ut

jerqi · jerqi · commit 88b52ec217ae · 2025-02-28T18:31:19.000+08:00
diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -77,8 +77,8 @@ public abstract class RangerAuthorizationPlugin
 
   protected String metalake;
   protected final String rangerServiceName;
-  protected final RangerClientExtension rangerClient;
-  protected final RangerHelper rangerHelper;
+  protected RangerClientExtension rangerClient;
+  protected RangerHelper rangerHelper;
   @VisibleForTesting public final String rangerAdminName;
 
   protected RangerAuthorizationPlugin(String metalake, Map<String, String> config) {
@@ -108,6 +108,26 @@ public String getMetalake() {
     return metalake;
   }
 
+  @VisibleForTesting
+  public RangerHelper getRangerHelper() {
+    return rangerHelper;
+  }
+
+  @VisibleForTesting
+  public void setRangerHelper(RangerHelper rangerHelper) {
+    this.rangerHelper = rangerHelper;
+  }
+
+  @VisibleForTesting
+  public RangerClientExtension getRangerClient() {
+    return rangerClient;
+  }
+
+  @VisibleForTesting
+  public void setRangerClient(RangerClientExtension rangerClient) {
+    this.rangerClient = rangerClient;
+  }
+
   /**
    * Set the Ranger policy resource defines rule.
    *
diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
@@ -21,6 +21,8 @@
 import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.currentFunName;
 import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.rangerClient;
 import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.verifyRoleInRanger;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
 
 import com.google.common.base.Joiner;
 import com.google.common.collect.ImmutableList;
@@ -48,24 +50,30 @@
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
 import org.apache.gravitino.authorization.ranger.RangerAuthorizationPlugin;
+import org.apache.gravitino.authorization.ranger.RangerClientExtension;
 import org.apache.gravitino.authorization.ranger.RangerHadoopSQLMetadataObject;
 import org.apache.gravitino.authorization.ranger.RangerHadoopSQLSecurableObject;
 import org.apache.gravitino.authorization.ranger.RangerHelper;
 import org.apache.gravitino.authorization.ranger.RangerPrivileges;
 import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
+import org.apache.gravitino.authorization.ranger.reference.VXUserList;
+import org.apache.gravitino.exceptions.AuthorizationPluginException;
 import org.apache.gravitino.integration.test.util.GravitinoITUtils;
 import org.apache.gravitino.meta.AuditInfo;
 import org.apache.gravitino.meta.GroupEntity;
 import org.apache.gravitino.meta.RoleEntity;
 import org.apache.gravitino.meta.UserEntity;
 import org.apache.ranger.RangerServiceException;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerRole;
+import org.glassfish.jersey.internal.guava.Sets;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -134,8 +142,24 @@ public RoleEntity mock3TableRole(String roleName) {
 
   // Use the different db.table different privilege to test OnRoleCreated()
   @Test
-  public void testOnRoleCreated() {
+  public void testOnRoleCreated() throws Exception {
     RoleEntity role = mock3TableRole(currentFunName());
+
+    // test to throw an exception
+    RangerClientExtension client = Mockito.mock(RangerClientExtension.class);
+    RangerClientExtension originClient = rangerAuthHivePlugin.getRangerClient();
+    rangerAuthHivePlugin.setRangerClient(client);
+    RangerHelper originHelper = rangerAuthHivePlugin.getRangerHelper();
+
+    RangerHelper helper =
+        new RangerHelper(client, "test", "test", Sets.newHashSet(), Lists.newArrayList());
+    rangerAuthHivePlugin.setRangerHelper(helper);
+    when(client.createRole(any(), any())).thenThrow(new RangerServiceException(new Exception("")));
+    Assertions.assertThrows(
+        AuthorizationPluginException.class, () -> rangerAuthHivePlugin.onRoleCreated(role));
+    rangerAuthHivePlugin.setRangerClient(originClient);
+    rangerAuthHivePlugin.setRangerHelper(originHelper);
+
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
     verifyRoleInRanger(rangerAuthHivePlugin, role);
 
@@ -259,7 +283,7 @@ public void testOnDenyRoleCreatedCatalog() {
   }
 
   @Test
-  public void testOnRoleDeleted() {
+  public void testOnRoleDeleted() throws Exception {
     // prepare to create a role
     RoleEntity role = mock3TableRole(currentFunName());
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
@@ -272,6 +296,23 @@ public void testOnRoleDeleted() {
 
     // Repeat to delete the same role to verify the idempotent operation
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleDeleted(role));
+
+    // test to throw an exception
+    RangerClientExtension client = Mockito.mock(RangerClientExtension.class);
+    RangerClientExtension originClient = rangerAuthHivePlugin.getRangerClient();
+    RangerHelper originHelper = rangerAuthHivePlugin.getRangerHelper();
+    rangerAuthHivePlugin.setRangerClient(client);
+
+    RangerHelper helper = Mockito.mock(RangerHelper.class);
+    rangerAuthHivePlugin.setRangerHelper(helper);
+    Mockito.doThrow(new RangerServiceException(new Exception("test")))
+        .when(client)
+        .deleteRole(any(), any(), any());
+    Mockito.when(helper.getRangerRole(any())).thenReturn(Mockito.mock(RangerRole.class));
+    Assertions.assertThrows(
+        AuthorizationPluginException.class, () -> rangerAuthHivePlugin.onRoleDeleted(role));
+    rangerAuthHivePlugin.setRangerClient(originClient);
+    rangerAuthHivePlugin.setRangerHelper(originHelper);
   }
 
   @Test
@@ -1089,7 +1130,7 @@ public void testRoleChangeCombinedOperation() {
   }
 
   @Test
-  public void testOnGrantedRolesToUser() {
+  public void testOnGrantedRolesToUser() throws Exception {
     // prepare to create a role
     RoleEntity role = mock3TableRole(currentFunName());
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
@@ -1113,6 +1154,17 @@ public void testOnGrantedRolesToUser() {
         rangerAuthHivePlugin.onGrantedRolesToUser(Lists.newArrayList(role), userEntity1));
     verifyRoleInRanger(rangerAuthHivePlugin, role, Lists.newArrayList(userName1));
 
+    // test to throw an exception
+    RangerClientExtension client = Mockito.mock(RangerClientExtension.class);
+    RangerClientExtension originClient = rangerAuthHivePlugin.getRangerClient();
+    rangerAuthHivePlugin.setRangerClient(client);
+    when(client.searchUser(any())).thenReturn(Mockito.mock(VXUserList.class));
+    when(client.grantRole(any(), any())).thenThrow(new AuthorizationPluginException("test"));
+    Assertions.assertThrows(
+        AuthorizationPluginException.class,
+        () -> rangerAuthHivePlugin.onGrantedRolesToUser(Lists.newArrayList(role), userEntity1));
+    rangerAuthHivePlugin.setRangerClient(originClient);
+
     // granted a role to the user2
     String userName2 = "user2";
     UserEntity userEntity2 =
@@ -1131,7 +1183,7 @@ public void testOnGrantedRolesToUser() {
   }
 
   @Test
-  public void testOnRevokedRolesFromUser() {
+  public void testOnRevokedRolesFromUser() throws Exception {
     // prepare to create a role
     RoleEntity role = mock3TableRole(currentFunName());
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
@@ -1158,10 +1210,21 @@ public void testOnRevokedRolesFromUser() {
     Assertions.assertTrue(
         rangerAuthHivePlugin.onRevokedRolesFromUser(Lists.newArrayList(role), userEntity1));
     verifyRoleInRanger(rangerAuthHivePlugin, role, null, Lists.newArrayList(userName1));
+
+    // test to throw an exception
+    RangerClientExtension client = Mockito.mock(RangerClientExtension.class);
+    RangerClientExtension originClient = rangerAuthHivePlugin.getRangerClient();
+    rangerAuthHivePlugin.setRangerClient(client);
+    when(client.searchUser(any())).thenReturn(Mockito.mock(VXUserList.class));
+    when(client.revokeRole(any(), any())).thenThrow(new AuthorizationPluginException("test"));
+    Assertions.assertThrows(
+        AuthorizationPluginException.class,
+        () -> rangerAuthHivePlugin.onRevokedRolesFromUser(Lists.newArrayList(role), userEntity1));
+    rangerAuthHivePlugin.setRangerClient(originClient);
   }
 
   @Test
-  public void testOnGrantedRolesToGroup() {
+  public void testOnGrantedRolesToGroup() throws Exception {
     // prepare to create a role
     RoleEntity role = mock3TableRole(currentFunName());
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
@@ -1185,6 +1248,17 @@ public void testOnGrantedRolesToGroup() {
         rangerAuthHivePlugin.onGrantedRolesToGroup(Lists.newArrayList(role), groupEntity1));
     verifyRoleInRanger(rangerAuthHivePlugin, role, null, null, Lists.newArrayList(groupName1));
 
+    // test to throw an exception
+    RangerClientExtension client = Mockito.mock(RangerClientExtension.class);
+    RangerClientExtension originClient = rangerAuthHivePlugin.getRangerClient();
+    rangerAuthHivePlugin.setRangerClient(client);
+    when(client.createGroup(any())).thenReturn(true);
+    when(client.grantRole(any(), any())).thenThrow(new AuthorizationPluginException("test"));
+    Assertions.assertThrows(
+        AuthorizationPluginException.class,
+        () -> rangerAuthHivePlugin.onGrantedRolesToGroup(Lists.newArrayList(role), groupEntity1));
+    rangerAuthHivePlugin.setRangerClient(originClient);
+
     // granted a role to the group2
     String groupName2 = "group2";
     GroupEntity groupEntity2 =
@@ -1204,7 +1278,7 @@ public void testOnGrantedRolesToGroup() {
   }
 
   @Test
-  public void testOnRevokedRolesFromGroup() {
+  public void testOnRevokedRolesFromGroup() throws Exception {
     // prepare to create a role
     RoleEntity role = mock3TableRole(currentFunName());
     Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
@@ -1233,6 +1307,17 @@ public void testOnRevokedRolesFromGroup() {
         rangerAuthHivePlugin.onRevokedRolesFromGroup(Lists.newArrayList(role), groupEntity1));
     verifyRoleInRanger(
         rangerAuthHivePlugin, role, null, null, null, Lists.newArrayList(groupName1));
+
+    // test to throw an exception
+    RangerClientExtension client = Mockito.mock(RangerClientExtension.class);
+    RangerClientExtension originClient = rangerAuthHivePlugin.getRangerClient();
+    rangerAuthHivePlugin.setRangerClient(client);
+    when(client.createGroup(any())).thenReturn(true);
+    when(client.revokeRole(any(), any())).thenThrow(new AuthorizationPluginException("test"));
+    Assertions.assertThrows(
+        AuthorizationPluginException.class,
+        () -> rangerAuthHivePlugin.onRevokedRolesFromGroup(Lists.newArrayList(role), groupEntity1));
+    rangerAuthHivePlugin.setRangerClient(originClient);
   }
 
   private void assertFindManagedPolicyItems(Role role, boolean gravitinoPolicyItemExist) {
