Add product tests for Grant/Revoke with grant options

SipeiZhou · Dec 3, 2021 · d08c5df · d08c5df
1 parent 249f9d8
commit d08c5df
Showing 1 changed file with 38 additions and 1 deletion.
diff --git a/testing/trino-product-tests/src/main/java/io/trino/tests/product/hive/TestGrantRevoke.java b/testing/trino-product-tests/src/main/java/io/trino/tests/product/hive/TestGrantRevoke.java
@@ -52,6 +52,7 @@ public class TestGrantRevoke
     private String viewName;
     private QueryExecutor aliceExecutor;
     private QueryExecutor bobExecutor;
+    private QueryExecutor charlieExecutor;
 
     /*
      * Pre-requisites for the tests in this class:
@@ -60,6 +61,7 @@ public class TestGrantRevoke
      * (2) tempto-configuration.yaml file should have definitions for the following connections to Presto server:
      *          - "alice@presto" that has "jdbc_user: alice"
      *          - "bob@presto" that has "jdbc_user: bob"
+     *          - "charlie@presto" that has "jdbc_user: charlie"
      *     (all other values of the connection are same as that of the default "presto" connection).
      */
 
@@ -70,6 +72,7 @@ public void setup()
         viewName = "alice_view";
         aliceExecutor = connectToPresto("alice@presto");
         bobExecutor = connectToPresto("bob@presto");
+        charlieExecutor = connectToPresto("charlie@presto");
 
         aliceExecutor.executeQuery(format("DROP TABLE IF EXISTS %s", tableName));
         aliceExecutor.executeQuery(format("CREATE TABLE %s(month bigint, day bigint)", tableName));
@@ -111,7 +114,7 @@ private Set<String> listRoles()
     public void testGrantRevoke()
     {
         // test GRANT
-        aliceExecutor.executeQuery(format("GRANT SELECT ON %s TO bob WITH GRANT OPTION", tableName));
+        aliceExecutor.executeQuery(format("GRANT SELECT ON %s TO bob", tableName));
         assertThat(bobExecutor.executeQuery(format("SELECT * FROM %s", tableName))).hasNoRows();
         aliceExecutor.executeQuery(format("GRANT INSERT, SELECT ON %s TO bob", tableName));
         assertThat(bobExecutor.executeQuery(format("INSERT INTO %s VALUES (3, 22)", tableName))).hasRowsCount(1);
@@ -129,6 +132,40 @@ public void testGrantRevoke()
                 .hasMessageContaining(format("Access Denied: Cannot select from table default.%s", tableName));
     }
 
+    @Test(groups = {AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testGrantOptionsOnGrantedPrivilege()
+    {
+        aliceExecutor.executeQuery(format("GRANT SELECT ON %s TO bob", tableName));
+        assertQueryFailure(() -> aliceExecutor.executeQuery(format("GRANT SELECT ON %s TO bob WITH GRANT OPTION", tableName)))
+                // Updating a privilege with GRANT OPTION is not supported by Hive. https://issues.apache.org/jira/browse/HIVE-15689
+                .hasMessageContaining("Granting SELECT WITH GRANT OPTION is not supported while USER bob possesses SELECT");
+    }
+
+    @Test(groups = {AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
+    public void testGrantRevokeWithGrantOption()
+    {
+        onTrino().executeQuery("CREATE ROLE role1 IN hive");
+        onTrino().executeQuery("CREATE ROLE role2 IN hive");
+        onTrino().executeQuery("GRANT role1 TO USER charlie IN hive");
+
+        // test GRANT WITH GRANT OPTION
+        aliceExecutor.executeQuery(format("GRANT SELECT ON %s TO bob WITH GRANT OPTION", tableName));
+        assertQueryFailure(() -> charlieExecutor.executeQuery(format("SELECT * FROM %s", tableName)))
+                .hasMessageContaining(format("Access Denied: Cannot select from table default.%s", tableName));
+        bobExecutor.executeQuery(format("GRANT SELECT ON %s TO ROLE role1", tableName));
+        assertThat(charlieExecutor.executeQuery(format("SELECT * FROM %s", tableName))).hasNoRows();
+
+        // test REVOKE WITH GRANT OPTION
+        aliceExecutor.executeQuery(format("REVOKE GRANT OPTION FOR SELECT ON %s FROM bob", tableName));
+        assertQueryFailure(() -> bobExecutor.executeQuery(format("GRANT SELECT ON %s TO ROLE role1 ", tableName)))
+                .hasMessageContaining(format("Access Denied: Cannot grant privilege SELECT on table default.%s", tableName));
+        // TODO (https://github.com/trinodb/trino/issues/4455) Should revoke only GRANT OPTION
+        assertQueryFailure(() -> bobExecutor.executeQuery(format("SELECT * FROM %s", tableName)))
+                .hasMessageContaining(format("Access Denied: Cannot select from table default.%s", tableName));
+        // Since Hive doesn't support REVOKE with CASCADE, charlie would still have access to table
+        assertThat(charlieExecutor.executeQuery(format("SELECT * FROM %s", tableName))).hasNoRows();
+    }
+
     @Test(groups = {AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
     public void testShowGrants()
     {