      // expected
-    }
+    checkBannedConfigVal("notsentry", null);
+
+    // Values with .jdbc. are forbidden
+    checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
+
+    // Values with password are forbidden
+    checkBannedConfigVal("sentry.xxx.password", null);
 
     // Attempt to get the location of the keytab also fails
-    try {
-      val = client.getConfigValue("sentry.service.server.keytab", "xxx");
-      fail("Attempt to access banned keytab succeeded");
-    } catch (SentryAccessDeniedException e) {
-      assertTrue(e.toString().contains("was denied"));
-      assertTrue(e.toString().contains("keytab"));
-    }
+    checkBannedConfigVal("sentry.service.server.keytab", null);
 
     // null parameter name fails
     try {

