Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-13294 Fix the critical ancient loopholes in security testing infrastructure (Srikanth Srungarapu)

This commit is contained in:
Andrew Purtell 2015-03-25 09:28:12 -07:00
parent 01fdafb5ee
commit 050028c32e
7 changed files with 269 additions and 383 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
View File

@ -154,6 +154,7 @@ public class SecureTestUtil {
*/
static interface AccessTestAction extends PrivilegedExceptionAction<Object> { }
/** This fails only in case of ADE or empty list for any of the actions. */
public static void verifyAllowed(User user, AccessTestAction... actions) throws Exception {
for (AccessTestAction action : actions) {
try {
@ -170,6 +171,7 @@ public class SecureTestUtil {
}
}
/** This fails only in case of ADE or empty list for any of the users. */
public static void verifyAllowed(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
verifyAllowed(user, action);
@ -191,36 +193,53 @@ public class SecureTestUtil {
}
}
public static void verifyDeniedWithException(User user, AccessTestAction... actions)
throws Exception {
verifyDenied(user, true, actions);
}
public static void verifyDeniedWithException(AccessTestAction action, User... users)
throws Exception {
/** This passes only in case of ADE for all users. */
public static void verifyDenied(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
verifyDenied(user, true, action);
verifyDenied(user, action);
}
}
public static void verifyDenied(User user, AccessTestAction... actions) throws Exception {
verifyDenied(user, false, actions);
}
public static void verifyDenied(User user, boolean requireException,
AccessTestAction... actions) throws Exception {
for (AccessTestAction action : actions) {
/** This passes only in case of empty list for all users. */
public static void verifyIfEmptyList(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
try {
Object obj = user.runAs(action);
if (requireException) {
fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
}
if (obj != null && obj instanceof List<?>) {
List<?> results = (List<?>) obj;
if (results != null && !results.isEmpty()) {
fail("Unexpected results for user '" + user.getShortName() + "'");
fail("Unexpected action results: " + results + " for user '"
+ user.getShortName() + "'");
}
} else {
fail("Unexpected results for user '" + user.getShortName() + "'");
}
} catch (AccessDeniedException ade) {
fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
}
}
}
/** This passes only in case of null for all users. */
public static void verifyIfNull(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
try {
Object obj = user.runAs(action);
if (obj != null) {
fail("Non null results from action for user '" + user.getShortName() + "'");
}
} catch (AccessDeniedException ade) {
fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
}
}
}
/** This passes only in case of ADE for all actions. */
public static void verifyDenied(User user, AccessTestAction... actions) throws Exception {
for (AccessTestAction action : actions) {
try {
user.runAs(action);
fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
} catch (IOException e) {
boolean isAccessDeniedException = false;
if(e instanceof RetriesExhaustedWithDetailsException) {
@ -266,12 +285,6 @@ public class SecureTestUtil {
}
}
public static void verifyDenied(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
verifyDenied(user, action);
}
}
private static List<AccessController> getAccessControllers(MiniHBaseCluster cluster) {
List<AccessController> result = Lists.newArrayList();
for (RegionServerThread t: cluster.getLiveRegionServerThreads()) {

352
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -137,7 +137,11 @@ public class TestAccessController extends SecureTestUtil {
@Rule public TestTableName TEST_TABLE = new TestTableName();
private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
private static Configuration conf;
private static Connection connection;
/** The systemUserConnection created here is tied to the system user. In case, you are planning
* to create AccessTestAction, DON'T use this systemUserConnection as the 'doAs' user
* gets eclipsed by the system user. */
private static Connection systemUserConnection;
// user with all permissions
@ -211,12 +215,11 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
connection = ConnectionFactory.createConnection(conf);
systemUserConnection = TEST_UTIL.getConnection();
}
@AfterClass
public static void tearDownAfterClass() throws Exception {
connection.close();
TEST_UTIL.shutdownMiniCluster();
}
@ -267,7 +270,7 @@ public class TestAccessController extends SecureTestUtil {
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(connection,
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size());
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
@ -355,8 +358,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE);
verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
}
@Test
@ -452,8 +455,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testMove() throws Exception {
List<HRegionLocation> regions;
try (RegionLocator locator =
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@ -475,8 +477,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testAssign() throws Exception {
List<HRegionLocation> regions;
try (RegionLocator locator =
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@ -496,8 +497,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testUnassign() throws Exception {
List<HRegionLocation> regions;
try (RegionLocator locator =
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@ -517,8 +517,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testRegionOffline() throws Exception {
List<HRegionLocation> regions;
try (RegionLocator locator =
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@ -674,20 +673,6 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
}
@Test
public void testPreCompactSelection() throws Exception {
AccessTestAction action = new AccessTestAction() {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preCompactSelection(ObserverContext.createAndPrepare(RCP_ENV, null), null, null);
return null;
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
}
private void verifyRead(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
verifyDenied(action, USER_NONE);
@ -706,11 +691,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Get g = new Get(TEST_ROW);
g.addFamily(TEST_FAMILY);
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.get(g);
} finally {
t.close();
}
return null;
}
@ -724,9 +707,9 @@ public class TestAccessController extends SecureTestUtil {
Scan s = new Scan();
s.addFamily(TEST_FAMILY);
Table table = new HTable(conf, TEST_TABLE.getTableName());
try {
ResultScanner scanner = table.getScanner(s);
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
ResultScanner scanner = t.getScanner(s);
try {
for (Result r = scanner.next(); r != null; r = scanner.next()) {
// do nothing
@ -735,8 +718,6 @@ public class TestAccessController extends SecureTestUtil {
} finally {
scanner.close();
}
} finally {
table.close();
}
return null;
}
@ -753,11 +734,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Put p = new Put(TEST_ROW);
p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.put(p);
} finally {
t.close();
}
return null;
}
@ -770,11 +749,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(TEST_FAMILY);
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.delete(d);
} finally {
t.close();
}
return null;
}
@ -787,11 +764,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Increment inc = new Increment(TEST_ROW);
inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1);
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.increment(inc);
} finally {
t.close();
}
return null;
}
@ -807,12 +782,10 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(TEST_FAMILY);
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
Bytes.toBytes("test_value"), d);
} finally {
t.close();
Bytes.toBytes("test_value"), d);
}
return null;
}
@ -825,12 +798,10 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Put p = new Put(TEST_ROW);
p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
Bytes.toBytes("test_value"), p);
} finally {
t.close();
Bytes.toBytes("test_value"), p);
}
return null;
}
@ -927,7 +898,8 @@ public class TestAccessController extends SecureTestUtil {
//set global read so RegionServer can move it
setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx"));
try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(tableName)) {
try (Connection conn = ConnectionFactory.createConnection(conf);
HTable table = (HTable)conn.getTable(tableName)) {
TEST_UTIL.waitUntilAllRegionsAssigned(tableName);
LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf);
loader.doBulkLoad(loadPath, table);
@ -959,12 +931,10 @@ public class TestAccessController extends SecureTestUtil {
put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1));
Append append = new Append(row);
append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2));
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.put(put);
t.append(append);
} finally {
t.close();
}
return null;
}
@ -979,15 +949,13 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction grantAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
TEST_FAMILY, null, Action.READ);
} finally {
acl.close();
}
return null;
}
@ -996,15 +964,13 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction revokeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
TEST_FAMILY, null, Action.READ);
} finally {
acl.close();
TEST_FAMILY, null, Action.READ);
}
return null;
}
@ -1013,14 +979,12 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getTablePermissionsAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName());
} finally {
acl.close();
}
return null;
}
@ -1029,14 +993,12 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol);
} finally {
acl.close();
}
return null;
}
@ -1052,7 +1014,7 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
verifyDeniedWithException(getGlobalPermissionsAction, USER_CREATE,
verifyDenied(getGlobalPermissionsAction, USER_CREATE,
USER_OWNER, USER_RW, USER_RO, USER_NONE);
}
@ -1087,11 +1049,9 @@ public class TestAccessController extends SecureTestUtil {
Put p = new Put(Bytes.toBytes("a"));
p.add(family1, qualifier, Bytes.toBytes("v1"));
p.add(family2, qualifier, Bytes.toBytes("v2"));
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.put(p);
} finally {
t.close();
}
return null;
}
@ -1102,11 +1062,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Put p = new Put(Bytes.toBytes("a"));
p.add(family1, qualifier, Bytes.toBytes("v1"));
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.put(p);
} finally {
t.close();
}
return null;
}
@ -1117,11 +1075,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Put p = new Put(Bytes.toBytes("a"));
p.add(family2, qualifier, Bytes.toBytes("v2"));
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.put(p);
} finally {
t.close();
}
return null;
}
@ -1133,11 +1089,9 @@ public class TestAccessController extends SecureTestUtil {
Get g = new Get(TEST_ROW);
g.addFamily(family1);
g.addFamily(family2);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.get(g);
} finally {
t.close();
}
return null;
}
@ -1148,11 +1102,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Get g = new Get(TEST_ROW);
g.addFamily(family1);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.get(g);
} finally {
t.close();
}
return null;
}
@ -1163,11 +1115,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Get g = new Get(TEST_ROW);
g.addFamily(family2);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.get(g);
} finally {
t.close();
}
return null;
}
@ -1179,11 +1129,9 @@ public class TestAccessController extends SecureTestUtil {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(family1);
d.deleteFamily(family2);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.delete(d);
} finally {
t.close();
}
return null;
}
@ -1194,11 +1142,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(family1);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.delete(d);
} finally {
t.close();
}
return null;
}
@ -1209,11 +1155,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(family2);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.delete(d);
} finally {
t.close();
}
return null;
}
@ -1354,11 +1298,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Get g = new Get(TEST_ROW);
g.addColumn(family1, qualifier);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.get(g);
} finally {
t.close();
}
return null;
}
@ -1369,11 +1311,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
Put p = new Put(TEST_ROW);
p.add(family1, qualifier, Bytes.toBytes("v1"));
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.put(p);
} finally {
t.close();
}
return null;
}
@ -1385,11 +1325,9 @@ public class TestAccessController extends SecureTestUtil {
Delete d = new Delete(TEST_ROW);
d.deleteColumn(family1, qualifier);
// d.deleteFamily(family1);
Table t = new HTable(conf, tableName);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(tableName)) {
t.delete(d);
} finally {
t.close();
}
return null;
}
@ -1461,7 +1399,7 @@ public class TestAccessController extends SecureTestUtil {
List<UserPermission> perms;
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol =
@ -1474,7 +1412,7 @@ public class TestAccessController extends SecureTestUtil {
UserPermission ownerperm = new UserPermission(
Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values());
assertTrue("Owner should have all permissions on table",
hasFoundUserPermission(ownerperm, perms));
hasFoundUserPermission(ownerperm, perms));
User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
byte[] userName = Bytes.toBytes(user.getShortName());
@ -1488,7 +1426,7 @@ public class TestAccessController extends SecureTestUtil {
grantOnTable(TEST_UTIL, user.getShortName(),
tableName, family1, qualifier, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol =
@ -1513,7 +1451,7 @@ public class TestAccessController extends SecureTestUtil {
tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol =
@ -1532,7 +1470,7 @@ public class TestAccessController extends SecureTestUtil {
revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol =
@ -1543,7 +1481,7 @@ public class TestAccessController extends SecureTestUtil {
}
assertFalse("User should not be granted permission: " + upToVerify.toString(),
hasFoundUserPermission(upToVerify, perms));
hasFoundUserPermission(upToVerify, perms));
// disable table before modification
admin.disableTable(tableName);
@ -1552,7 +1490,7 @@ public class TestAccessController extends SecureTestUtil {
htd.setOwner(newOwner);
admin.modifyTable(tableName, htd);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol =
@ -1565,7 +1503,7 @@ public class TestAccessController extends SecureTestUtil {
UserPermission newOwnerperm = new UserPermission(
Bytes.toBytes(newOwner.getName()), tableName, null, Action.values());
assertTrue("New owner should have all permissions on table",
hasFoundUserPermission(newOwnerperm, perms));
hasFoundUserPermission(newOwnerperm, perms));
// delete table
deleteTable(TEST_UTIL, tableName);
@ -1574,7 +1512,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testGlobalPermissionList() throws Exception {
List<UserPermission> perms;
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
@ -1609,8 +1547,8 @@ public class TestAccessController extends SecureTestUtil {
AccessControlProtos.GlobalPermission.newBuilder()
.addAction(ProtobufUtil.toPermissionAction(a)).build()));
}
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel);
@ -1619,8 +1557,6 @@ public class TestAccessController extends SecureTestUtil {
} catch (ServiceException se) {
ProtobufUtil.toIOException(se);
}
} finally {
acl.close();
}
}
@ -1639,8 +1575,8 @@ public class TestAccessController extends SecureTestUtil {
for (Permission p : perms) {
request.addPermission(ProtobufUtil.toPermission(p));
}
Table acl = new HTable(conf, table);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(table)) {
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0]));
try {
@ -1648,8 +1584,6 @@ public class TestAccessController extends SecureTestUtil {
} catch (ServiceException se) {
ProtobufUtil.toIOException(se);
}
} finally {
acl.close();
}
}
@ -1789,7 +1723,7 @@ public class TestAccessController extends SecureTestUtil {
.setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName()))
.addAction(AccessControlProtos.Permission.Action.CREATE))
).build();
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
@ -1939,13 +1873,13 @@ public class TestAccessController extends SecureTestUtil {
// Move region to the new RegionServer.
List<HRegionLocation> regions;
try (RegionLocator locator = TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE2)) {
try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE2)) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
final HRegionInfo hri = location.getRegionInfo();
final ServerName server = location.getServerName();
try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(TEST_TABLE2)) {
try (HTable table = (HTable) systemUserConnection.getTable(TEST_TABLE2)) {
AccessTestAction moveAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
@ -1997,37 +1931,25 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction listTablesAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Connection unmanagedConnection =
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Admin admin = unmanagedConnection.getAdmin();
try {
admin.listTables();
} finally {
admin.close();
unmanagedConnection.close();
try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Admin admin = conn.getAdmin()) {
return Arrays.asList(admin.listTables());
}
return null;
}
};
AccessTestAction getTableDescAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Connection unmanagedConnection =
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Admin admin = unmanagedConnection.getAdmin();
try {
admin.getTableDescriptor(TEST_TABLE.getTableName());
} finally {
admin.close();
unmanagedConnection.close();
try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Admin admin = conn.getAdmin();) {
return admin.getTableDescriptor(TEST_TABLE.getTableName());
}
return null;
}
};
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
verifyDenied(listTablesAction, USER_RW, USER_RO, USER_NONE);
verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
@ -2051,7 +1973,7 @@ public class TestAccessController extends SecureTestUtil {
};
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO);
verifyDenied(listTablesAction, USER_NONE);
verifyIfEmptyList(listTablesAction, USER_NONE);
}
@Test
@ -2087,28 +2009,23 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName());) {
return t.get(new Get(TEST_ROW));
} finally {
t.close();
}
}
};
verifyDenied(getAction, USER_NONE);
String namespace = "testNamespaceUserGrant";
NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
// Grant namespace READ to USER_NONE, this should supersede any table permissions
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
// Now USER_NONE should be able to read also
// Now USER_NONE should be able to read
verifyAllowed(getAction, USER_NONE);
TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace);
// Revoke namespace READ to USER_NONE
revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
verifyDenied(getAction, USER_NONE);
}
@Test
@ -2118,11 +2035,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(new Get(TEST_ROW));
} finally {
t.close();
}
}
};
@ -2131,7 +2046,7 @@ public class TestAccessController extends SecureTestUtil {
// Grant table READ permissions to testGrantRevoke.
try {
grantOnTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(),
grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
@ -2142,7 +2057,7 @@ public class TestAccessController extends SecureTestUtil {
// Revoke table READ permission to testGrantRevoke.
try {
revokeFromTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(),
revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e);
@ -2160,11 +2075,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(new Get(TEST_ROW));
} finally {
t.close();
}
}
};
@ -2173,7 +2086,7 @@ public class TestAccessController extends SecureTestUtil {
// Grant table READ permissions to testGlobalGrantRevoke.
try {
grantGlobalUsingAccessControlClient(TEST_UTIL, connection,
grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
@ -2184,7 +2097,7 @@ public class TestAccessController extends SecureTestUtil {
// Revoke table READ permission to testGlobalGrantRevoke.
try {
revokeGlobalUsingAccessControlClient(TEST_UTIL, connection,
revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e);
@ -2201,11 +2114,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(new Get(TEST_ROW));
} finally {
t.close();
}
}
};
@ -2214,7 +2125,7 @@ public class TestAccessController extends SecureTestUtil {
// Grant namespace READ to testNS, this should supersede any table permissions
try {
grantOnNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(),
grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
@ -2225,7 +2136,7 @@ public class TestAccessController extends SecureTestUtil {
// Revoke namespace READ to testNS, this should supersede any table permissions
try {
revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(),
revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e);
@ -2306,32 +2217,25 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction execEndpointAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName());) {
BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
} finally {
t.close();
}
return null;
}
};
// Verify that EXEC permission is checked correctly
verifyDenied(execEndpointAction, userB);
verifyAllowed(execEndpointAction, userA);
String namespace = "testCoprocessorExec";
NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
// Now grant EXEC to the entire namespace to user B
grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
// User B should now be allowed also
verifyAllowed(execEndpointAction, userA, userB);
TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace);
revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
// Verify that EXEC permission is checked correctly
verifyDenied(execEndpointAction, userB);
verifyAllowed(execEndpointAction, userA);
}
@Test
@ -2368,7 +2272,7 @@ public class TestAccessController extends SecureTestUtil {
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
try {
List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
connection, AccessControlLists.toNamespaceEntry(namespace));
systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
assertTrue(namespacePermissions != null);
assertTrue(namespacePermissions.size() == 1);
} catch (Throwable thw) {
@ -2380,15 +2284,15 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testTruncatePerms() throws Throwable {
List<UserPermission> existingPerms =
AccessControlClient.getUserPermissions(connection,
AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.getTableName().getNameAsString());
assertTrue(existingPerms != null);
assertTrue(existingPerms.size() > 1);
try (Admin admin = connection.getAdmin()) {
try (Admin admin = systemUserConnection.getAdmin()) {
admin.disableTable(TEST_TABLE.getTableName());
admin.truncateTable(TEST_TABLE.getTableName(), true);
}
List<UserPermission> perms = AccessControlClient.getUserPermissions(connection,
List<UserPermission> perms = AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.getTableName().getNameAsString());
assertTrue(perms != null);
assertEquals(existingPerms.size(), perms.size());
@ -2398,19 +2302,11 @@ public class TestAccessController extends SecureTestUtil {
return new PrivilegedAction<List<UserPermission>>() {
@Override
public List<UserPermission> run() {
Connection connection = null;
try {
connection = ConnectionFactory.createConnection(conf);
return AccessControlClient.getUserPermissions(connection, regex);
try(Connection conn = ConnectionFactory.createConnection(conf);) {
return AccessControlClient.getUserPermissions(conn, regex);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.getUserPermissions.", e);
return null;
} finally {
try {
connection.close();
} catch (IOException e) {
LOG.error("Error during close of connection.", e);
}
}
}
};

19
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
View File

@ -68,7 +68,7 @@ public class TestAccessController2 extends SecureTestUtil {
private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
private static Configuration conf;
private static Connection connection;
private static Connection systemUserConnection;
private final static byte[] Q1 = Bytes.toBytes("q1");
private final static byte[] value1 = Bytes.toBytes("value1");
@ -108,7 +108,7 @@ public class TestAccessController2 extends SecureTestUtil {
TESTGROUP2_USER1 =
User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 });
connection = ConnectionFactory.createConnection(conf);
systemUserConnection = ConnectionFactory.createConnection(conf);
}
@Before
@ -138,7 +138,7 @@ public class TestAccessController2 extends SecureTestUtil {
assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size());
try {
assertEquals(1, AccessControlClient.getUserPermissions(connection, tableName.toString())
assertEquals(1, AccessControlClient.getUserPermissions(systemUserConnection, tableName.toString())
.size());
} catch (Throwable e) {
LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e);
@ -148,7 +148,6 @@ public class TestAccessController2 extends SecureTestUtil {
@AfterClass
public static void tearDownAfterClass() throws Exception {
connection.close();
TEST_UTIL.shutdownMiniCluster();
}
@ -254,13 +253,11 @@ public class TestAccessController2 extends SecureTestUtil {
AccessTestAction writeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
TEST_VALUE));
return null;
} finally {
t.close();
}
}
};
@ -277,8 +274,8 @@ public class TestAccessController2 extends SecureTestUtil {
AccessTestAction scanAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
ResultScanner s = t.getScanner(new Scan());
try {
for (Result r = s.next(); r != null; r = s.next()) {
@ -288,8 +285,6 @@ public class TestAccessController2 extends SecureTestUtil {
s.close();
}
return null;
} finally {
t.close();
}
}
};

27
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
View File

@ -38,7 +38,6 @@ import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table;
@ -153,8 +152,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
verifyAllowed(new AccessTestAction() {
@Override
public Object run() throws Exception {
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
Put p;
// with ro ACL
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
@ -173,8 +172,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
t.put(p);
} finally {
t.close();
}
return null;
}
@ -187,11 +184,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
public Object run() throws Exception {
Get get = new Get(TEST_ROW);
get.setMaxVersions(10);
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(get).listCells();
} finally {
t.close();
}
}
};
@ -201,11 +196,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
public Object run() throws Exception {
Get get = new Get(TEST_ROW);
get.setMaxVersions(10);
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(get).listCells();
} finally {
t.close();
}
}
};
@ -218,8 +211,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
verifyAllowed(new AccessTestAction() {
@Override
public Object run() throws Exception {
Table t = new HTable(conf, TEST_TABLE.getTableName());
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(TEST_TABLE.getTableName())) {
Put p;
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
@ -230,8 +223,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
t.put(p);
} finally {
t.close();
}
return null;
}
@ -439,7 +430,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
// The other put should be covered by the tombstone
verifyDenied(getQ2, USER_OTHER);
verifyIfNull(getQ2, USER_OTHER);
}
@Test

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
View File

@ -228,8 +228,8 @@ public class TestCellACLs extends SecureTestUtil {
// Confirm this access does not extend to other cells
verifyDenied(getQ3, USER_OTHER);
verifyDenied(getQ4, USER_OTHER);
verifyIfNull(getQ3, USER_OTHER);
verifyIfNull(getQ4, USER_OTHER);
/* ---- Scans ---- */

185
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
View File

@ -35,7 +35,6 @@ import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
@ -156,8 +155,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Test
public void testAclTableEntries() throws Exception {
String userTestNamespace = "userTestNsp";
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
ListMultimap<String, TablePermission> perms =
AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
@ -188,8 +187,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(5, perms.size());
} finally {
acl.close();
}
}
@ -208,16 +205,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDeniedWithException(modifyNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC);
verifyDenied(modifyNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC);
}
@Test
@ -246,7 +243,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_GLOBAL_ADMIN);
// all others should be denied
verifyDeniedWithException(createNamespace,
verifyDenied(createNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
@ -264,18 +261,18 @@ public class TestNamespaceCommands extends SecureTestUtil {
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDeniedWithException(deleteNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(deleteNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
}
@Test
@ -294,17 +291,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_GLOBAL_ADMIN,
USER_NS_ADMIN);
verifyDeniedWithException(getNamespaceAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(getNamespaceAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
}
@Test
@ -359,15 +356,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction grantAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service =
acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
} finally {
acl.close();
}
return null;
}
@ -375,15 +370,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction revokeAction = new AccessTestAction() {
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service =
acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
} finally {
acl.close();
}
return null;
}
@ -392,14 +385,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction getPermissionsAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(TEST_NAMESPACE));
} finally {
acl.close();
}
return null;
}
@ -409,52 +400,52 @@ public class TestNamespaceCommands extends SecureTestUtil {
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDeniedWithException(grantAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(grantAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(revokeAction,
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDeniedWithException(revokeAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(revokeAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(getPermissionsAction,
SUPERUSER,
USER_GLOBAL_ADMIN,
USER_NS_ADMIN);
verifyDeniedWithException(getPermissionsAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(getPermissionsAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
}
@Test
@ -475,16 +466,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_GLOBAL_CREATE,
USER_NS_CREATE);
verifyDeniedWithException(createTable,
USER_GLOBAL_ADMIN,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(createTable,
USER_GLOBAL_ADMIN,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
}
}

2
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
View File

@ -220,7 +220,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
}, USER_OTHER);
// A scan of FAMILY2 will throw an AccessDeniedException
verifyDeniedWithException(new AccessTestAction() {
verifyDenied(new AccessTestAction() {
@Override
public Object run() throws Exception {
// force a new RS connection