4abd1869fbb86fb3b5dd07c4898f9926f40bcd44,sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationEnd2End.java,TestHDFSIntegrationEnd2End,testColumnPrivileges,#,453
Before Change
stmt.execute("grant all on server server1 to role admin_role with grant option");
stmt.execute("grant role admin_role to group " + StaticUserGroup.ADMINGROUP);
conn = hiveServer2.createConnection(StaticUserGroup.ADMIN1, StaticUserGroup.ADMIN1);
stmt = conn.createStatement();
stmt.execute("create database " + dbName);
stmt.execute("use "+ dbName);
stmt.execute("create table p1 (s string) partitioned by (month int, day int)");
stmt.execute("alter table p1 add partition (month=1, day=1)");
stmt.execute("alter table p1 add partition (month=1, day=2)");
stmt.execute("alter table p1 add partition (month=2, day=1)");
stmt.execute("alter table p1 add partition (month=2, day=2)");
loadData(stmt);
stmt.execute("create role db_role");
stmt.execute("grant select on database " + dbName + " to role db_role");
stmt.execute("create role tab_role");
stmt.execute("grant select on p1 to role tab_role");
stmt.execute("create role col_role");
stmt.execute("grant select(s) on p1 to role col_role");
stmt.execute("grant role col_role to group "+ StaticUserGroup.USERGROUP1);
stmt.execute("grant role tab_role to group "+ StaticUserGroup.USERGROUP2);
stmt.execute("grant role col_role to group "+ StaticUserGroup.USERGROUP2);
stmt.execute("grant role db_role to group "+ StaticUserGroup.USERGROUP3);
stmt.execute("grant role col_role to group "+ StaticUserGroup.USERGROUP3);
stmt.execute("grant role col_role to group " + StaticUserGroup.ADMINGROUP);
Thread.sleep(CACHE_REFRESH);//Wait till sentry cache is updated in Namenode
//User with just column level privileges cannot read HDFS
verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.USERGROUP1, false);
//User with permissions on table and column can read HDFS file
verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", FsAction.READ_EXECUTE, StaticUserGroup.USERGROUP2, true);
//User with permissions on db and column can read HDFS file
verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", FsAction.READ_EXECUTE, StaticUserGroup.USERGROUP3, true);
//User with permissions on server and column cannot read HDFS file
//TODO:SENTRY-751
verifyOnAllSubDirs("/user/hive/warehouse/" + dbName + ".db/p1", null, StaticUserGroup.ADMINGROUP, false);
stmt.close();
conn.close();
}
After Change
Statement stmt = conn.createStatement())
{
stmt.execute("create database " + dbName);
stmt.execute("use "+ dbName);
stmt.execute("create table p1 (s string) partitioned by (month int, day int)");
stmt.execute("alter table p1 add partition (month=1, day=1)");
stmt.execute("alter table p1 add partition (month=1, day=2)");
stmt.execute("alter table p1 add partition (month=2, day=1)");
stmt.execute("alter table p1 add partition (month=2, day=2)");
loadData(stmt);
stmt.execute("create role db_role");
stmt.execute("grant select on database " + dbName + " to role db_role");
stmt.execute("create role tab_role");
stmt.execute("grant select on p1 to role tab_role");
stmt.execute("create role col_role");
stmt.execute("grant select(s) on p1 to role col_role");
stmt.execute("grant role col_role to group "+ StaticUserGroup.USERGROUP1);
stmt.execute("grant role tab_role to group "+ StaticUserGroup.USERGROUP2);
stmt.execute("grant role col_role to group "+ StaticUserGroup.USERGROUP2);
stmt.execute("grant role db_role to group "+ StaticUserGroup.USERGROUP3);
stmt.execute("grant role col_role to group "+ StaticUserGroup.USERGROUP3);
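Review bot: The first check after these grants is the denial for USERGROUP1 (column-only privileges), and in the Before listing it is guarded only by `Thread.sleep(CACHE_REFRESH)`, so it would presumably also pass if the NameNode had not yet picked up any grant at all. The After listing stops at the `col_role` grants, so this assumes the new body keeps the verification order shown in the Before listing. Running a positive check first, for example the USERGROUP2 call that expects `FsAction.READ_EXECUTE`, and only then `verifyOnAllSubDirs(..., null, StaticUserGroup.USERGROUP1, false)`, would show that the policy has propagated before the denial is asserted. A comment above the USERGROUP1 check such as `// column grants must not turn into HDFS ACLs: file-level read would expose every column` would record why the denial is the expected result.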