HBASE-10331. Insure security tests use SecureTestUtil methods for grants

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1557856 13f79535-47bb-0310-9956-ffa450edef68
Andrew Kyle Purtell 2014-01-13 21:22:13 +00:00
parent f492b3fc63
commit 33df9fac20
2 changed files with 17 additions and 69 deletions

@ -22,7 +22,6 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
@ -37,8 +36,6 @@ import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.junit.AfterClass;
@ -49,19 +46,15 @@ import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.TestName;
import com.google.protobuf.BlockingRpcChannel;
@Category(LargeTests.class)
public class TestAccessControlFilter {
@Rule public TestName name = new TestName();
private static HBaseTestingUtility TEST_UTIL;
private static User ADMIN;
private static User READER;
private static User LIMITED;
private static User DENIED;
private static TableName TABLE;
private static byte[] FAMILY = Bytes.toBytes("f1");
private static byte[] PRIVATE_COL = Bytes.toBytes("private");
@ -83,7 +76,6 @@ public class TestAccessControlFilter {
TEST_UTIL.startMiniCluster();
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
ADMIN = User.createUserForTesting(conf, "admin", new String[]{"supergroup"});
READER = User.createUserForTesting(conf, "reader", new String[0]);
LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
DENIED = User.createUserForTesting(conf, "denied", new String[0]);
@ -104,28 +96,12 @@ public class TestAccessControlFilter {
}
}
private void doQualifierAccess(final HTable table) throws IOException, InterruptedException {
private void doQualifierAccess(final HTable table) throws Exception {
// set permissions
ADMIN.runAs(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
HTable aclmeta = new HTable(TEST_UTIL.getConfiguration(),
AccessControlLists.ACL_TABLE_NAME);
try {
byte[] table = Bytes.toBytes(name.getMethodName());
BlockingRpcChannel service = aclmeta.coprocessorService(table);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, READER.getShortName(),
TABLE, null, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, LIMITED.getShortName(),
TABLE, FAMILY, PUBLIC_COL, Permission.Action.READ);
return null;
} finally {
aclmeta.close();
}
}
});
SecureTestUtil.grantOnTable(TEST_UTIL, READER.getShortName(), TABLE, null, null,
Permission.Action.READ);
SecureTestUtil.grantOnTable(TEST_UTIL, LIMITED.getShortName(), TABLE, FAMILY, PUBLIC_COL,
Permission.Action.READ);
// put some test data
List<Put> puts = new ArrayList<Put>(100);
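Review bot: The two `SecureTestUtil.grantOnTable` calls in `doQualifierAccess` no longer run inside `ADMIN.runAs(...)`, so the identity that issues the grants is now whatever the helper uses, and that is not visible in this diff. If the helper calls the access-control endpoint as the process's login user, the test quietly depends on that user having admin rights, and the grant path is no longer exercised under the explicit admin principal the test creates. I would state the assumption at the call site, e.g. `// grants are issued by SecureTestUtil under its own identity, not ADMIN; the login user must have admin rights`, or keep the calls inside `ADMIN.runAs`. Separately, the signature was widened to `throws Exception`; if `grantOnTable` declares something narrower, list that instead so the declared failure modes stay specific. The method body continues past the end of the hunk.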

@ -38,8 +38,6 @@ import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
import org.apache.hadoop.hbase.security.User;
@ -55,7 +53,6 @@ import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.TestName;
import com.google.protobuf.BlockingRpcChannel;
import com.google.protobuf.ByteString;
@Category(MediumTests.class)
@ -97,21 +94,13 @@ public class TestVisibilityLabelsWithACL {
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
NORMAL_USER1 = User.createUserForTesting(conf, "user1", new String[] {});
NORMAL_USER2 = User.createUserForTesting(conf, "user2", new String[] {});
// Grant NORMAL_USER EXEC privilege on the labels table. For the purposes of this
// Grant users EXEC privilege on the labels table. For the purposes of this
// test, we want to insure that access is denied even with the ability to access
// the endpoint.
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(LABELS_TABLE_NAME.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, NORMAL_USER1.getShortName(), LABELS_TABLE_NAME, null, null,
Permission.Action.EXEC);
ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), LABELS_TABLE_NAME, null, null,
Permission.Action.EXEC);
} finally {
acl.close();
}
SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER1.getShortName(), LABELS_TABLE_NAME,
null, null, Permission.Action.EXEC);
SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), LABELS_TABLE_NAME,
null, null, Permission.Action.EXEC);
}
@AfterClass
@ -127,16 +116,8 @@ public class TestVisibilityLabelsWithACL {
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL
+ "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService
.newBlockingStub(service);
ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), tableName, null, null,
Permission.Action.READ);
} finally {
acl.close();
}
SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), tableName,
null, null, Permission.Action.READ);
PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
Scan s = new Scan();
@ -217,20 +198,11 @@ public class TestVisibilityLabelsWithACL {
VisibilityClient.setAuths(conf, auths, "user1");
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
AccessControlService.BlockingInterface protocol = AccessControlService
.newBlockingStub(service);
ProtobufUtil.grant(protocol, NORMAL_USER1.getShortName(), tableName, null, null,
Permission.Action.READ);
ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), tableName, null, null,
Permission.Action.READ);
} finally {
acl.close();
}
PrivilegedExceptionAction<Void> getAction = new PrivilegedExceptionAction<Void>() {
SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER1.getShortName(), tableName,
null, null, Permission.Action.READ);
SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), tableName,
null, null, Permission.Action.READ);
PrivilegedExceptionAction<Void> getAction = new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
Get g = new Get(row1);
g.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
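Review bot: The setup comment says the denial tests rely on the users already holding EXEC on the labels table, but nothing after the `SecureTestUtil.grantOnTable(..., Permission.Action.EXEC)` calls confirms the grants are in effect before the tests run. Whether `grantOnTable` blocks until the new ACL is visible to the region servers cannot be seen from this diff; if it does not, a label operation by NORMAL_USER1 could be refused for lack of EXEC and the test would pass for the wrong reason. The same applies to the READ grants added in the hunks at -127 and -217, where a scan or get issued too early would fail on table access rather than exercise visibility filtering. Consider documenting the contract at the setup site, e.g. `// grantOnTable must return only after the grant is visible cluster-wide; otherwise denials below may come from missing EXEC`.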