More product tests for SET ROLE

Verify that role set with `SET ROLE` is considering during the access check. Extracted-From: prestodb/presto#10904
trinodb · Jan 29, 2019 · 87063ee · 87063ee
1 parent 0beeb77
commit 87063ee
Showing 1 changed file with 115 additions and 1 deletion.
diff --git a/presto-product-tests/src/main/java/io/prestosql/tests/hive/TestRoles.java b/presto-product-tests/src/main/java/io/prestosql/tests/hive/TestRoles.java
@@ -13,6 +13,7 @@
  */
 package io.prestosql.tests.hive;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import io.prestodb.tempto.AfterTestWithContext;
@@ -120,7 +121,7 @@ public void testDropNonExistentRole()
     }
 
     @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
-    public void testAccessControl()
+    public void testCreateDropRoleAccessControl()
     {
         // Only users that are granted with "admin" role can create, drop and list roles
         // Alice is not granted with "admin" role
@@ -563,6 +564,119 @@ public void testShowRoleGrants()
                         row("role1"));
     }
 
+    @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testSetRoleCreateDropSchema()
+    {
+        assertAdminExecute("CREATE SCHEMA hive.test_admin_schema");
+        onPresto().executeQuery("DROP SCHEMA hive.test_admin_schema");
+    }
+
+    @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testAdminCanDropAnyTable()
+    {
+        onPrestoAlice().executeQuery("CREATE TABLE hive.default.test_table (foo BIGINT)");
+        assertAdminExecute("DROP TABLE hive.default.test_table");
+    }
+
+    @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testAdminCanRenameAnyTable()
+    {
+        onPrestoAlice().executeQuery("CREATE TABLE hive.default.test_table (foo BIGINT)");
+        assertAdminExecute("ALTER TABLE hive.default.test_table RENAME TO hive.default.test_table_1");
+        onPrestoAlice().executeQuery("DROP TABLE hive.default.test_table_1");
+    }
+
+    @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testAdminCanAddColumnToAnyTable()
+    {
+        onPrestoAlice().executeQuery("CREATE TABLE hive.default.test_table (foo BIGINT)");
+        assertAdminExecute("ALTER TABLE hive.default.test_table ADD COLUMN bar DATE");
+        onPrestoAlice().executeQuery("DROP TABLE hive.default.test_table");
+    }
+
+    @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testAdminCanRenameColumnInAnyTable()
+    {
+        onPrestoAlice().executeQuery("CREATE TABLE hive.default.test_table (foo BIGINT)");
+        assertAdminExecute("ALTER TABLE hive.default.test_table RENAME COLUMN foo TO bar");
+        onPrestoAlice().executeQuery("DROP TABLE hive.default.test_table");
+    }
+
+    @Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testSetRoleTablePermissions()
+    {
+        onPresto().executeQuery("CREATE ROLE role1");
+        onPresto().executeQuery("CREATE ROLE role2");
+
+        onPresto().executeQuery("GRANT role1 TO USER bob");
+        onPresto().executeQuery("GRANT role2 TO USER bob");
+
+        onPrestoAlice().executeQuery("CREATE TABLE hive.default.test_table (foo BIGINT)");
+        onPrestoAlice().executeQuery("GRANT SELECT ON hive.default.test_table TO ROLE role1");
+        onPrestoAlice().executeQuery("GRANT INSERT ON hive.default.test_table TO ROLE role2");
+
+        String select = "SELECT * FROM hive.default.test_table";
+        String insert = "INSERT INTO hive.default.test_table (foo) VALUES (1)";
+
+        assertAdminExecute(select);
+        assertAdminExecute(insert);
+
+        onPrestoBob().executeQuery(select);
+        onPrestoBob().executeQuery(insert);
+        QueryAssert.assertThat(onPrestoBob().executeQuery("SHOW GRANTS ON hive.default.test_table"))
+                .containsOnly(ImmutableList.of(
+                        row("alice", "USER", "role1", "ROLE", "hive", "default", "test_table", "SELECT", "NO", null),
+                        row("alice", "USER", "role2", "ROLE", "hive", "default", "test_table", "INSERT", "NO", null)));
+
+        onPrestoBob().executeQuery("SET ROLE ALL");
+        onPrestoBob().executeQuery(select);
+        onPrestoBob().executeQuery(insert);
+        QueryAssert.assertThat(onPrestoBob().executeQuery("SHOW GRANTS ON hive.default.test_table"))
+                .containsOnly(ImmutableList.of(
+                        row("alice", "USER", "role1", "ROLE", "hive", "default", "test_table", "SELECT", "NO", null),
+                        row("alice", "USER", "role2", "ROLE", "hive", "default", "test_table", "INSERT", "NO", null)));
+
+        onPrestoBob().executeQuery("SET ROLE NONE");
+        QueryAssert.assertThat(() -> onPrestoBob().executeQuery(select))
+                .failsWithMessage("Access Denied");
+        QueryAssert.assertThat(() -> onPrestoBob().executeQuery(insert))
+                .failsWithMessage("Access Denied");
+        QueryAssert.assertThat(onPrestoBob().executeQuery("SHOW GRANTS ON hive.default.test_table"))
+                .containsOnly(ImmutableList.of());
+
+        onPrestoBob().executeQuery("SET ROLE role1");
+        onPrestoBob().executeQuery(select);
+        QueryAssert.assertThat(() -> onPrestoBob().executeQuery(insert))
+                .failsWithMessage("Access Denied");
+        QueryAssert.assertThat(onPrestoBob().executeQuery("SHOW GRANTS ON hive.default.test_table"))
+                .containsOnly(ImmutableList.of(
+                        row("alice", "USER", "role1", "ROLE", "hive", "default", "test_table", "SELECT", "NO", null)));
+
+        onPrestoBob().executeQuery("SET ROLE role2");
+        QueryAssert.assertThat(() -> onPrestoBob().executeQuery(select))
+                .failsWithMessage("Access Denied");
+        onPrestoBob().executeQuery(insert);
+        QueryAssert.assertThat(onPrestoBob().executeQuery("SHOW GRANTS ON hive.default.test_table"))
+                .containsOnly(ImmutableList.of(
+                        row("alice", "USER", "role2", "ROLE", "hive", "default", "test_table", "INSERT", "NO", null)));
+
+        onPrestoAlice().executeQuery("DROP TABLE hive.default.test_table");
+    }
+
+    private static void assertAdminExecute(String query)
+    {
+        onPresto().executeQuery("SET ROLE NONE");
+        QueryAssert.assertThat(() -> onPresto().executeQuery(query))
+                .failsWithMessage("Access Denied");
+
+        onPresto().executeQuery("SET ROLE ALL");
+        QueryAssert.assertThat(() -> onPresto().executeQuery(query))
+                .failsWithMessage("Access Denied");
+
+        onPresto().executeQuery("SET ROLE admin");
+        onPresto().executeQuery(query);
+    }
+
     private static QueryExecutor onPrestoAlice()
     {
         return connectToPresto("alice@presto");