LENS-1532 and LENS-1529 : Adding files missed in previous commit.
authorRajitha R <rajithar@apache.org>
Thu, 6 Sep 2018 09:26:02 +0000 (14:56 +0530)
committerRajitha.R <rajithar@IM0318-L0.corp.inmobi.com>
Thu, 6 Sep 2018 09:26:02 +0000 (14:56 +0530)
lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java [new file with mode: 0644]
lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java [new file with mode: 0644]

diff --git a/lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java b/lens-cube/src/test/java/org/apache/lens/cube/parse/MockAuthorizer.java
new file mode 100644 (file)
index 0000000..d410083
--- /dev/null
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.lens.cube.parse;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.lens.server.api.authorization.ActionType;
+import org.apache.lens.server.api.authorization.Authorizer;
+import org.apache.lens.server.api.authorization.LensPrivilegeObject;
+
+import lombok.Getter;
+
+public class MockAuthorizer implements Authorizer {
+
+  @Getter
+  Set<String> authorizedUserGroups;
+  MockAuthorizer(){
+    init();
+  }
+
+  public void init(){
+    this.authorizedUserGroups = new HashSet<>();
+    this.authorizedUserGroups.add("lens-auth-test1");
+  }
+  @Override
+  public boolean authorize(LensPrivilegeObject lensPrivilegeObject, ActionType accessType, String user,
+    Set<String> userGroups) {
+    //check query authorization
+    if (lensPrivilegeObject.getTable().equals("basecube") && accessType.equals(ActionType.SELECT)) {
+      userGroups.retainAll(getAuthorizedUserGroups());
+      return !userGroups.isEmpty();
+    }
+    // check metastore schema authorization
+    if (lensPrivilegeObject.getTable().equals("TestCubeMetastoreClient") && accessType.equals(ActionType.UPDATE)) {
+      userGroups.retainAll(getAuthorizedUserGroups());
+      return !userGroups.isEmpty();
+    }
+    return false;
+  }
+}
diff --git a/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java
new file mode 100644 (file)
index 0000000..13b345f
--- /dev/null
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.lens.cube.parse;
+
+import static org.apache.lens.cube.metadata.DateFactory.TWO_DAYS_RANGE;
+
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.fail;
+
+import org.apache.lens.cube.metadata.MetastoreConstants;
+import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.error.LensException;
+import org.apache.lens.server.api.query.save.exception.PrivilegeException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+public class TestQueryAuthorizationResolver extends TestQueryRewrite {
+  private Configuration conf = new Configuration();
+
+  @BeforeClass
+  public void beforeClassTestQueryAuthorizationResolver() {
+    conf.setBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK, true);
+    conf.setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true);
+    conf.set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
+  }
+
+  @Test
+  public void testRestrictedColumnsFromQuery() throws LensException {
+
+    SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test2");
+    String testQuery = "select dim11 from basecube where " + TWO_DAYS_RANGE;
+
+    try {
+      rewrite(testQuery, conf);
+      fail("Privilege exception supposed to be thrown for selecting restricted columns in basecube, "
+         + "however not seeing expected behaviour");
+    } catch (PrivilegeException actualException) {
+      PrivilegeException expectedException =
+        new PrivilegeException("COLUMN", "basecube", "SELECT");
+      assertEquals(expectedException, actualException);
+    }
+    SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1");
+    rewrite(testQuery, conf);
+  }
+
+}