diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefinedSetFilterScanLabelGenerator.java similarity index 84% rename from hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java rename to hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefinedSetFilterScanLabelGenerator.java index f4bf87ef3b4..a42def0ccd3 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefinedSetFilterScanLabelGenerator.java @@ -27,20 +27,21 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.security.User; /** - * This is the default implementation for ScanLabelGenerator. It will extract labels passed via - * Scan#authorizations and cross check against the global auths set for the user. The labels for which - * user is not authenticated will be dropped even if it is passed via Scan Authorizations. + * This is an implementation for ScanLabelGenerator. + * It will extract labels from passed in authorizations and cross check + * against the set of predefined authorization labels for given user. + * The labels for which the user is not authorized will be dropped. */ @InterfaceAudience.Private -public class DefaultScanLabelGenerator implements ScanLabelGenerator { +public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator { + + private static final Log LOG = LogFactory.getLog(DefinedSetFilterScanLabelGenerator.class); - private static final Log LOG = LogFactory.getLog(DefaultScanLabelGenerator.class); - private Configuration conf; - + private VisibilityLabelsCache labelsCache; - - public DefaultScanLabelGenerator() { + + public DefinedSetFilterScanLabelGenerator() { this.labelsCache = VisibilityLabelsCache.get(); } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/FeedUserAuthScanLabelGenerator.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/FeedUserAuthScanLabelGenerator.java new file mode 100644 index 00000000000..3decbe822a6 --- /dev/null +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/FeedUserAuthScanLabelGenerator.java @@ -0,0 +1,70 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hbase.security.visibility; + +import java.util.List; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.hbase.classification.InterfaceAudience; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.security.User; + +/** + * If the passed in authorization is null, then this ScanLabelGenerator + * feeds the set of predefined authorization labels for the given user. That is + * the set defined by the admin using the VisibilityClient admin interface + * or the set_auths shell command. + * Otherwise the passed in authorization labels are returned with no change. + * + * Note: This SLG should not be used alone because it does not check + * the passed in authorization labels against what the user is authorized for. + */ +@InterfaceAudience.Private +public class FeedUserAuthScanLabelGenerator implements ScanLabelGenerator { + + private static final Log LOG = LogFactory.getLog(FeedUserAuthScanLabelGenerator.class); + + private Configuration conf; + private VisibilityLabelsCache labelsCache; + + public FeedUserAuthScanLabelGenerator() { + this.labelsCache = VisibilityLabelsCache.get(); + } + + @Override + public void setConf(Configuration conf) { + this.conf = conf; + } + + @Override + public Configuration getConf() { + return this.conf; + } + + @Override + public List getLabels(User user, Authorizations authorizations) { + if (authorizations == null || authorizations.getLabels() == null + || authorizations.getLabels().isEmpty()) { + String userName = user.getShortName(); + return this.labelsCache.getAuths(userName); + } + return authorizations.getLabels(); + } + +} diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java index 96185ddd3af..0c081820b2a 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityUtils.java @@ -188,10 +188,17 @@ public class VisibilityUtils { } } } - // If the conf is not configured by default we need to have one SLG to be used - // ie. DefaultScanLabelGenerator + // If no SLG is specified in conf, by default we'll add two SLGs + // 1. FeedUserAuthScanLabelGenerator + // 2. DefinedSetFilterScanLabelGenerator + // This stacking will achieve the following default behavior: + // 1. If there is no Auths in the scan, we will obtain the global defined set for the user + // from the labels table. + // 2. If there is Auths in the scan, we will examine the passed in Auths and filter out the + // labels that the user is not entitled to. Then use the resulting label set. if (slgs.isEmpty()) { - slgs.add(ReflectionUtils.newInstance(DefaultScanLabelGenerator.class, conf)); + slgs.add(ReflectionUtils.newInstance(FeedUserAuthScanLabelGenerator.class, conf)); + slgs.add(ReflectionUtils.newInstance(DefinedSetFilterScanLabelGenerator.class, conf)); } return slgs; } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGeneratorStack.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGeneratorStack.java new file mode 100644 index 00000000000..df2a61cc4fc --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGeneratorStack.java @@ -0,0 +1,210 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hbase.security.visibility; + +import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertNull; + +import java.io.IOException; +import java.security.PrivilegedExceptionAction; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellScanner; +import org.apache.hadoop.hbase.HBaseTestingUtility; +import org.apache.hadoop.hbase.HConstants; +import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.Put; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.client.Table; +import org.apache.hadoop.hbase.security.User; +import org.apache.hadoop.hbase.testclassification.MediumTests; +import org.apache.hadoop.hbase.testclassification.SecurityTests; +import org.apache.hadoop.hbase.util.Bytes; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.junit.rules.TestName; + +@Category({SecurityTests.class, MediumTests.class}) +public class TestDefaultScanLabelGeneratorStack { + + public static final String CONFIDENTIAL = "confidential"; + private static final String SECRET = "secret"; + public static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); + private static final byte[] ROW_1 = Bytes.toBytes("row1"); + private final static byte[] CF = Bytes.toBytes("f"); + private final static byte[] Q1 = Bytes.toBytes("q1"); + private final static byte[] Q2 = Bytes.toBytes("q2"); + private final static byte[] Q3 = Bytes.toBytes("q3"); + private final static byte[] value1 = Bytes.toBytes("value1"); + private final static byte[] value2 = Bytes.toBytes("value2"); + private final static byte[] value3 = Bytes.toBytes("value3"); + public static Configuration conf; + + @Rule + public final TestName TEST_NAME = new TestName(); + public static User SUPERUSER; + public static User TESTUSER; + + @BeforeClass + public static void setupBeforeClass() throws Exception { + // setup configuration + conf = TEST_UTIL.getConfiguration(); + VisibilityTestUtil.enableVisiblityLabels(conf); + // Not setting any SLG class. This means to use the default behavior. + conf.set("hbase.superuser", "admin"); + TEST_UTIL.startMiniCluster(1); + SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); + TESTUSER = User.createUserForTesting(conf, "test", new String[] { }); + + // Wait for the labels table to become available + TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000); + + // Set up for the test + SUPERUSER.runAs(new PrivilegedExceptionAction() { + public Void run() throws Exception { + try { + VisibilityClient.addLabels(conf, new String[] { SECRET, CONFIDENTIAL }); + VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL }, TESTUSER.getShortName()); + } catch (Throwable t) { + throw new IOException(t); + } + return null; + } + }); + } + + @Test + public void testDefaultScanLabelGeneratorStack() throws Exception { + final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); + + SUPERUSER.runAs(new PrivilegedExceptionAction() { + public Void run() throws Exception { + Table table = TEST_UTIL.createTable(tableName, CF); + try { + Put put = new Put(ROW_1); + put.add(CF, Q1, HConstants.LATEST_TIMESTAMP, value1); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + put = new Put(ROW_1); + put.add(CF, Q2, HConstants.LATEST_TIMESTAMP, value2); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(ROW_1); + put.add(CF, Q3, HConstants.LATEST_TIMESTAMP, value3); + table.put(put); + return null; + } finally { + table.close(); + } + } + }); + + TESTUSER.runAs(new PrivilegedExceptionAction() { + public Void run() throws Exception { + Table table = new HTable(conf, tableName); + try { + // Test scan with no auth attribute + Scan s = new Scan(); + ResultScanner scanner = table.getScanner(s); + Result[] next = scanner.next(1); + + assertTrue(next.length == 1); + CellScanner cellScanner = next[0].cellScanner(); + cellScanner.advance(); + Cell current = cellScanner.current(); + // test user can see value2 (CONFIDENTIAL) and value3 (no label) + assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), + current.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current.getQualifier(), Q2)); + assertTrue(Bytes.equals(current.getValue(), value2)); + cellScanner.advance(); + current = cellScanner.current(); + // test user can see value2 (CONFIDENTIAL) and value3 (no label) + assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), + current.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current.getQualifier(), Q3)); + assertTrue(Bytes.equals(current.getValue(), value3)); + + // Test scan with correct auth attribute for test user + Scan s1 = new Scan(); + // test user is entitled to 'CONFIDENTIAL'. + // If we set both labels in the scan, 'SECRET' will be dropped by the SLGs. + s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL })); + ResultScanner scanner1 = table.getScanner(s1); + Result[] next1 = scanner1.next(1); + + assertTrue(next1.length == 1); + CellScanner cellScanner1 = next1[0].cellScanner(); + cellScanner1.advance(); + Cell current1 = cellScanner1.current(); + // test user can see value2 (CONFIDENTIAL) and value3 (no label) + assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), + current1.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current1.getQualifier(), Q2)); + assertTrue(Bytes.equals(current1.getValue(), value2)); + cellScanner1.advance(); + current1 = cellScanner1.current(); + // test user can see value2 (CONFIDENTIAL) and value3 (no label) + assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), + current1.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current1.getQualifier(), Q3)); + assertTrue(Bytes.equals(current1.getValue(), value3)); + + // Test scan with incorrect auth attribute for test user + Scan s2 = new Scan(); + // test user is entitled to 'CONFIDENTIAL'. + // If we set 'SECRET', it will be dropped by the SLGs. + s2.setAuthorizations(new Authorizations(new String[] { SECRET })); + ResultScanner scanner2 = table.getScanner(s2); + Result next2 = scanner2.next(); + CellScanner cellScanner2 = next2.cellScanner(); + cellScanner2.advance(); + Cell current2 = cellScanner2.current(); + // This scan will only see value3 (no label) + assertTrue(Bytes.equals(current2.getRowArray(), current2.getRowOffset(), + current2.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current2.getQualifier(), Q3)); + assertTrue(Bytes.equals(current2.getValue(), value3)); + + assertFalse(cellScanner2.advance()); + + + return null; + } finally { + table.close(); + } + } + }); + + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + TEST_UTIL.shutdownMiniCluster(); + } +} diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java index cec7517f102..565698e5470 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java @@ -67,7 +67,7 @@ public class TestEnforcingScanLabelGenerator { // setup configuration conf = TEST_UTIL.getConfiguration(); VisibilityTestUtil.enableVisiblityLabels(conf); - String classes = DefaultScanLabelGenerator.class.getCanonicalName() + " , " + String classes = DefinedSetFilterScanLabelGenerator.class.getCanonicalName() + " , " + EnforcingScanLabelGenerator.class.getCanonicalName(); conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, classes); conf.set("hbase.superuser", "admin");