mirror of
https://github.com/apache/impala.git
synced 2026-01-06 15:01:43 -05:00
41e3b6b61e
1) Fix up locations to take FILESYSTEM_PREFIX into account so we can run the test against non-default FS. 2) Fix up results and catch sections. 3) Since S3 doesn't support INSERT, split the test into another version that expects different results for the INSERT part. The rest of the test is identical, and we can remove this new .test file once INSERT is supported. Change-Id: I50d21048b846aa985d1eefc50fc33bda05ebe509 Reviewed-on: http://gerrit.cloudera.org:8080/146 Reviewed-by: Dan Hecht <dhecht@cloudera.com> Tested-by: Internal Jenkins
416 lines
10 KiB
Plaintext
416 lines
10 KiB
Plaintext
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_TEST_DB
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Shows all roles in the system
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
'grant_revoke_test_ALL_TEST_DB'
|
|
'grant_revoke_test_SELECT_INSERT_TEST_TBL'
|
|
'grant_revoke_test_ALL_URI'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- QUERY
|
|
# Group name will be replaced with the actual user's group in the test
|
|
# framework.
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# Run this query as a different user and verify no roles show up but the
|
|
# stmt does not fail with an authorization error.
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'SERVER','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER on server
|
|
---- RESULTS
|
|
'SERVER','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLES
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLE GRANT GROUP for a group they do not
|
|
# belong to.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The 'root' user doesn't have any roles granted to them, but since they are part of the
|
|
# 'root' group, they should have privileges to execute this statement.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
drop database if exists grant_rev_db
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create table grant_rev_db.test_tbl1(i int)
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_TEST_DB to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
# Should now have all privileges on the test db
|
|
grant all on database grant_rev_db to grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Even though the user has all privileges on the database, they do not have privileges
|
|
# on any URIs. The FE tests have additional error message verification.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
---- CATCH
|
|
does not have privileges to access: $NAMENODE/test-warehouse/grant_rev_test_tbl2
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_URI to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
'test_tbl2'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
'URI','','','$NAMENODE/test-warehouse/grant_rev_test_tbl2','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# To create a database server-level privileges are required.
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
# Dropping the role should remove the privileges
|
|
drop role grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_SELECT_INSERT_TEST_TBL to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl2
|
|
---- CATCH
|
|
does not have privileges to execute 'SELECT' on: grant_rev_db.test_tbl2
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- CATCH
|
|
does not have privileges to execute 'INSERT' on: grant_rev_db.test_tbl1
|
|
====
|
|
---- QUERY
|
|
GRANT INSERT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_SELECT_INSERT_TEST_TBL on table grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
'TABLE','grant_rev_db','test_tbl1','','SELECT',FALSE,regex:.+
|
|
'TABLE','grant_rev_db','test_tbl1','','INSERT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- RESULTS
|
|
: 1
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
1
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
create role some_test_role
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
drop role grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: DROP_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke all on server from grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
# Set up a role to test the WITH GRANT OPTION. Assumes that tests are not running as
|
|
# 'root' and that 'root' exists on all machines.
|
|
create role grant_revoke_test_ROOT;
|
|
grant role grant_revoke_test_ROOT to group root;
|
|
grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# There should only be one role that exists for root
|
|
show current roles
|
|
---- RESULTS
|
|
'grant_revoke_test_ROOT'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# This privilege actually active
|
|
show databases
|
|
---- RESULTS
|
|
'default'
|
|
'functional'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The root user should be able to grant/revoke child privileges.
|
|
# Due to SENTRY-445 they cannot grant SELECT/INSERT even though they have been granted
|
|
# ALL.
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','ALL',TRUE,regex:.+
|
|
'TABLE','functional','alltypes','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
revoke all on table functional.alltypes from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# User should not be able to grant privileges outside of this scope.
|
|
grant all on table functional_seq.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
create role grant_revoke_test_ROOT2
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
grant role grant_revoke_test_ROOT to group root
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- QUERY
|
|
# Revoke the GRANT OPTION and verify the user can no longer GRANT or REVOKE
|
|
revoke grant option for all on database functional from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The privilege is still active
|
|
show databases
|
|
---- RESULTS
|
|
'default'
|
|
'functional'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Privilege still exists, but grant option is set to false
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
# Cleanup test roles
|
|
drop role grant_revoke_test_ALL_SERVER;
|
|
drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
|
|
drop role grant_revoke_test_ALL_URI;
|
|
drop role grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|