HBASE-11384 - [Visibility Controller]Check for users covering

authorizations for every mutation (Add new test file) (Ram)
2014-08-01 13:22:08 -07:00 · 2014-08-01 13:22:08 -07:00 · 04e06645ac
parent 4fd3b110f3
commit 04e06645ac
1 changed files with 231 additions and 0 deletions
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityWithCheckAuths.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityWithCheckAuths.java
@ -0,0 +1,231 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.visibility;
+
+import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.HColumnDescriptor;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.HTableDescriptor;
+import org.apache.hadoop.hbase.MediumTests;
+import org.apache.hadoop.hbase.TableName;
+import org.apache.hadoop.hbase.client.Append;
+import org.apache.hadoop.hbase.client.HBaseAdmin;
+import org.apache.hadoop.hbase.client.HTable;
+import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.rules.TestName;
+
+@Category(MediumTests.class)
+/**
+ * Test visibility by setting 'hbase.security.visibility.mutations.checkauths' to true
+ */
+public class TestVisibilityWithCheckAuths {
+  private static final String TOPSECRET = "TOPSECRET";
+  private static final String PUBLIC = "PUBLIC";
+  public static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
+  private static final byte[] row1 = Bytes.toBytes("row1");
+  private final static byte[] fam = Bytes.toBytes("info");
+  private final static byte[] qual = Bytes.toBytes("qual");
+  private final static byte[] value = Bytes.toBytes("value");
+  public static Configuration conf;
+
+  @Rule
+  public final TestName TEST_NAME = new TestName();
+  public static User SUPERUSER;
+  public static User USER;
+  @BeforeClass
+  public static void setupBeforeClass() throws Exception {
+    // setup configuration
+    conf = TEST_UTIL.getConfiguration();
+    conf.setBoolean(HConstants.DISTRIBUTED_LOG_REPLAY_KEY, false);
+    conf.setInt("hfile.format.version", 3);
+    conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName());
+    conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName());
+    conf.setBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, true);
+    conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
+        ScanLabelGenerator.class);
+    conf.set("hbase.superuser", "admin");
+    TEST_UTIL.startMiniCluster(2);
+    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
+    USER = User.createUserForTesting(conf, "user", new String[]{});
+    // Wait for the labels table to become available
+    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
+    addLabels();
+  }
+
+  @AfterClass
+  public static void tearDownAfterClass() throws Exception {
+    TEST_UTIL.shutdownMiniCluster();
+  }
+
+  public static void addLabels() throws Exception {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action = 
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        String[] labels = { TOPSECRET };
+        try {
+          VisibilityClient.addLabels(conf, labels);
+        } catch (Throwable t) {
+          throw new IOException(t);
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(action);
+  }
+
+  @Test
+  public void testVerifyAccessDeniedForInvalidUserAuths() throws Exception {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action = 
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.setAuths(conf, new String[] { TOPSECRET },
+              USER.getShortName());
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(action);
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin();
+    HColumnDescriptor colDesc = new HColumnDescriptor(fam);
+    colDesc.setMaxVersions(5);
+    HTableDescriptor desc = new HTableDescriptor(tableName);
+    desc.addFamily(colDesc);
+    hBaseAdmin.createTable(desc);
+    HTable table = null;
+    try {
+      TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString());
+      PrivilegedExceptionAction<Void> actiona = new PrivilegedExceptionAction<Void>() {
+        public Void run() throws Exception {
+          HTable table = null;
+          try {
+            table = new HTable(conf, TEST_NAME.getMethodName());
+            Put p = new Put(row1);
+            p.setCellVisibility(new CellVisibility(PUBLIC + "&" + TOPSECRET));
+            p.add(fam, qual, 125l, value);
+            table.put(p);
+            Assert.fail("Testcase should fail with AccesDeniedException");
+          } catch (Throwable t) {
+            assertTrue(t.getMessage().contains("AccessDeniedException"));
+          } finally {
+            table.close();
+          }
+          return null;
+        }
+      };
+      USER.runAs(actiona);
+    } catch (Exception e) {
+      throw new IOException(e);
+    }
+  }
+
+  @Test
+  public void testLabelsWithAppend() throws Throwable {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action = 
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.setAuths(conf, new String[] { TOPSECRET },
+              USER.getShortName());
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(action);
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = null;
+    try {
+      table = TEST_UTIL.createTable(tableName, fam);
+      final byte[] row1 = Bytes.toBytes("row1");
+      final byte[] val = Bytes.toBytes("a");
+      PrivilegedExceptionAction<Void> actiona = new PrivilegedExceptionAction<Void>() {
+        public Void run() throws Exception {
+          HTable table = null;
+          try {
+            table = new HTable(conf, TEST_NAME.getMethodName());
+            Put put = new Put(row1);
+            put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val);
+            put.setCellVisibility(new CellVisibility(TOPSECRET));
+            table.put(put);
+          } finally {
+            table.close();
+          }
+          return null;
+        }
+      };
+      USER.runAs(actiona);
+      actiona = new PrivilegedExceptionAction<Void>() {
+        public Void run() throws Exception {
+          HTable table = null;
+          try {
+            table = new HTable(conf, TEST_NAME.getMethodName());
+            Append append = new Append(row1);
+            append.add(fam, qual, Bytes.toBytes("b"));
+            table.append(append);
+          } finally {
+            table.close();
+          }
+          return null;
+        }
+      };
+      USER.runAs(actiona);
+      actiona = new PrivilegedExceptionAction<Void>() {
+        public Void run() throws Exception {
+          HTable table = null;
+          try {
+            table = new HTable(conf, TEST_NAME.getMethodName());
+            Append append = new Append(row1);
+            append.add(fam, qual, Bytes.toBytes("c"));
+            append.setCellVisibility(new CellVisibility(PUBLIC));
+            table.append(append);
+            Assert.fail("Testcase should fail with AccesDeniedException");
+          } catch (Throwable t) {
+            assertTrue(t.getMessage().contains("AccessDeniedException"));
+          } finally {
+            table.close();
+          }
+          return null;
+        }
+      };
+      USER.runAs(actiona);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+}