Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-13828 Add group permissions testing coverage to AC 

Signed-off-by: Andrew Purtell <apurtell@apache.org>
This commit is contained in:
Ashish Singhi 2015-06-10 22:13:54 +05:30 committed by Andrew Purtell
parent 399fddddc3
commit 349cbe102a
3 changed files with 331 additions and 304 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

299
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -160,6 +160,16 @@ public class TestAccessController extends SecureTestUtil {
// user with admin rights on the column family
private static User USER_ADMIN_CF;
private static final String GROUP_ADMIN = "group_admin";
private static final String GROUP_CREATE = "group_create";
private static final String GROUP_READ = "group_read";
private static final String GROUP_WRITE = "group_write";
private static User USER_GROUP_ADMIN;
private static User USER_GROUP_CREATE;
private static User USER_GROUP_READ;
private static User USER_GROUP_WRITE;
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
// creating all Scope x Permission combinations
@ -214,6 +224,15 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
USER_GROUP_ADMIN =
User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
USER_GROUP_CREATE =
User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
USER_GROUP_READ =
User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
USER_GROUP_WRITE =
User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
systemUserConnection = TEST_UTIL.getConnection();
setUpTableAndUserPermissions();
}
@ -265,6 +284,11 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
@ -303,10 +327,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
// all others should be denied
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -323,8 +348,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -338,8 +364,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -354,8 +381,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -370,8 +398,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -387,8 +416,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -402,8 +432,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -426,11 +457,13 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
// No user should be allowed to disable _acl_ table
verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -444,8 +477,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -466,8 +500,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -486,8 +521,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -506,8 +542,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -526,8 +563,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -540,8 +578,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -554,8 +593,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -568,8 +608,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -582,13 +623,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
private void verifyWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
verifyDenied(action, USER_NONE, USER_RO);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
USER_GROUP_WRITE);
verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
}
@Test
@ -601,8 +644,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -617,8 +661,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -638,8 +683,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
deleteTable(TEST_UTIL, tname);
}
@ -655,8 +701,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -670,18 +717,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
verifyDenied(action, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
USER_GROUP_ADMIN);
verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
private void verifyRead(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
verifyDenied(action, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
USER_GROUP_READ);
verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
}
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
verifyDenied(action, USER_NONE, USER_RO);
verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
USER_GROUP_WRITE);
}
@Test
@ -837,8 +887,10 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
USER_GROUP_CREATE);
verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
USER_GROUP_ADMIN);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
verifyDenied(appendAction, USER_RO, USER_NONE);
verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
USER_GROUP_WRITE);
verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
USER_GROUP_ADMIN);
}
@Test
@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
USER_NONE);
USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
// Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@ -1524,8 +1581,8 @@ public class TestAccessController extends SecureTestUtil {
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
assertTrue("Only user admin has permission on table _acl_ per setup",
perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
assertTrue("Only global users and user admin has permission on table _acl_ per setup",
perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
}
/** global operations */
@ -1712,8 +1769,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -1726,8 +1784,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -1740,8 +1799,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -1754,8 +1814,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(action, SUPERUSER, USER_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@ -1802,17 +1863,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -1832,8 +1897,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction deleteAction = new AccessTestAction() {
@Override
@ -1843,8 +1909,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction restoreAction = new AccessTestAction() {
@Override
@ -1854,8 +1921,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction cloneAction = new AccessTestAction() {
@Override
@ -1867,8 +1935,9 @@ public class TestAccessController extends SecureTestUtil {
};
// Clone by snapshot owner is not allowed , because clone operation creates a new table,
// which needs global admin permission.
verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -1962,12 +2031,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN,
USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE);
verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
TABLE_ADMIN);
verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE);
} finally {
// Cleanup, revoke TABLE ADMIN privs
revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
@ -1992,8 +2064,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
USER_RW, USER_RO);
verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
verifyIfEmptyList(listTablesAction, USER_NONE);
}
@ -2022,7 +2094,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
@ -2354,21 +2427,24 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN);
verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
USER_OWNER);
verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -2466,7 +2542,7 @@ public class TestAccessController extends SecureTestUtil {
// Verify that we can read sys-tables
String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
// Grant TABLE ADMIN privs to testUserPerms
@ -2491,8 +2567,10 @@ public class TestAccessController extends SecureTestUtil {
}
private void verifyAnyCreate(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
verifyDenied(action, USER_NONE, USER_RO, USER_RW);
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
USER_GROUP_CREATE);
verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
USER_GROUP_ADMIN);
}
@Test
@ -2530,7 +2608,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
}
}

143
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
View File

@ -42,7 +42,6 @@ import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.master.HMaster;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.testclassification.LargeTests;
@ -97,6 +96,7 @@ public class TestAccessController2 extends SecureTestUtil {
private String namespace = "testNamespace";
private String tname = namespace + ":testtable1";
private TableName tableName = TableName.valueOf(tname);
private static String TESTGROUP_1_NAME;
@BeforeClass
public static void setupBeforeClass() throws Exception {
@ -109,6 +109,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
TESTGROUP1_USER1 =
User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
TESTGROUP2_USER1 =
@ -200,23 +201,27 @@ public class TestAccessController2 extends SecureTestUtil {
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
AccessTestAction createAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
try (Admin admin = connection.getAdmin()) {
admin.createTable(desc);
grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
try {
AccessTestAction createAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
try (Connection connection =
ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
try (Admin admin = connection.getAdmin()) {
admin.createTable(desc);
}
}
return null;
}
return null;
}
};
verifyAllowed(createAction, TESTGROUP1_USER1);
verifyDenied(createAction, TESTGROUP2_USER1);
revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
};
verifyAllowed(createAction, TESTGROUP1_USER1);
verifyDenied(createAction, TESTGROUP2_USER1);
} finally {
revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
}
}
@Test
@ -264,55 +269,65 @@ public class TestAccessController2 extends SecureTestUtil {
SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
TEST_TABLE.getTableName(), null, null, Action.ADMIN);
// Write tests
grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
try {
// Write tests
AccessTestAction writeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
AccessTestAction writeAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
TEST_VALUE));
return null;
} finally {
}
}
};
// All writes to ACL table denied except for GLOBAL WRITE permission and superuser
verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
verifyAllowed(writeAction, superUser, globalWrite);
// Read tests
AccessTestAction scanAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
ResultScanner s = t.getScanner(new Scan());
try {
for (Result r = s.next(); r != null; r = s.next()) {
// do nothing
}
try (Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
TEST_VALUE));
return null;
} finally {
s.close();
}
return null;
}
}
};
};
// All reads from ACL table denied except for GLOBAL READ and superuser
// All writes to ACL table denied except for GLOBAL WRITE permission and superuser
verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
verifyAllowed(scanAction, superUser, globalRead);
verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
} finally {
revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
}
grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
try {
// Read tests
AccessTestAction scanAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
ResultScanner s = t.getScanner(new Scan());
try {
for (Result r = s.next(); r != null; r = s.next()) {
// do nothing
}
} finally {
s.close();
}
return null;
}
}
};
// All reads from ACL table denied except for GLOBAL READ and superuser
verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
} finally {
revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
}
}
/*
@ -412,17 +427,17 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group which has table level access can read all the data and group which
// has no access can't read any data.
grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group whose table level access has been revoked can't read any data.
revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group which has column family level access can read all the data
// belonging to that family and group which has no access can't read any data.
grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
Permission.Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@ -431,12 +446,12 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column family level access has been revoked can't read any
// data from that family.
revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
// Verify user from a group which has column qualifier level access can read data that has this
// family and qualifier, and group which has no access can't read any data.
grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@ -446,7 +461,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column qualifier level access has been revoked can't read the
// data having this column family and qualifier.
revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
}

193
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
View File

@ -92,6 +92,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
//user with create table permissions alone
private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
private static final String GROUP_ADMIN = "group_admin";
private static final String GROUP_CREATE = "group_create";
private static final String GROUP_READ = "group_read";
private static final String GROUP_WRITE = "group_write";
private static User USER_GROUP_ADMIN;
private static User USER_GROUP_CREATE;
private static User USER_GROUP_READ;
private static User USER_GROUP_WRITE;
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@ -116,6 +126,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
USER_GROUP_ADMIN =
User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
USER_GROUP_CREATE =
User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
USER_GROUP_READ =
User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
USER_GROUP_WRITE =
User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
// TODO: other table perms
UTIL.startMiniCluster();
@ -144,6 +163,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
}
@AfterClass
@ -204,20 +228,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// modifyNamespace: superuser | global(A) | NS(A)
verifyAllowed(modifyNamespace,
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDenied(modifyNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC);
verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -241,41 +255,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// createNamespace: superuser | global(A)
verifyAllowed(createNamespace,
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
verifyDenied(createNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
// deleteNamespace: superuser | global(A) | NS(A)
verifyAllowed(deleteNamespace,
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDenied(deleteNamespace,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -289,22 +279,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
// getNamespaceDescriptor : superuser | global(A) | NS(A)
verifyAllowed(getNamespaceAction,
SUPERUSER,
USER_GLOBAL_ADMIN,
USER_NS_ADMIN);
verifyDenied(getNamespaceAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
USER_GROUP_ADMIN);
verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -327,14 +306,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
// listNamespaces : All access*
// * Returned list will only show what you can call getNamespaceDescriptor()
verifyAllowed(listAction,
SUPERUSER,
USER_GLOBAL_ADMIN,
USER_NS_ADMIN);
verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
@ -348,6 +325,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
}
@Test
@ -411,56 +391,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
verifyAllowed(grantAction,
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyDenied(grantAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
verifyAllowed(revokeAction,
SUPERUSER,
USER_GLOBAL_ADMIN);
verifyDenied(revokeAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(getPermissionsAction,
SUPERUSER,
USER_GLOBAL_ADMIN,
USER_NS_ADMIN);
verifyDenied(getPermissionsAction,
USER_GLOBAL_CREATE,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_CREATE,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
USER_GROUP_ADMIN);
verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@ -476,21 +421,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
//createTable : superuser | global(C) | NS(C)
verifyAllowed(createTable,
SUPERUSER,
USER_GLOBAL_CREATE,
USER_NS_CREATE);
verifyDenied(createTable,
USER_GLOBAL_ADMIN,
USER_GLOBAL_WRITE,
USER_GLOBAL_READ,
USER_GLOBAL_EXEC,
USER_NS_ADMIN,
USER_NS_WRITE,
USER_NS_READ,
USER_NS_EXEC,
USER_TABLE_CREATE,
USER_TABLE_WRITE);
verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
}
}