HBASE-12346 Scan's default auths behavior under Visibility labels.(Jerry He)
This commit is contained in:
parent
bfda57d4f2
commit
04ee2bc812
|
@ -27,20 +27,21 @@ import org.apache.hadoop.conf.Configuration;
|
|||
import org.apache.hadoop.hbase.security.User;
|
||||
|
||||
/**
|
||||
* This is the default implementation for ScanLabelGenerator. It will extract labels passed via
|
||||
* Scan#authorizations and cross check against the global auths set for the user. The labels for which
|
||||
* user is not authenticated will be dropped even if it is passed via Scan Authorizations.
|
||||
* This is an implementation for ScanLabelGenerator.
|
||||
* It will extract labels from passed in authorizations and cross check
|
||||
* against the set of predefined authorization labels for given user.
|
||||
* The labels for which the user is not authorized will be dropped.
|
||||
*/
|
||||
@InterfaceAudience.Private
|
||||
public class DefaultScanLabelGenerator implements ScanLabelGenerator {
|
||||
public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator {
|
||||
|
||||
private static final Log LOG = LogFactory.getLog(DefaultScanLabelGenerator.class);
|
||||
private static final Log LOG = LogFactory.getLog(DefinedSetFilterScanLabelGenerator.class);
|
||||
|
||||
private Configuration conf;
|
||||
|
||||
private VisibilityLabelsCache labelsCache;
|
||||
|
||||
public DefaultScanLabelGenerator() {
|
||||
public DefinedSetFilterScanLabelGenerator() {
|
||||
this.labelsCache = VisibilityLabelsCache.get();
|
||||
}
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.hbase.security.visibility;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.apache.hadoop.hbase.classification.InterfaceAudience;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.hbase.security.User;
|
||||
|
||||
/**
|
||||
* If the passed in authorization is null, then this ScanLabelGenerator
|
||||
* feeds the set of predefined authorization labels for the given user. That is
|
||||
* the set defined by the admin using the VisibilityClient admin interface
|
||||
* or the set_auths shell command.
|
||||
* Otherwise the passed in authorization labels are returned with no change.
|
||||
*
|
||||
* Note: This SLG should not be used alone because it does not check
|
||||
* the passed in authorization labels against what the user is authorized for.
|
||||
*/
|
||||
@InterfaceAudience.Private
|
||||
public class FeedUserAuthScanLabelGenerator implements ScanLabelGenerator {
|
||||
|
||||
private static final Log LOG = LogFactory.getLog(FeedUserAuthScanLabelGenerator.class);
|
||||
|
||||
private Configuration conf;
|
||||
private VisibilityLabelsCache labelsCache;
|
||||
|
||||
public FeedUserAuthScanLabelGenerator() {
|
||||
this.labelsCache = VisibilityLabelsCache.get();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setConf(Configuration conf) {
|
||||
this.conf = conf;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Configuration getConf() {
|
||||
return this.conf;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> getLabels(User user, Authorizations authorizations) {
|
||||
if (authorizations == null || authorizations.getLabels() == null
|
||||
|| authorizations.getLabels().isEmpty()) {
|
||||
String userName = user.getShortName();
|
||||
return this.labelsCache.getAuths(userName);
|
||||
}
|
||||
return authorizations.getLabels();
|
||||
}
|
||||
|
||||
}
|
|
@ -188,10 +188,17 @@ public class VisibilityUtils {
|
|||
}
|
||||
}
|
||||
}
|
||||
// If the conf is not configured by default we need to have one SLG to be used
|
||||
// ie. DefaultScanLabelGenerator
|
||||
// If no SLG is specified in conf, by default we'll add two SLGs
|
||||
// 1. FeedUserAuthScanLabelGenerator
|
||||
// 2. DefinedSetFilterScanLabelGenerator
|
||||
// This stacking will achieve the following default behavior:
|
||||
// 1. If there is no Auths in the scan, we will obtain the global defined set for the user
|
||||
// from the labels table.
|
||||
// 2. If there is Auths in the scan, we will examine the passed in Auths and filter out the
|
||||
// labels that the user is not entitled to. Then use the resulting label set.
|
||||
if (slgs.isEmpty()) {
|
||||
slgs.add(ReflectionUtils.newInstance(DefaultScanLabelGenerator.class, conf));
|
||||
slgs.add(ReflectionUtils.newInstance(FeedUserAuthScanLabelGenerator.class, conf));
|
||||
slgs.add(ReflectionUtils.newInstance(DefinedSetFilterScanLabelGenerator.class, conf));
|
||||
}
|
||||
return slgs;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,210 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.hbase.security.visibility;
|
||||
|
||||
import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.assertNull;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.hbase.Cell;
|
||||
import org.apache.hadoop.hbase.CellScanner;
|
||||
import org.apache.hadoop.hbase.HBaseTestingUtility;
|
||||
import org.apache.hadoop.hbase.HConstants;
|
||||
import org.apache.hadoop.hbase.TableName;
|
||||
import org.apache.hadoop.hbase.client.Get;
|
||||
import org.apache.hadoop.hbase.client.HTable;
|
||||
import org.apache.hadoop.hbase.client.Put;
|
||||
import org.apache.hadoop.hbase.client.Result;
|
||||
import org.apache.hadoop.hbase.client.ResultScanner;
|
||||
import org.apache.hadoop.hbase.client.Scan;
|
||||
import org.apache.hadoop.hbase.client.Table;
|
||||
import org.apache.hadoop.hbase.security.User;
|
||||
import org.apache.hadoop.hbase.testclassification.MediumTests;
|
||||
import org.apache.hadoop.hbase.testclassification.SecurityTests;
|
||||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.experimental.categories.Category;
|
||||
import org.junit.rules.TestName;
|
||||
|
||||
@Category({SecurityTests.class, MediumTests.class})
|
||||
public class TestDefaultScanLabelGeneratorStack {
|
||||
|
||||
public static final String CONFIDENTIAL = "confidential";
|
||||
private static final String SECRET = "secret";
|
||||
public static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
|
||||
private static final byte[] ROW_1 = Bytes.toBytes("row1");
|
||||
private final static byte[] CF = Bytes.toBytes("f");
|
||||
private final static byte[] Q1 = Bytes.toBytes("q1");
|
||||
private final static byte[] Q2 = Bytes.toBytes("q2");
|
||||
private final static byte[] Q3 = Bytes.toBytes("q3");
|
||||
private final static byte[] value1 = Bytes.toBytes("value1");
|
||||
private final static byte[] value2 = Bytes.toBytes("value2");
|
||||
private final static byte[] value3 = Bytes.toBytes("value3");
|
||||
public static Configuration conf;
|
||||
|
||||
@Rule
|
||||
public final TestName TEST_NAME = new TestName();
|
||||
public static User SUPERUSER;
|
||||
public static User TESTUSER;
|
||||
|
||||
@BeforeClass
|
||||
public static void setupBeforeClass() throws Exception {
|
||||
// setup configuration
|
||||
conf = TEST_UTIL.getConfiguration();
|
||||
VisibilityTestUtil.enableVisiblityLabels(conf);
|
||||
// Not setting any SLG class. This means to use the default behavior.
|
||||
conf.set("hbase.superuser", "admin");
|
||||
TEST_UTIL.startMiniCluster(1);
|
||||
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
||||
TESTUSER = User.createUserForTesting(conf, "test", new String[] { });
|
||||
|
||||
// Wait for the labels table to become available
|
||||
TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
|
||||
|
||||
// Set up for the test
|
||||
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
public Void run() throws Exception {
|
||||
try {
|
||||
VisibilityClient.addLabels(conf, new String[] { SECRET, CONFIDENTIAL });
|
||||
VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL }, TESTUSER.getShortName());
|
||||
} catch (Throwable t) {
|
||||
throw new IOException(t);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDefaultScanLabelGeneratorStack() throws Exception {
|
||||
final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
||||
|
||||
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
public Void run() throws Exception {
|
||||
Table table = TEST_UTIL.createTable(tableName, CF);
|
||||
try {
|
||||
Put put = new Put(ROW_1);
|
||||
put.add(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
|
||||
put.setCellVisibility(new CellVisibility(SECRET));
|
||||
table.put(put);
|
||||
put = new Put(ROW_1);
|
||||
put.add(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
|
||||
put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
|
||||
table.put(put);
|
||||
put = new Put(ROW_1);
|
||||
put.add(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
|
||||
table.put(put);
|
||||
return null;
|
||||
} finally {
|
||||
table.close();
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
public Void run() throws Exception {
|
||||
Table table = new HTable(conf, tableName);
|
||||
try {
|
||||
// Test scan with no auth attribute
|
||||
Scan s = new Scan();
|
||||
ResultScanner scanner = table.getScanner(s);
|
||||
Result[] next = scanner.next(1);
|
||||
|
||||
assertTrue(next.length == 1);
|
||||
CellScanner cellScanner = next[0].cellScanner();
|
||||
cellScanner.advance();
|
||||
Cell current = cellScanner.current();
|
||||
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
|
||||
current.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||
assertTrue(Bytes.equals(current.getQualifier(), Q2));
|
||||
assertTrue(Bytes.equals(current.getValue(), value2));
|
||||
cellScanner.advance();
|
||||
current = cellScanner.current();
|
||||
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
|
||||
current.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||
assertTrue(Bytes.equals(current.getQualifier(), Q3));
|
||||
assertTrue(Bytes.equals(current.getValue(), value3));
|
||||
|
||||
// Test scan with correct auth attribute for test user
|
||||
Scan s1 = new Scan();
|
||||
// test user is entitled to 'CONFIDENTIAL'.
|
||||
// If we set both labels in the scan, 'SECRET' will be dropped by the SLGs.
|
||||
s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
|
||||
ResultScanner scanner1 = table.getScanner(s1);
|
||||
Result[] next1 = scanner1.next(1);
|
||||
|
||||
assertTrue(next1.length == 1);
|
||||
CellScanner cellScanner1 = next1[0].cellScanner();
|
||||
cellScanner1.advance();
|
||||
Cell current1 = cellScanner1.current();
|
||||
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(),
|
||||
current1.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||
assertTrue(Bytes.equals(current1.getQualifier(), Q2));
|
||||
assertTrue(Bytes.equals(current1.getValue(), value2));
|
||||
cellScanner1.advance();
|
||||
current1 = cellScanner1.current();
|
||||
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(),
|
||||
current1.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||
assertTrue(Bytes.equals(current1.getQualifier(), Q3));
|
||||
assertTrue(Bytes.equals(current1.getValue(), value3));
|
||||
|
||||
// Test scan with incorrect auth attribute for test user
|
||||
Scan s2 = new Scan();
|
||||
// test user is entitled to 'CONFIDENTIAL'.
|
||||
// If we set 'SECRET', it will be dropped by the SLGs.
|
||||
s2.setAuthorizations(new Authorizations(new String[] { SECRET }));
|
||||
ResultScanner scanner2 = table.getScanner(s2);
|
||||
Result next2 = scanner2.next();
|
||||
CellScanner cellScanner2 = next2.cellScanner();
|
||||
cellScanner2.advance();
|
||||
Cell current2 = cellScanner2.current();
|
||||
// This scan will only see value3 (no label)
|
||||
assertTrue(Bytes.equals(current2.getRowArray(), current2.getRowOffset(),
|
||||
current2.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||
assertTrue(Bytes.equals(current2.getQualifier(), Q3));
|
||||
assertTrue(Bytes.equals(current2.getValue(), value3));
|
||||
|
||||
assertFalse(cellScanner2.advance());
|
||||
|
||||
|
||||
return null;
|
||||
} finally {
|
||||
table.close();
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void tearDownAfterClass() throws Exception {
|
||||
TEST_UTIL.shutdownMiniCluster();
|
||||
}
|
||||
}
|
|
@ -67,7 +67,7 @@ public class TestEnforcingScanLabelGenerator {
|
|||
// setup configuration
|
||||
conf = TEST_UTIL.getConfiguration();
|
||||
VisibilityTestUtil.enableVisiblityLabels(conf);
|
||||
String classes = DefaultScanLabelGenerator.class.getCanonicalName() + " , "
|
||||
String classes = DefinedSetFilterScanLabelGenerator.class.getCanonicalName() + " , "
|
||||
+ EnforcingScanLabelGenerator.class.getCanonicalName();
|
||||
conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, classes);
|
||||
conf.set("hbase.superuser", "admin");
|
||||
|
|
Loading…
Reference in New Issue