sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s..@apache.org
Subject [19/25] incubator-sentry git commit: SENTRY-769: [Improve error handling] Make sure groups in list_sentry_privileges_for_provider is not empty ( Colin Ma, Reviewed by: Sravya Tirukkovalur)
Date Thu, 05 Nov 2015 01:44:47 GMT
SENTRY-769: [Improve error handling] Make sure groups in list_sentry_privileges_for_provider
is not empty ( Colin Ma, Reviewed by: Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c69350b0
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c69350b0
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c69350b0

Branch: refs/heads/hive_plugin_v2
Commit: c69350b0a85054954500de306f4613c98798555d
Parents: 89a906a
Author: Sravya Tirukkovalur <sravya@cloudera.com>
Authored: Sun Oct 11 22:31:10 2015 -0700
Committer: Sun Dapeng <sdp@apache.org>
Committed: Mon Nov 2 16:37:06 2015 +0800

----------------------------------------------------------------------
 .../binding/hive/TestHiveAuthzBindings.java     |  4 +-
 .../binding/solr/TestSolrAuthzBinding.java      | 65 +++++++++++++++-----
 .../common/HadoopGroupMappingService.java       | 14 +++--
 .../common/SentryGroupNotFoundException.java    | 61 ++++++++++++++++++
 .../provider/file/LocalGroupMappingService.java | 10 +--
 .../provider/file/TestLocalGroupMapping.java    |  8 ++-
 .../sentry/test-authz-provider.ini              |  1 +
 .../SentryIndexAuthorizationSingletonTest.java  | 34 +++++++---
 .../tests/e2e/hive/TestUserManagement.java      | 46 +++++++++++++-
 .../metastore/TestAuthorizingObjectStore.java   | 44 ++++++-------
 .../solr/sentry/test-authz-provider.ini         |  4 +-
 11 files changed, 227 insertions(+), 64 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
index 0622b43..1fac0c7 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
@@ -42,6 +42,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
 import org.apache.sentry.provider.file.PolicyFiles;
 import org.junit.After;
 import org.junit.Before;
@@ -299,7 +300,8 @@ public class TestHiveAuthzBindings {
     testAuth.authorize(HiveOperation.CREATEFUNCTION, createFuncPrivileges, ANALYST_SUBJECT,
         inputTabHierarcyList, outputTabHierarcyList);
   }
-  @Test(expected=AuthorizationException.class)
+
+  @Test(expected = SentryGroupNotFoundException.class)
   public void testValidateCreateFunctionRejectionForUnknownUser() throws Exception {
     inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] {
         new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar")

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index c37f8ff..c0445ab 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -43,6 +43,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
 import org.apache.sentry.provider.file.PolicyFiles;
 import org.junit.After;
 import org.junit.Before;
@@ -181,14 +182,38 @@ public class TestSolrAuthzBinding {
     Set<String> emptyList = Collections.emptySet();
 
     // check non-existant users
-    assertEquals(binding.getGroups(null), emptyList);
-    assertEquals(binding.getGroups("nonExistantUser"), emptyList);
+    try {
+      binding.getGroups(null);
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
+    try {
+      binding.getGroups("nonExistantUser");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
 
     // check group names don't map to user names
-    assertEquals(binding.getGroups("corporal"), emptyList);
-    assertEquals(binding.getGroups("sergeant"), emptyList);
-    assertEquals(binding.getGroups("general"), emptyList);
-    assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
+    try {
+      binding.getGroups("corporal");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
+    try {
+      binding.getGroups("sergeant");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
+    try {
+      binding.getGroups("general");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
+    try {
+      binding.getGroups("othergeneralgroup");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
 
     // check valid group names
     assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal"));
@@ -207,19 +232,27 @@ public class TestSolrAuthzBinding {
     SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
     Set<String> emptySet = Collections.emptySet();
 
-    // check non-existant users
-    assertEquals(binding.getRoles(null), emptySet);
-    assertEquals(binding.getRoles("nonExistantUser"), emptySet);
-
     // check user with undefined group
     assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
     // check group with undefined role
     assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);
 
     // check role names don't map in the other direction
-    assertEquals(binding.getRoles("corporal_role"), emptySet);
-    assertEquals(binding.getRoles("sergeant_role"), emptySet);
-    assertEquals(binding.getRoles("general_role"), emptySet);
+    try {
+      binding.getRoles("corporal_role");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
+    try {
+      binding.getRoles("sergeant_role");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
+    try {
+      binding.getRoles("general_role");
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
 
     // check valid users
     assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
@@ -260,7 +293,11 @@ public class TestSolrAuthzBinding {
        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
      setUsableAuthzConf(solrAuthzConf);
      SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
-     expectAuthException(binding, new Subject("bogus"), infoCollection, querySet);
+    try {
+      binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet);
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
   }
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
index fb335a3..4214449 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
@@ -17,8 +17,8 @@
 package org.apache.sentry.provider.common;
 
 import java.io.IOException;
-import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 import org.apache.commons.lang.StringUtils;
@@ -27,6 +27,8 @@ import org.apache.hadoop.security.Groups;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.collect.Lists;
+
 public class HadoopGroupMappingService implements GroupMappingService {
 
   private static final Logger LOGGER = LoggerFactory
@@ -56,11 +58,15 @@ public class HadoopGroupMappingService implements GroupMappingService
{
 
   @Override
   public Set<String> getGroups(String user) {
+    List<String> groupList = Lists.newArrayList();
     try {
-      return new HashSet<String>(groups.getGroups(user));
+      groupList = groups.getGroups(user);
     } catch (IOException e) {
-      LOGGER.warn("Unable to obtain groups for " + user, e);
+      throw new SentryGroupNotFoundException("Unable to obtain groups for " + user, e);
+    }
+    if (groupList == null || groupList.isEmpty()) {
+      throw new SentryGroupNotFoundException("Unable to obtain groups for " + user);
     }
-    return Collections.emptySet();
+    return new HashSet<String>(groupList);
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
new file mode 100644
index 0000000..2609bd3
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.common;
+
+public class SentryGroupNotFoundException extends RuntimeException {
+  private static final long serialVersionUID = -116202866086371881L;
+
+  /**
+   * Creates a new SentryGroupNotFoundException.
+   */
+  public SentryGroupNotFoundException() {
+    super();
+  }
+
+  /**
+   * Constructs a new SentryGroupNotFoundException.
+   *
+   * @param message
+   *        the reason for the exception
+   */
+  public SentryGroupNotFoundException(String message) {
+    super(message);
+  }
+
+  /**
+   * Constructs a new SentryGroupNotFoundException.
+   *
+   * @param cause
+   *        the underlying Throwable that caused this exception to be thrown.
+   */
+  public SentryGroupNotFoundException(Throwable cause) {
+    super(cause);
+  }
+
+  /**
+   * Constructs a new SentryGroupNotFoundException.
+   *
+   * @param message
+   *        the reason for the exception
+   * @param cause
+   *        the underlying Throwable that caused this exception to be thrown.
+   */
+  public SentryGroupNotFoundException(String message, Throwable cause) {
+    super(message, cause);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
index e22e6b6..1c12f11 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -18,7 +18,6 @@
 package org.apache.sentry.provider.file;
 
 import java.io.IOException;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -30,6 +29,7 @@ import org.apache.hadoop.fs.Path;
 import org.apache.sentry.provider.common.GroupMappingService;
 import org.apache.sentry.provider.common.PolicyFileConstants;
 import org.apache.sentry.provider.common.ProviderConstants;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
 import org.apache.shiro.config.Ini;
 import org.apache.shiro.config.Ini.Section;
 import org.slf4j.Logger;
@@ -85,11 +85,11 @@ public class LocalGroupMappingService implements GroupMappingService {
 
   @Override
   public Set<String> getGroups(String user) {
-    if (groupMap.containsKey(user)) {
-      return groupMap.get(user);
-    } else {
-      return Collections.emptySet();
+    Set<String> groups = groupMap.get(user);
+    if (groups == null || groups.isEmpty()) {
+      throw new SentryGroupNotFoundException("Unable to obtain groups for " + user);
     }
+    return groups;
   }
 
   private void parseGroups(FileSystem fileSystem, Path resourcePath) throws IOException {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
index c436009..c5345bc 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
@@ -23,6 +23,7 @@ import java.util.Set;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.fs.Path;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -63,7 +64,10 @@ public class TestLocalGroupMapping {
     Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar");
     Assert.assertEquals(barGroupsFromResource, barGroups);
 
-    Set<String> unknownGroupsFromResource = localGroupMapping.getGroups("unknown");
-    Assert.assertTrue("List not empty " + unknownGroupsFromResource, unknownGroupsFromResource.isEmpty());
+    try {
+      localGroupMapping.getGroups("unknown");
+      Assert.fail("SentryGroupNotFoundException should be thrown.");
+    } catch (SentryGroupNotFoundException sgnfe) {
+    }
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
b/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
index 8f48a8c..ec029c5 100644
--- a/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
+++ b/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
@@ -33,3 +33,4 @@ queryOnlyAdmin=queryOnlyAdmin
 updateOnlyAdmin=updateOnlyAdmin
 multiGroupUser=junit, queryOnlyAdmin, updateOnlyAdmin
 undefinedRoleUser=undefinedRoleGroup
+bogusUser=bogusUserGroup

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
----------------------------------------------------------------------
diff --git a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
index a3d7d19..694c486 100644
--- a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
+++ b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
@@ -23,6 +23,7 @@ import java.util.Set;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.sentry.core.model.search.SearchModelAction;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
 import org.apache.solr.cloud.CloudDescriptor;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.params.ModifiableSolrParams;
@@ -89,6 +90,17 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase
{
     }
   }
 
+  private void doExpectExceptionWithoutGroup(SentryIndexAuthorizationSingleton singleton,
+      SolrQueryRequest request, Set<SearchModelAction> actions)
+      throws Exception {
+    try {
+      singleton.authorizeCollectionAction(request, actions, OPERATION_NAME);
+      Assert.fail("Expected SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException ex) {
+      // excepted exception, do nothing
+    }
+  }
+
   @Test
   public void testNoBinding() throws Exception {
     // Use reflection to construct a non-singleton version of SentryIndexAuthorizationSingleton
@@ -122,8 +134,7 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase
{
   public void testNullUserName() throws Exception {
     SolrQueryRequest request = getRequest();
     prepareCollAndUser(core, request, "collection1", null);
-    doExpectUnauthorized(request, EnumSet.of(SearchModelAction.ALL),
-      "User null does not have privileges for collection1");
+    doExpectExceptionWithoutGroup(sentryInstance, request, EnumSet.of(SearchModelAction.ALL));
   }
 
   @Test
@@ -131,8 +142,7 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase
{
     System.setProperty("solr.authorization.superuser", "");
     SolrQueryRequest request = getRequest();
     prepareCollAndUser(core, request, "collection1", "solr");
-    doExpectUnauthorized(request, EnumSet.of(SearchModelAction.ALL),
-      "User solr does not have privileges for collection1");
+    doExpectExceptionWithoutGroup(sentryInstance, request, EnumSet.of(SearchModelAction.ALL));
   }
 
   /**
@@ -212,15 +222,21 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase
{
     Collection<String> emptyCollection = ImmutableSet.<String>of();
 
     // null user
-    Collection<String> roles = sentryInstance.getRoles(null);
-    assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles));
+    try {
+      sentryInstance.getRoles(null);
+      Assert.fail("Excepted SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
 
     // no group
-    roles = sentryInstance.getRoles("bogusUser");
-    assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles));
+    try {
+      sentryInstance.getRoles("withoutGroupUser");
+      Assert.fail("Excepted SentryGroupNotFoundException");
+    } catch (SentryGroupNotFoundException e) {
+    }
 
     // no role
-    roles = sentryInstance.getRoles("undefinedRoleUser");
+    Collection<String> roles = sentryInstance.getRoles("undefinedRoleUser");
     assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles));
 
     // single member

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index 471af1a..02ac514 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -17,10 +17,9 @@
 
 package org.apache.sentry.tests.e2e.hive;
 
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -29,12 +28,16 @@ import java.sql.ResultSet;
 import java.sql.Statement;
 
 import org.apache.hadoop.mapreduce.JobContext;
+import org.apache.hive.service.cli.HiveSQLException;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 
 import com.google.common.io.Resources;
 
 public class TestUserManagement extends AbstractTestWithStaticConfiguration {
+
   private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
   private static final String dbName = "db1";
   private static final String tableName = "t1";
@@ -343,6 +346,45 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration
{
     }
   }
 
+  /**
+   * Tests that users without group information will cause the configuration exception
+   **/
+  @Test
+  public void testGroup9() throws Exception {
+    policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
+    policyFile.addGroupsToUser("admin1", ADMINGROUP);
+    writePolicyFile(policyFile);
+
+    Connection connection = context.createConnection("admin1");
+    Statement statement = connection.createStatement();
+    statement.execute("DROP DATABASE IF EXISTS db1 CASCADE");
+    statement.execute("CREATE DATABASE db1");
+    statement.execute("USE db1");
+    statement.execute("CREATE TABLE t1 (under_col int)");
+    statement.close();
+    connection.close();
+
+    // user1 hasn't any group
+    connection = context.createConnection("user1");
+    statement = context.createStatement(connection);
+    // for any sql need to be authorized, exception will be thrown if the uer hasn't any
group
+    // information
+    try {
+      statement.execute("CREATE TABLE db1.t1 (under_col int, value string)");
+      fail("User without group configuration, SentryGroupNotFoundException should be thrown
");
+    } catch (HiveSQLException hse) {
+      assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
+    }
+    try {
+      statement.execute("SELECT under_col from db1.t1");
+      fail("User without group configuration, SentryGroupNotFoundException should be thrown
");
+    } catch (HiveSQLException hse) {
+      assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
+    }
+    statement.close();
+    connection.close();
+  }
+
   @Test
   public void testMrAclsSetting() throws Exception {
     Connection connection = context.createConnection("admin1");

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
index 44ed096..3c28fd0 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
@@ -64,7 +64,9 @@ public class TestAuthorizingObjectStore extends
   @Before
   public void setup() throws Exception {
     policyFile = setAdminOnServer1(ADMINGROUP);
-    policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
+    // add user ACCESSAllMETAUSER for the test case testPrivilegesForUserNameCaseSensitive
+    policyFile.addGroupsToUser(userWithoutAccess.toUpperCase(), "tempGroup").setUserGroupMapping(
+        StaticUserGroup.getStaticMapping());
     writePolicyFile(policyFile);
     super.setup();
 
@@ -97,31 +99,21 @@ public class TestAuthorizingObjectStore extends
     client.close();
 
     policyFile
-            .addRolesToGroup(USERGROUP1, all_role)
-            .addRolesToGroup(USERGROUP2, db1_t1_role)
-            .addPermissionsToRole(all_role, "server=server1->db=" + dbName1)
-            .addPermissionsToRole(all_role, "server=server1->db=" + dbName2)
-            .addPermissionsToRole(
-                    all_role,
-                    "server=server1->db=" + dbName1 + "->table=" + tabName1
-                            + "->action=SELECT")
-            .addPermissionsToRole(
-                    all_role,
-                    "server=server1->db=" + dbName1 + "->table=" + tabName2
-                            + "->action=SELECT")
-            .addPermissionsToRole(
-                    all_role,
-                    "server=server1->db=" + dbName2 + "->table=" + tabName3
-                            + "->action=SELECT")
-            .addPermissionsToRole(
-                    all_role,
-                    "server=server1->db=" + dbName2 + "->table=" + tabName4
-                            + "->action=SELECT")
-            .addPermissionsToRole(
-                    db1_t1_role,
-                    "server=server1->db=" + dbName1 + "->table=" + tabName1
-                            + "->action=SELECT")
-            .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+        .addRolesToGroup(USERGROUP1, all_role)
+        .addRolesToGroup(USERGROUP2, db1_t1_role)
+        .addPermissionsToRole(all_role, "server=server1->db=" + dbName1)
+        .addPermissionsToRole(all_role, "server=server1->db=" + dbName2)
+        .addPermissionsToRole(all_role,
+            "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT")
+        .addPermissionsToRole(all_role,
+            "server=server1->db=" + dbName1 + "->table=" + tabName2 + "->action=SELECT")
+        .addPermissionsToRole(all_role,
+            "server=server1->db=" + dbName2 + "->table=" + tabName3 + "->action=SELECT")
+        .addPermissionsToRole(all_role,
+            "server=server1->db=" + dbName2 + "->table=" + tabName4 + "->action=SELECT")
+        .addPermissionsToRole(db1_t1_role,
+            "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT")
+        .setUserGroupMapping(StaticUserGroup.getStaticMapping());
     writePolicyFile(policyFile);
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index 34a030d..bccc63e 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -115,10 +115,12 @@ admin_q__sentryCollection_ = admin_query_group,
 admin_ua__sentryCollection_ = admin_update_group, admin_all_group,
 admin_u__sentryCollection_ = admin_update_group,
 admin_a__sentryCollection_ = admin_all_group,
+admin___sentryCollection_ = sentryCollection_temp_group,
 sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group,
 sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group,
 sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group,
 sentryCollection_q = sentryCollection_query_group,
 sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group,
 sentryCollection_u = sentryCollection_update_group,
-sentryCollection_a = sentryCollection_all_group,
\ No newline at end of file
+sentryCollection_a = sentryCollection_all_group,
+sentryCollection_ = sentryCollection_temp_group
\ No newline at end of file


Mime
View raw message