Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-13294 Fix the critical ancient loopholes in security testing infrastructure (Srikanth Srungarapu)

This commit is contained in:
Andrew Purtell 2015-03-25 09:28:12 -07:00
parent 01fdafb5ee
commit 050028c32e
7 changed files with 269 additions and 383 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
View File

@ -154,6 +154,7 @@ public class SecureTestUtil {
*/ */
static interface AccessTestAction extends PrivilegedExceptionAction<Object> { } static interface AccessTestAction extends PrivilegedExceptionAction<Object> { }
/** This fails only in case of ADE or empty list for any of the actions. */
public static void verifyAllowed(User user, AccessTestAction... actions) throws Exception { public static void verifyAllowed(User user, AccessTestAction... actions) throws Exception {
for (AccessTestAction action : actions) { for (AccessTestAction action : actions) {
try { try {
@ -170,6 +171,7 @@ public class SecureTestUtil {
} }
} }
/** This fails only in case of ADE or empty list for any of the users. */
public static void verifyAllowed(AccessTestAction action, User... users) throws Exception { public static void verifyAllowed(AccessTestAction action, User... users) throws Exception {
for (User user : users) { for (User user : users) {
verifyAllowed(user, action); verifyAllowed(user, action);
@ -191,36 +193,53 @@ public class SecureTestUtil {
} }
} }
public static void verifyDeniedWithException(User user, AccessTestAction... actions) /** This passes only in case of ADE for all users. */
throws Exception { public static void verifyDenied(AccessTestAction action, User... users) throws Exception {
verifyDenied(user, true, actions);
}
public static void verifyDeniedWithException(AccessTestAction action, User... users)
throws Exception {
for (User user : users) { for (User user : users) {
verifyDenied(user, true, action); verifyDenied(user, action);
} }
} }
public static void verifyDenied(User user, AccessTestAction... actions) throws Exception { /** This passes only in case of empty list for all users. */
verifyDenied(user, false, actions); public static void verifyIfEmptyList(AccessTestAction action, User... users) throws Exception {
} for (User user : users) {
public static void verifyDenied(User user, boolean requireException,
AccessTestAction... actions) throws Exception {
for (AccessTestAction action : actions) {
try { try {
Object obj = user.runAs(action); Object obj = user.runAs(action);
if (requireException) {
fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
}
if (obj != null && obj instanceof List<?>) { if (obj != null && obj instanceof List<?>) {
List<?> results = (List<?>) obj; List<?> results = (List<?>) obj;
if (results != null && !results.isEmpty()) { if (results != null && !results.isEmpty()) {
fail("Unexpected results for user '" + user.getShortName() + "'"); fail("Unexpected action results: " + results + " for user '"
+ user.getShortName() + "'");
} }
} else {
fail("Unexpected results for user '" + user.getShortName() + "'");
} }
} catch (AccessDeniedException ade) {
fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
}
}
}
/** This passes only in case of null for all users. */
public static void verifyIfNull(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
try {
Object obj = user.runAs(action);
if (obj != null) {
fail("Non null results from action for user '" + user.getShortName() + "'");
}
} catch (AccessDeniedException ade) {
fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
}
}
}
/** This passes only in case of ADE for all actions. */
public static void verifyDenied(User user, AccessTestAction... actions) throws Exception {
for (AccessTestAction action : actions) {
try {
user.runAs(action);
fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
} catch (IOException e) { } catch (IOException e) {
boolean isAccessDeniedException = false; boolean isAccessDeniedException = false;
if(e instanceof RetriesExhaustedWithDetailsException) { if(e instanceof RetriesExhaustedWithDetailsException) {
@ -266,12 +285,6 @@ public class SecureTestUtil {
} }
} }
public static void verifyDenied(AccessTestAction action, User... users) throws Exception {
for (User user : users) {
verifyDenied(user, action);
}
}
private static List<AccessController> getAccessControllers(MiniHBaseCluster cluster) { private static List<AccessController> getAccessControllers(MiniHBaseCluster cluster) {
List<AccessController> result = Lists.newArrayList(); List<AccessController> result = Lists.newArrayList();
for (RegionServerThread t: cluster.getLiveRegionServerThreads()) { for (RegionServerThread t: cluster.getLiveRegionServerThreads()) {

352
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -137,7 +137,11 @@ public class TestAccessController extends SecureTestUtil {
@Rule public TestTableName TEST_TABLE = new TestTableName(); @Rule public TestTableName TEST_TABLE = new TestTableName();
private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
private static Configuration conf; private static Configuration conf;
private static Connection connection;
/** The systemUserConnection created here is tied to the system user. In case, you are planning
* to create AccessTestAction, DON'T use this systemUserConnection as the 'doAs' user
* gets eclipsed by the system user. */
private static Connection systemUserConnection;
// user with all permissions // user with all permissions
@ -211,12 +215,11 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
connection = ConnectionFactory.createConnection(conf); systemUserConnection = TEST_UTIL.getConnection();
} }
@AfterClass @AfterClass
public static void tearDownAfterClass() throws Exception { public static void tearDownAfterClass() throws Exception {
connection.close();
TEST_UTIL.shutdownMiniCluster(); TEST_UTIL.shutdownMiniCluster();
} }
@ -267,7 +270,7 @@ public class TestAccessController extends SecureTestUtil {
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
try { try {
assertEquals(5, AccessControlClient.getUserPermissions(connection, assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size()); TEST_TABLE.toString()).size());
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
@ -355,8 +358,8 @@ public class TestAccessController extends SecureTestUtil {
} }
}; };
verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE); verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_OWNER); verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
} }
@Test @Test
@ -452,8 +455,7 @@ public class TestAccessController extends SecureTestUtil {
@Test @Test
public void testMove() throws Exception { public void testMove() throws Exception {
List<HRegionLocation> regions; List<HRegionLocation> regions;
try (RegionLocator locator = try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations(); regions = locator.getAllRegionLocations();
} }
HRegionLocation location = regions.get(0); HRegionLocation location = regions.get(0);
@ -475,8 +477,7 @@ public class TestAccessController extends SecureTestUtil {
@Test @Test
public void testAssign() throws Exception { public void testAssign() throws Exception {
List<HRegionLocation> regions; List<HRegionLocation> regions;
try (RegionLocator locator = try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations(); regions = locator.getAllRegionLocations();
} }
HRegionLocation location = regions.get(0); HRegionLocation location = regions.get(0);
@ -496,8 +497,7 @@ public class TestAccessController extends SecureTestUtil {
@Test @Test
public void testUnassign() throws Exception { public void testUnassign() throws Exception {
List<HRegionLocation> regions; List<HRegionLocation> regions;
try (RegionLocator locator = try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations(); regions = locator.getAllRegionLocations();
} }
HRegionLocation location = regions.get(0); HRegionLocation location = regions.get(0);
@ -517,8 +517,7 @@ public class TestAccessController extends SecureTestUtil {
@Test @Test
public void testRegionOffline() throws Exception { public void testRegionOffline() throws Exception {
List<HRegionLocation> regions; List<HRegionLocation> regions;
try (RegionLocator locator = try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
regions = locator.getAllRegionLocations(); regions = locator.getAllRegionLocations();
} }
HRegionLocation location = regions.get(0); HRegionLocation location = regions.get(0);
@ -674,20 +673,6 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(action, USER_RW, USER_RO, USER_NONE); verifyDenied(action, USER_RW, USER_RO, USER_NONE);
} }
@Test
public void testPreCompactSelection() throws Exception {
AccessTestAction action = new AccessTestAction() {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preCompactSelection(ObserverContext.createAndPrepare(RCP_ENV, null), null, null);
return null;
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
}
private void verifyRead(AccessTestAction action) throws Exception { private void verifyRead(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
verifyDenied(action, USER_NONE); verifyDenied(action, USER_NONE);
@ -706,11 +691,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Get g = new Get(TEST_ROW); Get g = new Get(TEST_ROW);
g.addFamily(TEST_FAMILY); g.addFamily(TEST_FAMILY);
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.get(g); t.get(g);
} finally {
t.close();
} }
return null; return null;
} }
@ -724,9 +707,9 @@ public class TestAccessController extends SecureTestUtil {
Scan s = new Scan(); Scan s = new Scan();
s.addFamily(TEST_FAMILY); s.addFamily(TEST_FAMILY);
Table table = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
ResultScanner scanner = table.getScanner(s); ResultScanner scanner = t.getScanner(s);
try { try {
for (Result r = scanner.next(); r != null; r = scanner.next()) { for (Result r = scanner.next(); r != null; r = scanner.next()) {
// do nothing // do nothing
@ -735,8 +718,6 @@ public class TestAccessController extends SecureTestUtil {
} finally { } finally {
scanner.close(); scanner.close();
} }
} finally {
table.close();
} }
return null; return null;
} }
@ -753,11 +734,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Put p = new Put(TEST_ROW); Put p = new Put(TEST_ROW);
p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -770,11 +749,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Delete d = new Delete(TEST_ROW); Delete d = new Delete(TEST_ROW);
d.deleteFamily(TEST_FAMILY); d.deleteFamily(TEST_FAMILY);
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.delete(d); t.delete(d);
} finally {
t.close();
} }
return null; return null;
} }
@ -787,11 +764,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Increment inc = new Increment(TEST_ROW); Increment inc = new Increment(TEST_ROW);
inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1);
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.increment(inc); t.increment(inc);
} finally {
t.close();
} }
return null; return null;
} }
@ -807,12 +782,10 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Delete d = new Delete(TEST_ROW); Delete d = new Delete(TEST_ROW);
d.deleteFamily(TEST_FAMILY); d.deleteFamily(TEST_FAMILY);
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
Bytes.toBytes("test_value"), d); Bytes.toBytes("test_value"), d);
} finally {
t.close();
} }
return null; return null;
} }
@ -825,12 +798,10 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Put p = new Put(TEST_ROW); Put p = new Put(TEST_ROW);
p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
Bytes.toBytes("test_value"), p); Bytes.toBytes("test_value"), p);
} finally {
t.close();
} }
return null; return null;
} }
@ -927,7 +898,8 @@ public class TestAccessController extends SecureTestUtil {
//set global read so RegionServer can move it //set global read so RegionServer can move it
setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx")); setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx"));
try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(tableName)) { try (Connection conn = ConnectionFactory.createConnection(conf);
HTable table = (HTable)conn.getTable(tableName)) {
TEST_UTIL.waitUntilAllRegionsAssigned(tableName); TEST_UTIL.waitUntilAllRegionsAssigned(tableName);
LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf); LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf);
loader.doBulkLoad(loadPath, table); loader.doBulkLoad(loadPath, table);
@ -959,12 +931,10 @@ public class TestAccessController extends SecureTestUtil {
put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1)); put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1));
Append append = new Append(row); Append append = new Append(row);
append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2));
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
t.put(put); t.put(put);
t.append(append); t.append(append);
} finally {
t.close();
} }
return null; return null;
} }
@ -979,15 +949,13 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction grantAction = new AccessTestAction() { AccessTestAction grantAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
TEST_FAMILY, null, Action.READ); TEST_FAMILY, null, Action.READ);
} finally {
acl.close();
} }
return null; return null;
} }
@ -996,15 +964,13 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction revokeAction = new AccessTestAction() { AccessTestAction revokeAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
TEST_FAMILY, null, Action.READ); TEST_FAMILY, null, Action.READ);
} finally {
acl.close();
} }
return null; return null;
} }
@ -1013,14 +979,12 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getTablePermissionsAction = new AccessTestAction() { AccessTestAction getTablePermissionsAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName());
} finally {
acl.close();
} }
return null; return null;
} }
@ -1029,14 +993,12 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getGlobalPermissionsAction = new AccessTestAction() { AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol); ProtobufUtil.getUserPermissions(protocol);
} finally {
acl.close();
} }
return null; return null;
} }
@ -1052,7 +1014,7 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
verifyDeniedWithException(getGlobalPermissionsAction, USER_CREATE, verifyDenied(getGlobalPermissionsAction, USER_CREATE,
USER_OWNER, USER_RW, USER_RO, USER_NONE); USER_OWNER, USER_RW, USER_RO, USER_NONE);
} }
@ -1087,11 +1049,9 @@ public class TestAccessController extends SecureTestUtil {
Put p = new Put(Bytes.toBytes("a")); Put p = new Put(Bytes.toBytes("a"));
p.add(family1, qualifier, Bytes.toBytes("v1")); p.add(family1, qualifier, Bytes.toBytes("v1"));
p.add(family2, qualifier, Bytes.toBytes("v2")); p.add(family2, qualifier, Bytes.toBytes("v2"));
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -1102,11 +1062,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Put p = new Put(Bytes.toBytes("a")); Put p = new Put(Bytes.toBytes("a"));
p.add(family1, qualifier, Bytes.toBytes("v1")); p.add(family1, qualifier, Bytes.toBytes("v1"));
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -1117,11 +1075,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Put p = new Put(Bytes.toBytes("a")); Put p = new Put(Bytes.toBytes("a"));
p.add(family2, qualifier, Bytes.toBytes("v2")); p.add(family2, qualifier, Bytes.toBytes("v2"));
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -1133,11 +1089,9 @@ public class TestAccessController extends SecureTestUtil {
Get g = new Get(TEST_ROW); Get g = new Get(TEST_ROW);
g.addFamily(family1); g.addFamily(family1);
g.addFamily(family2); g.addFamily(family2);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.get(g); t.get(g);
} finally {
t.close();
} }
return null; return null;
} }
@ -1148,11 +1102,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Get g = new Get(TEST_ROW); Get g = new Get(TEST_ROW);
g.addFamily(family1); g.addFamily(family1);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.get(g); t.get(g);
} finally {
t.close();
} }
return null; return null;
} }
@ -1163,11 +1115,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Get g = new Get(TEST_ROW); Get g = new Get(TEST_ROW);
g.addFamily(family2); g.addFamily(family2);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.get(g); t.get(g);
} finally {
t.close();
} }
return null; return null;
} }
@ -1179,11 +1129,9 @@ public class TestAccessController extends SecureTestUtil {
Delete d = new Delete(TEST_ROW); Delete d = new Delete(TEST_ROW);
d.deleteFamily(family1); d.deleteFamily(family1);
d.deleteFamily(family2); d.deleteFamily(family2);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.delete(d); t.delete(d);
} finally {
t.close();
} }
return null; return null;
} }
@ -1194,11 +1142,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Delete d = new Delete(TEST_ROW); Delete d = new Delete(TEST_ROW);
d.deleteFamily(family1); d.deleteFamily(family1);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.delete(d); t.delete(d);
} finally {
t.close();
} }
return null; return null;
} }
@ -1209,11 +1155,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Delete d = new Delete(TEST_ROW); Delete d = new Delete(TEST_ROW);
d.deleteFamily(family2); d.deleteFamily(family2);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.delete(d); t.delete(d);
} finally {
t.close();
} }
return null; return null;
} }
@ -1354,11 +1298,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Get g = new Get(TEST_ROW); Get g = new Get(TEST_ROW);
g.addColumn(family1, qualifier); g.addColumn(family1, qualifier);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.get(g); t.get(g);
} finally {
t.close();
} }
return null; return null;
} }
@ -1369,11 +1311,9 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Put p = new Put(TEST_ROW); Put p = new Put(TEST_ROW);
p.add(family1, qualifier, Bytes.toBytes("v1")); p.add(family1, qualifier, Bytes.toBytes("v1"));
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -1385,11 +1325,9 @@ public class TestAccessController extends SecureTestUtil {
Delete d = new Delete(TEST_ROW); Delete d = new Delete(TEST_ROW);
d.deleteColumn(family1, qualifier); d.deleteColumn(family1, qualifier);
// d.deleteFamily(family1); // d.deleteFamily(family1);
Table t = new HTable(conf, tableName); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(tableName)) {
t.delete(d); t.delete(d);
} finally {
t.close();
} }
return null; return null;
} }
@ -1461,7 +1399,7 @@ public class TestAccessController extends SecureTestUtil {
List<UserPermission> perms; List<UserPermission> perms;
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1474,7 +1412,7 @@ public class TestAccessController extends SecureTestUtil {
UserPermission ownerperm = new UserPermission( UserPermission ownerperm = new UserPermission(
Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values());
assertTrue("Owner should have all permissions on table", assertTrue("Owner should have all permissions on table",
hasFoundUserPermission(ownerperm, perms)); hasFoundUserPermission(ownerperm, perms));
User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
byte[] userName = Bytes.toBytes(user.getShortName()); byte[] userName = Bytes.toBytes(user.getShortName());
@ -1488,7 +1426,7 @@ public class TestAccessController extends SecureTestUtil {
grantOnTable(TEST_UTIL, user.getShortName(), grantOnTable(TEST_UTIL, user.getShortName(),
tableName, family1, qualifier, Permission.Action.READ); tableName, family1, qualifier, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1513,7 +1451,7 @@ public class TestAccessController extends SecureTestUtil {
tableName, family1, qualifier, tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ); Permission.Action.WRITE, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1532,7 +1470,7 @@ public class TestAccessController extends SecureTestUtil {
revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ); Permission.Action.WRITE, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1543,7 +1481,7 @@ public class TestAccessController extends SecureTestUtil {
} }
assertFalse("User should not be granted permission: " + upToVerify.toString(), assertFalse("User should not be granted permission: " + upToVerify.toString(),
hasFoundUserPermission(upToVerify, perms)); hasFoundUserPermission(upToVerify, perms));
// disable table before modification // disable table before modification
admin.disableTable(tableName); admin.disableTable(tableName);
@ -1552,7 +1490,7 @@ public class TestAccessController extends SecureTestUtil {
htd.setOwner(newOwner); htd.setOwner(newOwner);
admin.modifyTable(tableName, htd); admin.modifyTable(tableName, htd);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1565,7 +1503,7 @@ public class TestAccessController extends SecureTestUtil {
UserPermission newOwnerperm = new UserPermission( UserPermission newOwnerperm = new UserPermission(
Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); Bytes.toBytes(newOwner.getName()), tableName, null, Action.values());
assertTrue("New owner should have all permissions on table", assertTrue("New owner should have all permissions on table",
hasFoundUserPermission(newOwnerperm, perms)); hasFoundUserPermission(newOwnerperm, perms));
// delete table // delete table
deleteTable(TEST_UTIL, tableName); deleteTable(TEST_UTIL, tableName);
@ -1574,7 +1512,7 @@ public class TestAccessController extends SecureTestUtil {
@Test @Test
public void testGlobalPermissionList() throws Exception { public void testGlobalPermissionList() throws Exception {
List<UserPermission> perms; List<UserPermission> perms;
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1609,8 +1547,8 @@ public class TestAccessController extends SecureTestUtil {
AccessControlProtos.GlobalPermission.newBuilder() AccessControlProtos.GlobalPermission.newBuilder()
.addAction(ProtobufUtil.toPermissionAction(a)).build())); .addAction(ProtobufUtil.toPermissionAction(a)).build()));
} }
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel); AccessControlService.newBlockingStub(channel);
@ -1619,8 +1557,6 @@ public class TestAccessController extends SecureTestUtil {
} catch (ServiceException se) { } catch (ServiceException se) {
ProtobufUtil.toIOException(se); ProtobufUtil.toIOException(se);
} }
} finally {
acl.close();
} }
} }
@ -1639,8 +1575,8 @@ public class TestAccessController extends SecureTestUtil {
for (Permission p : perms) { for (Permission p : perms) {
request.addPermission(ProtobufUtil.toPermission(p)); request.addPermission(ProtobufUtil.toPermission(p));
} }
Table acl = new HTable(conf, table); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(table)) {
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0])); AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0]));
try { try {
@ -1648,8 +1584,6 @@ public class TestAccessController extends SecureTestUtil {
} catch (ServiceException se) { } catch (ServiceException se) {
ProtobufUtil.toIOException(se); ProtobufUtil.toIOException(se);
} }
} finally {
acl.close();
} }
} }
@ -1789,7 +1723,7 @@ public class TestAccessController extends SecureTestUtil {
.setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName()))
.addAction(AccessControlProtos.Permission.Action.CREATE)) .addAction(AccessControlProtos.Permission.Action.CREATE))
).build(); ).build();
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try { try {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
@ -1939,13 +1873,13 @@ public class TestAccessController extends SecureTestUtil {
// Move region to the new RegionServer. // Move region to the new RegionServer.
List<HRegionLocation> regions; List<HRegionLocation> regions;
try (RegionLocator locator = TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE2)) { try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE2)) {
regions = locator.getAllRegionLocations(); regions = locator.getAllRegionLocations();
} }
HRegionLocation location = regions.get(0); HRegionLocation location = regions.get(0);
final HRegionInfo hri = location.getRegionInfo(); final HRegionInfo hri = location.getRegionInfo();
final ServerName server = location.getServerName(); final ServerName server = location.getServerName();
try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(TEST_TABLE2)) { try (HTable table = (HTable) systemUserConnection.getTable(TEST_TABLE2)) {
AccessTestAction moveAction = new AccessTestAction() { AccessTestAction moveAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
@ -1997,37 +1931,25 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction listTablesAction = new AccessTestAction() { AccessTestAction listTablesAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Connection unmanagedConnection = try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = conn.getAdmin()) {
Admin admin = unmanagedConnection.getAdmin(); return Arrays.asList(admin.listTables());
try {
admin.listTables();
} finally {
admin.close();
unmanagedConnection.close();
} }
return null;
} }
}; };
AccessTestAction getTableDescAction = new AccessTestAction() { AccessTestAction getTableDescAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Connection unmanagedConnection = try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = conn.getAdmin();) {
Admin admin = unmanagedConnection.getAdmin(); return admin.getTableDescriptor(TEST_TABLE.getTableName());
try {
admin.getTableDescriptor(TEST_TABLE.getTableName());
} finally {
admin.close();
unmanagedConnection.close();
} }
return null;
} }
}; };
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN); verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
verifyDenied(listTablesAction, USER_RW, USER_RO, USER_NONE); verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN); verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
@ -2051,7 +1973,7 @@ public class TestAccessController extends SecureTestUtil {
}; };
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO);
verifyDenied(listTablesAction, USER_NONE); verifyIfEmptyList(listTablesAction, USER_NONE);
} }
@Test @Test
@ -2087,28 +2009,23 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() { AccessTestAction getAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName());) {
return t.get(new Get(TEST_ROW)); return t.get(new Get(TEST_ROW));
} finally {
t.close();
} }
} }
}; };
verifyDenied(getAction, USER_NONE); String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
String namespace = "testNamespaceUserGrant";
NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
// Grant namespace READ to USER_NONE, this should supersede any table permissions // Grant namespace READ to USER_NONE, this should supersede any table permissions
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
// Now USER_NONE should be able to read
// Now USER_NONE should be able to read also
verifyAllowed(getAction, USER_NONE); verifyAllowed(getAction, USER_NONE);
TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace); // Revoke namespace READ to USER_NONE
revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
verifyDenied(getAction, USER_NONE);
} }
@Test @Test
@ -2118,11 +2035,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() { AccessTestAction getAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(new Get(TEST_ROW)); return t.get(new Get(TEST_ROW));
} finally {
t.close();
} }
} }
}; };
@ -2131,7 +2046,7 @@ public class TestAccessController extends SecureTestUtil {
// Grant table READ permissions to testGrantRevoke. // Grant table READ permissions to testGrantRevoke.
try { try {
grantOnTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(), grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
TEST_TABLE.getTableName(), null, null, Permission.Action.READ); TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e); LOG.error("error during call of AccessControlClient.grant. ", e);
@ -2142,7 +2057,7 @@ public class TestAccessController extends SecureTestUtil {
// Revoke table READ permission to testGrantRevoke. // Revoke table READ permission to testGrantRevoke.
try { try {
revokeFromTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(), revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
TEST_TABLE.getTableName(), null, null, Permission.Action.READ); TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e); LOG.error("error during call of AccessControlClient.revoke ", e);
@ -2160,11 +2075,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() { AccessTestAction getAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(new Get(TEST_ROW)); return t.get(new Get(TEST_ROW));
} finally {
t.close();
} }
} }
}; };
@ -2173,7 +2086,7 @@ public class TestAccessController extends SecureTestUtil {
// Grant table READ permissions to testGlobalGrantRevoke. // Grant table READ permissions to testGlobalGrantRevoke.
try { try {
grantGlobalUsingAccessControlClient(TEST_UTIL, connection, grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
testGlobalGrantRevoke.getShortName(), Permission.Action.READ); testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e); LOG.error("error during call of AccessControlClient.grant. ", e);
@ -2184,7 +2097,7 @@ public class TestAccessController extends SecureTestUtil {
// Revoke table READ permission to testGlobalGrantRevoke. // Revoke table READ permission to testGlobalGrantRevoke.
try { try {
revokeGlobalUsingAccessControlClient(TEST_UTIL, connection, revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
testGlobalGrantRevoke.getShortName(), Permission.Action.READ); testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e); LOG.error("error during call of AccessControlClient.revoke ", e);
@ -2201,11 +2114,9 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getAction = new AccessTestAction() { AccessTestAction getAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(new Get(TEST_ROW)); return t.get(new Get(TEST_ROW));
} finally {
t.close();
} }
} }
}; };
@ -2214,7 +2125,7 @@ public class TestAccessController extends SecureTestUtil {
// Grant namespace READ to testNS, this should supersede any table permissions // Grant namespace READ to testNS, this should supersede any table permissions
try { try {
grantOnNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(), grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e); LOG.error("error during call of AccessControlClient.grant. ", e);
@ -2225,7 +2136,7 @@ public class TestAccessController extends SecureTestUtil {
// Revoke namespace READ to testNS, this should supersede any table permissions // Revoke namespace READ to testNS, this should supersede any table permissions
try { try {
revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(), revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e); LOG.error("error during call of AccessControlClient.revoke ", e);
@ -2306,32 +2217,25 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction execEndpointAction = new AccessTestAction() { AccessTestAction execEndpointAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName());) {
BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
} finally {
t.close();
} }
return null; return null;
} }
}; };
// Verify that EXEC permission is checked correctly String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
verifyDenied(execEndpointAction, userB);
verifyAllowed(execEndpointAction, userA);
String namespace = "testCoprocessorExec";
NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
// Now grant EXEC to the entire namespace to user B // Now grant EXEC to the entire namespace to user B
grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
// User B should now be allowed also // User B should now be allowed also
verifyAllowed(execEndpointAction, userA, userB); verifyAllowed(execEndpointAction, userA, userB);
TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace); revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
// Verify that EXEC permission is checked correctly
verifyDenied(execEndpointAction, userB);
verifyAllowed(execEndpointAction, userA);
} }
@Test @Test
@ -2368,7 +2272,7 @@ public class TestAccessController extends SecureTestUtil {
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
try { try {
List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions( List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
connection, AccessControlLists.toNamespaceEntry(namespace)); systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
assertTrue(namespacePermissions != null); assertTrue(namespacePermissions != null);
assertTrue(namespacePermissions.size() == 1); assertTrue(namespacePermissions.size() == 1);
} catch (Throwable thw) { } catch (Throwable thw) {
@ -2380,15 +2284,15 @@ public class TestAccessController extends SecureTestUtil {
@Test @Test
public void testTruncatePerms() throws Throwable { public void testTruncatePerms() throws Throwable {
List<UserPermission> existingPerms = List<UserPermission> existingPerms =
AccessControlClient.getUserPermissions(connection, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.getTableName().getNameAsString()); TEST_TABLE.getTableName().getNameAsString());
assertTrue(existingPerms != null); assertTrue(existingPerms != null);
assertTrue(existingPerms.size() > 1); assertTrue(existingPerms.size() > 1);
try (Admin admin = connection.getAdmin()) { try (Admin admin = systemUserConnection.getAdmin()) {
admin.disableTable(TEST_TABLE.getTableName()); admin.disableTable(TEST_TABLE.getTableName());
admin.truncateTable(TEST_TABLE.getTableName(), true); admin.truncateTable(TEST_TABLE.getTableName(), true);
} }
List<UserPermission> perms = AccessControlClient.getUserPermissions(connection, List<UserPermission> perms = AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.getTableName().getNameAsString()); TEST_TABLE.getTableName().getNameAsString());
assertTrue(perms != null); assertTrue(perms != null);
assertEquals(existingPerms.size(), perms.size()); assertEquals(existingPerms.size(), perms.size());
@ -2398,19 +2302,11 @@ public class TestAccessController extends SecureTestUtil {
return new PrivilegedAction<List<UserPermission>>() { return new PrivilegedAction<List<UserPermission>>() {
@Override @Override
public List<UserPermission> run() { public List<UserPermission> run() {
Connection connection = null; try(Connection conn = ConnectionFactory.createConnection(conf);) {
try { return AccessControlClient.getUserPermissions(conn, regex);
connection = ConnectionFactory.createConnection(conf);
return AccessControlClient.getUserPermissions(connection, regex);
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("error during call of AccessControlClient.getUserPermissions.", e); LOG.error("error during call of AccessControlClient.getUserPermissions.", e);
return null; return null;
} finally {
try {
connection.close();
} catch (IOException e) {
LOG.error("Error during close of connection.", e);
}
} }
} }
}; };

19
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
View File

@ -68,7 +68,7 @@ public class TestAccessController2 extends SecureTestUtil {
private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
private static Configuration conf; private static Configuration conf;
private static Connection connection; private static Connection systemUserConnection;
private final static byte[] Q1 = Bytes.toBytes("q1"); private final static byte[] Q1 = Bytes.toBytes("q1");
private final static byte[] value1 = Bytes.toBytes("value1"); private final static byte[] value1 = Bytes.toBytes("value1");
@ -108,7 +108,7 @@ public class TestAccessController2 extends SecureTestUtil {
TESTGROUP2_USER1 = TESTGROUP2_USER1 =
User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 }); User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 });
connection = ConnectionFactory.createConnection(conf); systemUserConnection = ConnectionFactory.createConnection(conf);
} }
@Before @Before
@ -138,7 +138,7 @@ public class TestAccessController2 extends SecureTestUtil {
assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size()); assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size());
try { try {
assertEquals(1, AccessControlClient.getUserPermissions(connection, tableName.toString()) assertEquals(1, AccessControlClient.getUserPermissions(systemUserConnection, tableName.toString())
.size()); .size());
} catch (Throwable e) { } catch (Throwable e) {
LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e); LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e);
@ -148,7 +148,6 @@ public class TestAccessController2 extends SecureTestUtil {
@AfterClass @AfterClass
public static void tearDownAfterClass() throws Exception { public static void tearDownAfterClass() throws Exception {
connection.close();
TEST_UTIL.shutdownMiniCluster(); TEST_UTIL.shutdownMiniCluster();
} }
@ -254,13 +253,11 @@ public class TestAccessController2 extends SecureTestUtil {
AccessTestAction writeAction = new AccessTestAction() { AccessTestAction writeAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
TEST_VALUE)); TEST_VALUE));
return null; return null;
} finally {
t.close();
} }
} }
}; };
@ -277,8 +274,8 @@ public class TestAccessController2 extends SecureTestUtil {
AccessTestAction scanAction = new AccessTestAction() { AccessTestAction scanAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
ResultScanner s = t.getScanner(new Scan()); ResultScanner s = t.getScanner(new Scan());
try { try {
for (Result r = s.next(); r != null; r = s.next()) { for (Result r = s.next(); r != null; r = s.next()) {
@ -288,8 +285,6 @@ public class TestAccessController2 extends SecureTestUtil {
s.close(); s.close();
} }
return null; return null;
} finally {
t.close();
} }
} }
}; };

27
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
View File

@ -38,7 +38,6 @@ import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete; import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get; import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Increment; import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.Put; import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table; import org.apache.hadoop.hbase.client.Table;
@ -153,8 +152,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
verifyAllowed(new AccessTestAction() { verifyAllowed(new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
Put p; Put p;
// with ro ACL // with ro ACL
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
@ -173,8 +172,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE)); p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -187,11 +184,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Get get = new Get(TEST_ROW); Get get = new Get(TEST_ROW);
get.setMaxVersions(10); get.setMaxVersions(10);
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(get).listCells(); return t.get(get).listCells();
} finally {
t.close();
} }
} }
}; };
@ -201,11 +196,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
public Object run() throws Exception { public Object run() throws Exception {
Get get = new Get(TEST_ROW); Get get = new Get(TEST_ROW);
get.setMaxVersions(10); get.setMaxVersions(10);
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
return t.get(get).listCells(); return t.get(get).listCells();
} finally {
t.close();
} }
} }
}; };
@ -218,8 +211,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
verifyAllowed(new AccessTestAction() { verifyAllowed(new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table t = new HTable(conf, TEST_TABLE.getTableName()); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table t = conn.getTable(TEST_TABLE.getTableName())) {
Put p; Put p;
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE)); p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
@ -230,8 +223,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO); p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE)); p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
t.put(p); t.put(p);
} finally {
t.close();
} }
return null; return null;
} }
@ -439,7 +430,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
// The other put should be covered by the tombstone // The other put should be covered by the tombstone
verifyDenied(getQ2, USER_OTHER); verifyIfNull(getQ2, USER_OTHER);
} }
@Test @Test

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
View File

@ -228,8 +228,8 @@ public class TestCellACLs extends SecureTestUtil {
// Confirm this access does not extend to other cells // Confirm this access does not extend to other cells
verifyDenied(getQ3, USER_OTHER); verifyIfNull(getQ3, USER_OTHER);
verifyDenied(getQ4, USER_OTHER); verifyIfNull(getQ4, USER_OTHER);
/* ---- Scans ---- */ /* ---- Scans ---- */

185
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
View File

@ -35,7 +35,6 @@ import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get; import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table; import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
@ -156,8 +155,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Test @Test
public void testAclTableEntries() throws Exception { public void testAclTableEntries() throws Exception {
String userTestNamespace = "userTestNsp"; String userTestNamespace = "userTestNsp";
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
ListMultimap<String, TablePermission> perms = ListMultimap<String, TablePermission> perms =
AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
@ -188,8 +187,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(5, perms.size()); assertEquals(5, perms.size());
} finally {
acl.close();
} }
} }
@ -208,16 +205,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
SUPERUSER, SUPERUSER,
USER_GLOBAL_ADMIN); USER_GLOBAL_ADMIN);
verifyDeniedWithException(modifyNamespace, verifyDenied(modifyNamespace,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_ADMIN, USER_NS_ADMIN,
USER_NS_CREATE, USER_NS_CREATE,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC); USER_NS_EXEC);
} }
@Test @Test
@ -246,7 +243,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_GLOBAL_ADMIN); USER_GLOBAL_ADMIN);
// all others should be denied // all others should be denied
verifyDeniedWithException(createNamespace, verifyDenied(createNamespace,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
@ -264,18 +261,18 @@ public class TestNamespaceCommands extends SecureTestUtil {
SUPERUSER, SUPERUSER,
USER_GLOBAL_ADMIN); USER_GLOBAL_ADMIN);
verifyDeniedWithException(deleteNamespace, verifyDenied(deleteNamespace,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_ADMIN, USER_NS_ADMIN,
USER_NS_CREATE, USER_NS_CREATE,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_CREATE,
USER_TABLE_WRITE); USER_TABLE_WRITE);
} }
@Test @Test
@ -294,17 +291,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_GLOBAL_ADMIN, USER_GLOBAL_ADMIN,
USER_NS_ADMIN); USER_NS_ADMIN);
verifyDeniedWithException(getNamespaceAction, verifyDenied(getNamespaceAction,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_CREATE, USER_NS_CREATE,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_CREATE,
USER_TABLE_WRITE); USER_TABLE_WRITE);
} }
@Test @Test
@ -359,15 +356,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction grantAction = new AccessTestAction() { AccessTestAction grantAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = BlockingRpcChannel service =
acl.coprocessorService(HConstants.EMPTY_START_ROW); acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, testUser, TEST_NAMESPACE, Action.WRITE); ProtobufUtil.grant(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
} finally {
acl.close();
} }
return null; return null;
} }
@ -375,15 +370,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction revokeAction = new AccessTestAction() { AccessTestAction revokeAction = new AccessTestAction() {
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = BlockingRpcChannel service =
acl.coprocessorService(HConstants.EMPTY_START_ROW); acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, testUser, TEST_NAMESPACE, Action.WRITE); ProtobufUtil.revoke(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
} finally {
acl.close();
} }
return null; return null;
} }
@ -392,14 +385,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
AccessTestAction getPermissionsAction = new AccessTestAction() { AccessTestAction getPermissionsAction = new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try(Connection conn = ConnectionFactory.createConnection(conf);
try { Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol = AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service); AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(TEST_NAMESPACE)); ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(TEST_NAMESPACE));
} finally {
acl.close();
} }
return null; return null;
} }
@ -409,52 +400,52 @@ public class TestNamespaceCommands extends SecureTestUtil {
SUPERUSER, SUPERUSER,
USER_GLOBAL_ADMIN); USER_GLOBAL_ADMIN);
verifyDeniedWithException(grantAction, verifyDenied(grantAction,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_ADMIN, USER_NS_ADMIN,
USER_NS_CREATE, USER_NS_CREATE,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_CREATE,
USER_TABLE_WRITE); USER_TABLE_WRITE);
verifyAllowed(revokeAction, verifyAllowed(revokeAction,
SUPERUSER, SUPERUSER,
USER_GLOBAL_ADMIN); USER_GLOBAL_ADMIN);
verifyDeniedWithException(revokeAction, verifyDenied(revokeAction,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_ADMIN, USER_NS_ADMIN,
USER_NS_CREATE, USER_NS_CREATE,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_CREATE,
USER_TABLE_WRITE); USER_TABLE_WRITE);
verifyAllowed(getPermissionsAction, verifyAllowed(getPermissionsAction,
SUPERUSER, SUPERUSER,
USER_GLOBAL_ADMIN, USER_GLOBAL_ADMIN,
USER_NS_ADMIN); USER_NS_ADMIN);
verifyDeniedWithException(getPermissionsAction, verifyDenied(getPermissionsAction,
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_CREATE, USER_NS_CREATE,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_CREATE,
USER_TABLE_WRITE); USER_TABLE_WRITE);
} }
@Test @Test
@ -475,16 +466,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_GLOBAL_CREATE, USER_GLOBAL_CREATE,
USER_NS_CREATE); USER_NS_CREATE);
verifyDeniedWithException(createTable, verifyDenied(createTable,
USER_GLOBAL_ADMIN, USER_GLOBAL_ADMIN,
USER_GLOBAL_WRITE, USER_GLOBAL_WRITE,
USER_GLOBAL_READ, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_GLOBAL_EXEC,
USER_NS_ADMIN, USER_NS_ADMIN,
USER_NS_WRITE, USER_NS_WRITE,
USER_NS_READ, USER_NS_READ,
USER_NS_EXEC, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_CREATE,
USER_TABLE_WRITE); USER_TABLE_WRITE);
} }
} }

2
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
View File

@ -220,7 +220,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
}, USER_OTHER); }, USER_OTHER);
// A scan of FAMILY2 will throw an AccessDeniedException // A scan of FAMILY2 will throw an AccessDeniedException
verifyDeniedWithException(new AccessTestAction() { verifyDenied(new AccessTestAction() {
@Override @Override
public Object run() throws Exception { public Object run() throws Exception {
// force a new RS connection // force a new RS connection