From 4bbc772ffcb7039a0f5de6bf09eaaceecd09ccdb Mon Sep 17 00:00:00 2001
From: WenFeiYi
Date: Tue, 27 Oct 2020 22:01:57 +0800
Subject: [PATCH] HBASE-25173 Remove owner related methods in TableDescriptor/TableDescriptorBuilder (#2541)
Signed-off-by: Duo Zhang
---
.../hadoop/hbase/client/TableDescriptor.java | 7 ---
.../hbase/client/TableDescriptorBuilder.java | 59 -------------------
.../hbase/coprocessor/TestSecureExport.java | 14 ++---
.../security/access/AccessController.java | 8 +--
.../SnapshotScannerHDFSAclController.java | 3 +-
.../hadoop/hbase/HBaseTestingUtility.java | 26 +++++++-
.../hbase/client/SnapshotWithAclTestBase.java | 13 ++--
.../hbase/rsgroup/TestRSGroupsWithACL.java | 6 +-
.../hbase/security/access/SecureTestUtil.java | 12 ++++
.../security/access/TestAccessController.java | 34 +++++------
.../access/TestAccessController3.java | 8 ++-
.../TestCellACLWithMultipleVersions.java | 13 ++--
.../hbase/security/access/TestCellACLs.java | 10 ++--
.../security/access/TestHDFSAclHelper.java | 29 +++++----
.../access/TestScanEarlyTermination.java | 9 +--
.../access/TestWithDisabledAuthorization.java | 10 ++--
hbase-shell/src/main/ruby/hbase/admin.rb | 3 +-
.../src/main/ruby/shell/commands/alter.rb | 2 +-
.../src/main/ruby/shell/commands/create.rb | 2 +-
hbase-shell/src/test/ruby/hbase/admin_test.rb | 7 +--
20 files changed, 123 insertions(+), 152 deletions(-)
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptor.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptor.java
index a4523872c9c..1440c28787d 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptor.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptor.java
@@ -177,13 +177,6 @@ public interface TableDescriptor { */ TableName getTableName(); - /** - * @deprecated since 2.0.0 and will be removed in 3.0.0. - * @see HBASE-15583 - */ - @Deprecated - String getOwnerString(); - /** * Get the region server group this table belongs to. The regions of this table will be placed * only on the region servers within this group. If not present, will be placed on diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptorBuilder.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptorBuilder.java index 1328f7d017e..c611a217960 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptorBuilder.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/TableDescriptorBuilder.java @@ -42,7 +42,6 @@ import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.exceptions.DeserializationException; import org.apache.hadoop.hbase.rsgroup.RSGroupInfo; -import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.Bytes; import org.apache.yetus.audience.InterfaceAudience; import org.slf4j.Logger; @@ -71,12 +70,6 @@ public class TableDescriptorBuilder { private static final Bytes MAX_FILESIZE_KEY = new Bytes(Bytes.toBytes(MAX_FILESIZE)); - @InterfaceAudience.Private - public static final String OWNER = "OWNER"; - @InterfaceAudience.Private - public static final Bytes OWNER_KEY - = new Bytes(Bytes.toBytes(OWNER)); - /** * Used by rest interface to access this metadata attribute * which denotes if the table is Read Only. 
@@ -485,26 +478,6 @@ public class TableDescriptorBuilder { return this; } - /** - * @deprecated since 2.0.0 and will be removed in 3.0.0. - * @see HBASE-15583 - */ - @Deprecated - public TableDescriptorBuilder setOwner(User owner) { - desc.setOwner(owner); - return this; - } - - /** - * @deprecated since 2.0.0 and will be removed in 3.0.0. - * @see HBASE-15583 - */ - @Deprecated - public TableDescriptorBuilder setOwnerString(String ownerString) { - desc.setOwnerString(ownerString); - return this; - } - public TableDescriptorBuilder setPriority(int priority) { desc.setPriority(priority); return this; @@ -1550,38 +1523,6 @@ public class TableDescriptorBuilder { } } - /** - * @deprecated since 2.0.0 and will be removed in 3.0.0. - * @see HBASE-15583 - */ - @Deprecated - public ModifyableTableDescriptor setOwner(User owner) { - return setOwnerString(owner != null ? owner.getShortName() : null); - } - - /** - * @deprecated since 2.0.0 and will be removed in 3.0.0. - * @see HBASE-15583 - */ - // used by admin.rb:alter(table_name,*args) to update owner. - @Deprecated - public ModifyableTableDescriptor setOwnerString(String ownerString) { - return setValue(OWNER_KEY, ownerString); - } - - /** - * @deprecated since 2.0.0 and will be removed in 3.0.0. - * @see HBASE-15583 - */ - @Override - @Deprecated - public String getOwnerString() { - // Note that every table should have an owner (i.e. should have OWNER_KEY set). - // hbase:meta should return system user as owner, not null (see - // MasterFileSystem.java:bootstrap()). - return getOrDefault(OWNER_KEY, Function.identity(), null); - } - /** * @return the bytes in pb format */ diff --git a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java index 2f5024737db..d3be45b56f6 100644 --- a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java 
+++ b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java @@ -216,6 +216,7 @@ public class TestSecureExport { Permission.Action.EXEC, Permission.Action.READ, Permission.Action.WRITE); + SecureTestUtil.grantGlobal(UTIL, USER_OWNER, Permission.Action.CREATE); addLabels(UTIL.getConfiguration(), Arrays.asList(USER_OWNER), Arrays.asList(PRIVATE, CONFIDENTIAL, SECRET, TOPSECRET)); } @@ -236,11 +237,11 @@ public class TestSecureExport { public void testAccessCase() throws Throwable { final String exportTable = name.getMethodName(); TableDescriptor exportHtd = TableDescriptorBuilder - .newBuilder(TableName.valueOf(name.getMethodName())) + .newBuilder(TableName.valueOf(exportTable)) .setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)) - .setOwnerString(USER_OWNER) .build(); - SecureTestUtil.createTable(UTIL, exportHtd, new byte[][]{Bytes.toBytes("s")}); + User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]); + SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][]{Bytes.toBytes("s")}); SecureTestUtil.grantOnTable(UTIL, USER_RO, TableName.valueOf(exportTable), null, null, Permission.Action.READ); @@ -340,9 +341,9 @@ public class TestSecureExport { final TableDescriptor exportHtd = TableDescriptorBuilder .newBuilder(TableName.valueOf(exportTable)) .setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)) - .setOwnerString(USER_OWNER) .build(); - SecureTestUtil.createTable(UTIL, exportHtd, new byte[][]{Bytes.toBytes("s")}); + User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]); + SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][]{Bytes.toBytes("s")}); AccessTestAction putAction = () -> { Put p1 = new Put(ROW1); p1.addColumn(FAMILYA, QUAL, NOW, QUAL); 
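Review bot: `SecureTestUtil.grantGlobal(UTIL, USER_OWNER, Permission.Action.CREATE);` in the hunk at line 216 gives the owner user CREATE at global scope, which is more than the tests need in order to create their own tables. A wider grant can hide a missing permission check in the access assertions made for that user later in the class. If the helper class offers a namespace-scoped grant I would use it for the namespace the test tables live in, or at least add `// global CREATE is needed because the table owner is now the creating user (HBASE-25173)` above the call. The same setup line is added to the other test classes in this patch (SnapshotWithAclTestBase, TestRSGroupsWithACL, TestAccessController, TestAccessController3, TestCellACLWithMultipleVersions, TestCellACLs, TestScanEarlyTermination, TestWithDisabledAuthorization).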
@@ -398,9 +399,8 @@ public class TestSecureExport { final TableDescriptor importHtd = TableDescriptorBuilder .newBuilder(TableName.valueOf(importTable)) .setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYB)) - .setOwnerString(USER_OWNER) .build(); - SecureTestUtil.createTable(UTIL, importHtd, new byte[][]{Bytes.toBytes("s")}); + SecureTestUtil.createTable(UTIL, owner, importHtd, new byte[][]{Bytes.toBytes("s")}); AccessTestAction importAction = () -> { String[] args = new String[]{ "-D" + Import.CF_RENAME_PROP + "=" + FAMILYA_STRING + ":" + FAMILYB_STRING, diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java index 3779903f869..3a6c3aae657 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java @@ -804,10 +804,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, + PermissionStorage.ACL_TABLE_NAME + " is not yet created. " + getClass().getSimpleName() + " should be configured as the first Coprocessor"); } else { - String owner = desc.getOwnerString(); - // default the table owner to current user, if not specified. - if (owner == null) - owner = getActiveUser(c).getShortName(); + String owner = getActiveUser(c).getShortName(); final UserPermission userPermission = new UserPermission(owner, Permission.newBuilder(desc.getTableName()).withActions(Action.values()).build()); // switch to the real hbase master user for doing the RPC on the ACL table 
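Review bot: A table descriptor that still carries a legacy `OWNER` value is now ignored without any trace at `String owner = getActiveUser(c).getShortName();`, so every action in `Action.values()` is granted to whoever issued the create rather than to the named user. Descriptors from older clients, scripts or snapshots may still hold that attribute, and operators relying on it would see access silently move to the caller. I would document this on the line, e.g. `// The creating user is always the table owner; a legacy OWNER attribute in the descriptor is ignored (HBASE-25173).`, and consider logging a warning when `desc.getValue("OWNER") != null`. The same applies to the hunk at line 179 of SnapshotScannerHDFSAclController.java, where the HDFS ACL is added for the active user. The enclosing method starts and ends outside this hunk.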
@@ -906,8 +903,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor, TableDescriptor oldDesc, TableDescriptor currentDesc) throws IOException { final Configuration conf = c.getEnvironment().getConfiguration(); // default the table owner to current user, if not specified. - final String owner = (currentDesc.getOwnerString() != null) ? currentDesc.getOwnerString() : - getActiveUser(c).getShortName(); + final String owner = getActiveUser(c).getShortName(); User.runAsLoginUser(new PrivilegedExceptionAction() { @Override public Void run() throws Exception { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.java index 5c4ba0d6850..e52134e7d06 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.java @@ -179,8 +179,7 @@ public class SnapshotScannerHDFSAclController implements MasterCoprocessor, Mast // 1. Create table directories to make HDFS acls can be inherited hdfsAclHelper.createTableDirectories(tableName); // 2. Add table owner HDFS acls - String owner = - desc.getOwnerString() == null ? getActiveUser(c).getShortName() : desc.getOwnerString(); + String owner = getActiveUser(c).getShortName(); hdfsAclHelper.addTableAcl(tableName, Sets.newHashSet(owner), "create"); // 3. Record table owner permission is synced to HDFS in acl table SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(c.getEnvironment().getConnection(), owner, diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java index 1fb2f00d67c..cb2e9e92893 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java 
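Review bot: The context comment `// default the table owner to current user, if not specified.` above `final String owner = getActiveUser(c).getShortName();` is now stale, because there is no longer a "specified" case: the user performing the modify is always taken as owner. If the `run()` body (it continues outside this hunk) writes a full-permission entry for `owner`, any user allowed to modify the table would receive the owner grant on every modify, which was previously only the fallback path; it is worth confirming that this is intended and covered by a test. At minimum the comment should read `// the user performing the modification is recorded as the table owner`.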
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java @@ -2985,16 +2985,26 @@ public class HBaseTestingUtility extends HBaseZKTestingUtility { /** * Get a shared Connection to the cluster. - * this method is threadsafe. + * this method is thread safe. * @return A Connection that can be shared. Don't close. Will be closed on shutdown of cluster. */ public Connection getConnection() throws IOException { return getAsyncConnection().toConnection(); } + /** + * Get a assigned Connection to the cluster. + * this method is thread safe. + * @param user assigned user + * @return A Connection with assigned user. + */ + public Connection getConnection(User user) throws IOException { + return getAsyncConnection(user).toConnection(); + } + /** * Get a shared AsyncClusterConnection to the cluster. - * this method is threadsafe. + * this method is thread safe. * @return An AsyncClusterConnection that can be shared. Don't close. Will be closed on shutdown of cluster. */ public AsyncClusterConnection getAsyncConnection() throws IOException { @@ -3003,7 +3013,7 @@ public class HBaseTestingUtility extends HBaseZKTestingUtility { if (connection == null) { try { User user = UserProvider.instantiate(conf).getCurrent(); - connection = ClusterConnectionFactory.createAsyncClusterConnection(conf, null, user); + connection = getAsyncConnection(user); } catch(IOException ioe) { throw new UncheckedIOException("Failed to create connection", ioe); } 
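Review bot: The Javadoc on the new `getConnection(User user)` does not say who owns the returned connection. Unlike the shared overload, whose comment says "Don't close", this one appears to build a fresh connection on every call: it delegates to `getAsyncConnection(user)`, added in the hunk at line 3015, which calls `ClusterConnectionFactory.createAsyncClusterConnection(conf, null, user)` directly, so a caller that does not close it leaks a connection authenticated as that user. I would change both `@return` lines to something like `@return a new, uncached connection authenticated as {@code user}; the caller must close it.` and reword "Get a assigned Connection" to "Get a Connection for the given user".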
@@ -3015,6 +3025,16 @@ public class HBaseTestingUtility extends HBaseZKTestingUtility { } } + /** + * Get a assigned AsyncClusterConnection to the cluster. + * this method is thread safe. + * @param user assigned user + * @return An AsyncClusterConnection with assigned user. + */ + public AsyncClusterConnection getAsyncConnection(User user) throws IOException { + return ClusterConnectionFactory.createAsyncClusterConnection(conf, null, user); + } + public void closeConnection() throws IOException { if (hbaseAdmin != null) { Closeables.close(hbaseAdmin, true); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java index f8dbc94f870..cfdbf43f847 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java 
@@ -120,14 +120,17 @@ public abstract class SnapshotWithAclTestBase extends SecureTestUtil { USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]); USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); USER_NONE = User.createUserForTesting(conf, "usernone", new String[0]); + + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Permission.Action.CREATE); } @Before public void setUp() throws Exception { - TEST_UTIL.createTable(TableDescriptorBuilder.newBuilder(TEST_TABLE) + TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(TEST_TABLE) .setColumnFamily( - ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()) - .setOwner(USER_OWNER).build(), new byte[][] { Bytes.toBytes("s") }); + ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()).build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); TEST_UTIL.waitTableEnabled(TEST_TABLE); grantOnTable(TEST_UTIL, USER_RW.getShortName(), TEST_TABLE, TEST_FAMILY, null, @@ -200,9 +203,9 @@ public abstract class SnapshotWithAclTestBase extends SecureTestUtil { TableName tableName2 = TableName.valueOf(TEST_UTIL.getRandomUUID().toString()); cloneSnapshot(snapshotName1, tableName2, false); verifyRows(tableName2); - verifyAllowed(new AccessReadAction(tableName2), USER_OWNER); + verifyDenied(new AccessReadAction(tableName2), USER_OWNER); verifyDenied(new AccessReadAction(tableName2), USER_NONE, USER_RO, USER_RW); - verifyAllowed(new AccessWriteAction(tableName2), USER_OWNER); + verifyDenied(new AccessWriteAction(tableName2), USER_OWNER); verifyDenied(new AccessWriteAction(tableName2), USER_RO, USER_RW, USER_NONE); // remove read permission for USER_RO. 
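Review bot: The flip from `verifyAllowed` to `verifyDenied` for `USER_OWNER` on `tableName2` in the hunk at line 200 encodes a user-visible behaviour change and deserves a comment. The clone is made with `cloneSnapshot(snapshotName1, tableName2, false)`, presumably without restoring ACLs and by the test's default user, so after this commit the source table's owner no longer has access to the cloned table. Something like `// ACLs are not restored and ownership follows the user who runs the clone, so the source table's owner is denied` above the two assertions would keep the next reader from treating it as a regression. `USER_OWNER` could also simply be added to the following `verifyDenied` calls, which already list the other users.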
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java index 8962dc6b4a6..c8932342b1a 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java @@ -131,6 +131,9 @@ public class TestRSGroupsWithACL extends SecureTestUtil { USER_GROUP_WRITE = User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Permission.Action.CREATE); + systemUserConnection = TEST_UTIL.getConnection(); setUpTableAndUserPermissions(); master = TEST_UTIL.getHBaseCluster().getMaster(); @@ -156,8 +159,7 @@ public class TestRSGroupsWithACL extends SecureTestUtil { ColumnFamilyDescriptorBuilder cfd = ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY); cfd.setMaxVersions(100); tableBuilder.setColumnFamily(cfd.build()); - tableBuilder.setValue(TableDescriptorBuilder.OWNER, USER_OWNER.getShortName()); - createTable(TEST_UTIL, tableBuilder.build(), new byte[][] { Bytes.toBytes("s") }); + createTable(TEST_UTIL, USER_OWNER, tableBuilder.build(), new byte[][] { Bytes.toBytes("s") }); // Set up initial grants grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN, diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java index 3892eb11f20..840c30d80f5 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java 
@@ -775,6 +775,18 @@ public class SecureTestUtil { testUtil.waitUntilAllRegionsAssigned(htd.getTableName()); } + public static void createTable(HBaseTestingUtility testUtil, User user, TableDescriptor htd) + throws Exception { + createTable(testUtil, user, htd, null); + } + + public static void createTable(HBaseTestingUtility testUtil, User user, TableDescriptor htd, + byte[][] splitKeys) throws Exception { + try (Connection con = testUtil.getConnection(user); Admin admin = con.getAdmin()) { + createTable(testUtil, admin, htd, splitKeys); + } + } + public static void deleteTable(HBaseTestingUtility testUtil, TableName tableName) throws Exception { deleteTable(testUtil, testUtil.getAdmin(), tableName); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 5c0610f63b0..d53a84c260d 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -270,6 +270,9 @@ public class TestAccessController extends SecureTestUtil { USER_GROUP_WRITE = User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Action.CREATE); + systemUserConnection = TEST_UTIL.getConnection(); setUpTableAndUserPermissions(); } 
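Review bot: The two new `createTable(HBaseTestingUtility, User, TableDescriptor, ...)` overloads in the hunk at line 775 have no Javadoc, and their contract differs from the existing overloads in a way the tests now depend on: the table is created over a connection opened as `user`. I would add a short Javadoc saying that `user` must already hold CREATE permission, that with the AccessController installed this user ends up as the table owner, and that the connection is opened and closed inside the call.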
@@ -283,9 +286,8 @@ public class TestAccessController extends SecureTestUtil { private static void setUpTableAndUserPermissions() throws Exception { TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(TEST_TABLE) .setColumnFamily( - ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()) - .setOwner(USER_OWNER).build(); - createTable(TEST_UTIL, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); + ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()).build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); @@ -1670,8 +1672,8 @@ public class TestAccessController extends SecureTestUtil { } TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(tableName) .setColumnFamily(ColumnFamilyDescriptorBuilder.of(family1)) - .setColumnFamily(ColumnFamilyDescriptorBuilder.of(family2)).setOwner(USER_OWNER).build(); - createTable(TEST_UTIL, tableDescriptor); + .setColumnFamily(ColumnFamilyDescriptorBuilder.of(family2)).build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor); try { List perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); 
@@ -1724,13 +1726,9 @@ public class TestAccessController extends SecureTestUtil { assertFalse("User should not be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - // disable table before modification - admin.disableTable(tableName); - User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); - tableDescriptor = - TableDescriptorBuilder.newBuilder(tableDescriptor).setOwner(newOwner).build(); - admin.modifyTable(tableDescriptor); + grantOnTable(TEST_UTIL, newOwner.getShortName(), tableName, + null, null, Permission.Action.values()); perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); UserPermission newOwnerperm = new UserPermission(newOwner.getName(), @@ -1758,7 +1756,7 @@ public class TestAccessController extends SecureTestUtil { new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build())); } assertTrue("Only super users, global users and user admin has permission on table hbase:acl " + - "per setup", perms.size() == 5 + superUsers.size() && + "per setup", perms.size() == 6 + superUsers.size() && hasFoundUserPermission(adminPerms, perms)); } @@ -2278,8 +2276,8 @@ public class TestAccessController extends SecureTestUtil { private void createTestTable(TableName tname, byte[] cf) throws Exception { TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(tname) .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(cf).setMaxVersions(100).build()) - .setOwner(USER_OWNER).build(); - createTable(TEST_UTIL, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); + .build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); } @Test 
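Review bot: After this change the block at line 1724 no longer exercises an ownership transfer; it grants `Permission.Action.values()` on the table to a second user through `grantOnTable`, yet the names `newOwner` and `newOwnerperm` still say otherwise. Renaming them (for example `otherUser` / `otherUserPerm`) and adding a comment such as `// ownership can no longer be changed through modifyTable; grant full table permission explicitly` would keep the test honest about what it covers. The test method starts and ends outside this hunk.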
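Review bot: The expected count `6 + superUsers.size()` in the hunk at line 1758 is a magic number tied to how many grants the class setup makes, and this commit had to bump it here and in the hunks at lines 2858 and 3517 because of the new `grantGlobal(... Action.CREATE)` for `USER_OWNER`. A named constant next to the setup grants, for instance `private static final int GLOBAL_GRANT_COUNT = 6;`, would leave one place to update. In this hunk an `assertEquals` on the size would also give a clearer failure than `assertTrue(..., perms.size() == 6 + superUsers.size() && ...)`.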
@@ -2858,7 +2856,7 @@ public class TestAccessController extends SecureTestUtil { // Verify that we can read sys-tables String aclTableName = PermissionStorage.ACL_TABLE_NAME.getNameAsString(); - assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); + assertEquals(6, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size()); // Grant TABLE ADMIN privs to testUserPerms @@ -3517,10 +3515,10 @@ public class TestAccessController extends SecureTestUtil { // Validate global user permission List userPermissions; - assertEquals(5 + superUserCount, AccessControlClient.getUserPermissions(conn, null).size()); - assertEquals(5 + superUserCount, + assertEquals(6 + superUserCount, AccessControlClient.getUserPermissions(conn, null).size()); + assertEquals(6 + superUserCount, AccessControlClient.getUserPermissions(conn, HConstants.EMPTY_STRING).size()); - assertEquals(5 + superUserCount, + assertEquals(6 + superUserCount, AccessControlClient.getUserPermissions(conn, null, HConstants.EMPTY_STRING).size()); userPermissions = AccessControlClient.getUserPermissions(conn, null, USER_ADMIN.getName()); verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN.getName(), superUsers); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java index 53e07ff8101..8860d5f0658 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java 
@@ -189,6 +189,9 @@ public class TestAccessController3 extends SecureTestUtil { USER_GROUP_WRITE = User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Permission.Action.CREATE); + systemUserConnection = TEST_UTIL.getConnection(); setUpTableAndUserPermissions(); } @@ -207,9 +210,8 @@ public class TestAccessController3 extends SecureTestUtil { private static void setUpTableAndUserPermissions() throws Exception { TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(TEST_TABLE) .setColumnFamily( - ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()) - .setOwner(USER_OWNER).build(); - createTable(TEST_UTIL, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); + ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()).build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java index 1d3a54e13f6..f3035a96cc4 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java 
@@ -31,7 +31,6 @@ import org.apache.hadoop.hbase.HBaseClassTestRule; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.TableNameTestRule; import org.apache.hadoop.hbase.TableNotFoundException; -import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; @@ -125,6 +124,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP }); usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) }; + + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Action.CREATE); } @AfterClass @@ -138,14 +140,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil { .setColumnFamily( ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY1).setMaxVersions(4).build()) .setColumnFamily( - ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY2).setMaxVersions(4).build()) - .setOwner(USER_OWNER).build(); + ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY2).setMaxVersions(4).build()).build(); // Create the test table (owner added to the _acl_ table) - try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { - try (Admin admin = connection.getAdmin()) { - admin.createTable(tableDescriptor, new byte[][] { Bytes.toBytes("s") }); - } - } + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); TEST_UTIL.waitTableEnabled(testTable.getTableName()); LOG.info("Sleeping a second because of HBASE-12581"); Threads.sleep(1000); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java index 1515e1410a5..6d238284cdd 100644 
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java @@ -31,7 +31,6 @@ import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.TableNameTestRule; import org.apache.hadoop.hbase.TableNotFoundException; -import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; @@ -127,6 +126,9 @@ public class TestCellACLs extends SecureTestUtil { GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP }); usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) }; + + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Action.CREATE); } @AfterClass @@ -137,12 +139,10 @@ public class TestCellACLs extends SecureTestUtil { @Before public void setUp() throws Exception { // Create the test table (owner added to the _acl_ table) - Admin admin = TEST_UTIL.getAdmin(); TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(testTable.getTableName()) .setColumnFamily( - ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(4).build()) - .setOwner(USER_OWNER).build(); - admin.createTable(tableDescriptor, new byte[][] { Bytes.toBytes("s") }); + ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(4).build()).build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); TEST_UTIL.waitTableEnabled(testTable.getTableName()); LOG.info("Sleeping a second because of HBASE-12581"); Threads.sleep(1000); 
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclHelper.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclHelper.java index 420fb977bf4..e4e37e08ba7 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclHelper.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestHDFSAclHelper.java @@ -39,6 +39,8 @@ import static org.junit.Assert.assertEquals; final class TestHDFSAclHelper { private static final Logger LOG = LoggerFactory.getLogger(TestHDFSAclHelper.class); + private static final String USER_OWNER = "owner"; + private TestHDFSAclHelper() { } 
@@ -55,33 +57,41 @@ final class TestHDFSAclHelper { } } - static Table createTable(HBaseTestingUtility util, TableName tableName) throws IOException { + static Table createTable(HBaseTestingUtility util, TableName tableName) throws Exception { createNamespace(util, tableName.getNamespaceAsString()); TableDescriptor td = getTableDescriptorBuilder(util, tableName) .setValue(SnapshotScannerHDFSAclHelper.ACL_SYNC_TO_HDFS_ENABLE, "true").build(); byte[][] splits = new byte[][] { Bytes.toBytes("2"), Bytes.toBytes("4") }; - return util.createTable(td, splits); + User user = User.createUserForTesting(util.getConfiguration(), USER_OWNER, new String[] {}); + SecureTestUtil.grantGlobal(util, user.getShortName(), Permission.Action.CREATE); + SecureTestUtil.createTable(util, user, td, splits); + return util.getConnection().getTable(tableName); } - static Table createMobTable(HBaseTestingUtility util, TableName tableName) throws IOException { + static Table createMobTable(HBaseTestingUtility util, TableName tableName) throws Exception { createNamespace(util, tableName.getNamespaceAsString()); TableDescriptor td = TableDescriptorBuilder.newBuilder(tableName) .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN1).setMobEnabled(true) .setMobThreshold(0).build()) .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN2).setMobEnabled(true) .setMobThreshold(0).build()) - .setOwner(User.createUserForTesting(util.getConfiguration(), "owner", new String[] {})) .setValue(SnapshotScannerHDFSAclHelper.ACL_SYNC_TO_HDFS_ENABLE, "true").build(); byte[][] splits = new byte[][] { Bytes.toBytes("2"), Bytes.toBytes("4") }; - return util.createTable(td, splits); + User user = User.createUserForTesting(util.getConfiguration(), USER_OWNER, new String[] {}); + SecureTestUtil.grantGlobal(util, user.getShortName(), Permission.Action.CREATE); + SecureTestUtil.createTable(util, user, td, splits); + return util.getConnection().getTable(tableName); } static TableDescriptor 
createUserScanSnapshotDisabledTable(HBaseTestingUtility util, - TableName tableName) throws IOException { + TableName tableName) throws Exception { createNamespace(util, tableName.getNamespaceAsString()); TableDescriptor td = getTableDescriptorBuilder(util, tableName).build(); byte[][] splits = new byte[][] { Bytes.toBytes("2"), Bytes.toBytes("4") }; - try (Table t = util.createTable(td, splits)) { + User user = User.createUserForTesting(util.getConfiguration(), USER_OWNER, new String[] {}); + SecureTestUtil.grantGlobal(util, user.getShortName(), Permission.Action.CREATE); + SecureTestUtil.createTable(util, user, td, splits); + try (Table t = util.getConnection().getTable(tableName)) { put(t); } return td; @@ -91,11 +101,10 @@ final class TestHDFSAclHelper { TableName tableName) { return TableDescriptorBuilder.newBuilder(tableName) .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN1).build()) - .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN2).build()) - .setOwner(User.createUserForTesting(util.getConfiguration(), "owner", new String[] {})); + .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(COLUMN2).build()); } - static void createTableAndPut(HBaseTestingUtility util, TableName tableNam) throws IOException { + static void createTableAndPut(HBaseTestingUtility util, TableName tableNam) throws Exception { try (Table t = createTable(util, tableNam)) { put(t); } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java index f8ac4f696ae..aade90ca615 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java 
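Review bot: The same three statements, `User.createUserForTesting(util.getConfiguration(), USER_OWNER, new String[] {})`, `SecureTestUtil.grantGlobal(...)` and `SecureTestUtil.createTable(...)`, are repeated in `createTable`, `createMobTable` and `createUserScanSnapshotDisabledTable` in the hunk at line 55 of TestHDFSAclHelper.java. Each call also re-issues the global CREATE grant for the same user, which is redundant work against the ACL table. A private helper would remove the duplication; each call site then becomes `createTableAsOwner(util, td, splits);`.

```java
// … unchanged: createNamespace, descriptor and split-key setup in each caller …
private static void createTableAsOwner(HBaseTestingUtility util, TableDescriptor td,
    byte[][] splits) throws Exception {
  // The creating user becomes the table owner, so create the table as USER_OWNER.
  User user = User.createUserForTesting(util.getConfiguration(), USER_OWNER, new String[] {});
  SecureTestUtil.grantGlobal(util, user.getShortName(), Permission.Action.CREATE);
  SecureTestUtil.createTable(util, user, td, splits);
}
```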
@@ -28,7 +28,6 @@ import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.TableNameTestRule; import org.apache.hadoop.hbase.TableNotFoundException; -import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; @@ -107,6 +106,9 @@ public class TestScanEarlyTermination extends SecureTestUtil { // create a set of test users USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); USER_OTHER = User.createUserForTesting(conf, "other", new String[0]); + + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Action.CREATE); } @AfterClass @@ -116,9 +118,8 @@ public class TestScanEarlyTermination extends SecureTestUtil { @Before public void setUp() throws Exception { - Admin admin = TEST_UTIL.getAdmin(); TableDescriptor tableDescriptor = - TableDescriptorBuilder.newBuilder(testTable.getTableName()).setOwner(USER_OWNER) + TableDescriptorBuilder.newBuilder(testTable.getTableName()) .setColumnFamily( ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY1).setMaxVersions(10).build()) .setColumnFamily( @@ -127,7 +128,7 @@ public class TestScanEarlyTermination extends SecureTestUtil { // want to confirm that the per-table configuration is properly picked up. .setValue(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, "true").build(); - admin.createTable(tableDescriptor); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor); TEST_UTIL.waitUntilAllRegionsAssigned(testTable.getTableName()); } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java index 47458f3dd37..a08456a8917 100644 
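Review bot: The comment added in setupBeforeClass, `// Grant table creation permission to USER_OWNER`, restates the call below it without saying why the grant is needed now. The reason is visible only by reading the setUp hunks: the descriptor no longer carries `setOwner(USER_OWNER)` and the table is created through `createTable(TEST_UTIL, USER_OWNER, tableDescriptor)` instead of the admin handle. I would word it as `// setUp() creates the table as USER_OWNER, so that user needs CREATE before any test runs`. The identical comment in the setupBeforeClass hunk of TestWithDisabledAuthorization would benefit from the same wording.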
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java @@ -32,7 +32,6 @@ import org.apache.hadoop.hbase.ServerName; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.TableNameTestRule; import org.apache.hadoop.hbase.TableNotFoundException; -import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.Append; import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; import org.apache.hadoop.hbase.client.Connection; @@ -167,6 +166,9 @@ public class TestWithDisabledAuthorization extends SecureTestUtil { USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); USER_QUAL = User.createUserForTesting(conf, "rwpartial", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); + + // Grant table creation permission to USER_OWNER + grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Action.CREATE); } @AfterClass @@ -177,12 +179,10 @@ public class TestWithDisabledAuthorization extends SecureTestUtil { @Before public void setUp() throws Exception { // Create the test table (owner added to the _acl_ table) - Admin admin = TEST_UTIL.getAdmin(); TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(testTable.getTableName()) .setColumnFamily( - ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()) - .setOwner(USER_OWNER).build(); - admin.createTable(tableDescriptor, new byte[][] { Bytes.toBytes("s") }); + ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build()).build(); + createTable(TEST_UTIL, USER_OWNER, tableDescriptor, new byte[][] { Bytes.toBytes("s") }); TEST_UTIL.waitUntilAllRegionsAssigned(testTable.getTableName()); HRegion region = TEST_UTIL.getHBaseCluster().getRegions(testTable.getTableName()).get(0); 
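Review bot: The context comment in setUp, `// Create the test table (owner added to the _acl_ table)`, was written for the `setOwner(USER_OWNER)` call that this hunk removes and no longer says how the owner gets there. Presumably the owner entry now results from creating the table as USER_OWNER through `createTable(TEST_UTIL, USER_OWNER, ...)`; the helper itself is not visible in this hunk. Something like `// Create the test table as USER_OWNER, which is what records the owner in the _acl_ table` would keep the comment true to the new code. setUp continues past the end of the hunk.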
diff --git a/hbase-shell/src/main/ruby/hbase/admin.rb b/hbase-shell/src/main/ruby/hbase/admin.rb index a91b273033c..d3492fa7c1c 100644 --- a/hbase-shell/src/main/ruby/hbase/admin.rb +++ b/hbase-shell/src/main/ruby/hbase/admin.rb @@ -1470,8 +1470,8 @@ module Hbase end # Parse arguments and update TableDescriptorBuilder accordingly + # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity def update_tdb_from_arg(tdb, arg) - tdb.setOwnerString(arg.delete(TableDescriptorBuilder::OWNER)) if arg.include?(TableDescriptorBuilder::OWNER) tdb.setMaxFileSize(JLong.valueOf(arg.delete(TableDescriptorBuilder::MAX_FILESIZE))) if arg.include?(TableDescriptorBuilder::MAX_FILESIZE) tdb.setReadOnly(JBoolean.valueOf(arg.delete(TableDescriptorBuilder::READONLY))) if arg.include?(TableDescriptorBuilder::READONLY) tdb.setCompactionEnabled(JBoolean.valueOf(arg.delete(TableDescriptorBuilder::COMPACTION_ENABLED))) if arg.include?(TableDescriptorBuilder::COMPACTION_ENABLED) @@ -1490,6 +1490,7 @@ module Hbase set_user_metadata(tdb, arg.delete(METADATA)) if arg[METADATA] set_descriptor_config(tdb, arg.delete(CONFIGURATION)) if arg[CONFIGURATION] end + # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity #---------------------------------------------------------------------------------------------- # clear compaction queues diff --git a/hbase-shell/src/main/ruby/shell/commands/alter.rb b/hbase-shell/src/main/ruby/shell/commands/alter.rb index 456d6d5dbd1..22e6e42e69c 100644 --- a/hbase-shell/src/main/ruby/shell/commands/alter.rb +++ b/hbase-shell/src/main/ruby/shell/commands/alter.rb @@ -95,7 +95,7 @@ There could be more than one alteration in one command: hbase> alter 't1', { NAME => 'f1', VERSIONS => 3 }, { MAX_FILESIZE => '134217728' }, { METHOD => 'delete', NAME => 'f2' }, - OWNER => 'johndoe', METADATA => { 'mykey' => 'myvalue' } + METADATA => { 'mykey' => 'myvalue' } EOF end 
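Review bot: With the OWNER branch removed from update_tdb_from_arg, nothing in the method tells a maintainer or a script author that OWNER used to be accepted here or what replaces it. Existing scripts that pass `OWNER => 'johndoe'` to create or alter will no longer assign an owner, and how the leftover key is reported is decided by code outside this hunk. A comment at the top of the method would help, such as `# OWNER is no longer a table attribute (HBASE-25173); use the grant command to give other users access`. The method body runs between this hunk and the next one, so the full list of handled keys is not visible here.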
diff --git a/hbase-shell/src/main/ruby/shell/commands/create.rb b/hbase-shell/src/main/ruby/shell/commands/create.rb index b82b2bfc346..897e8a744b9 100644 --- a/hbase-shell/src/main/ruby/shell/commands/create.rb +++ b/hbase-shell/src/main/ruby/shell/commands/create.rb @@ -45,7 +45,7 @@ Examples: hbase> create 'ns1:t1', 'f1', SPLITS => ['10', '20', '30', '40'] hbase> create 't1', 'f1', SPLITS => ['10', '20', '30', '40'] - hbase> create 't1', 'f1', SPLITS_FILE => 'splits.txt', OWNER => 'johndoe' + hbase> create 't1', 'f1', SPLITS_FILE => 'splits.txt' hbase> create 't1', {NAME => 'f1', VERSIONS => 5}, METADATA => { 'mykey' => 'myvalue' } hbase> # Optionally pre-split the table into NUMREGIONS, using hbase> # SPLITALGO ("HexStringSplit", "UniformSplit" or classname) diff --git a/hbase-shell/src/test/ruby/hbase/admin_test.rb b/hbase-shell/src/test/ruby/hbase/admin_test.rb index fac52ede51b..64a4a8b425c 100644 --- a/hbase-shell/src/test/ruby/hbase/admin_test.rb +++ b/hbase-shell/src/test/ruby/hbase/admin_test.rb @@ -426,7 +426,7 @@ module Hbase define_test "create should fail without columns when called with options" do drop_test_table(@create_test_name) assert_raise(ArgumentError) do - command(:create, @create_test_name, { OWNER => 'a' }) + command(:create, @create_test_name, { VERSIONS => '1' }) end end @@ -460,7 +460,6 @@ module Hbase define_test "create should be able to set table options" do drop_test_table(@create_test_name) command(:create, @create_test_name, 'a', 'b', 'MAX_FILESIZE' => 12345678, - OWNER => '987654321', PRIORITY => '77', FLUSH_POLICY => 'org.apache.hadoop.hbase.regionserver.FlushAllLargeStoresPolicy', REGION_MEMSTORE_REPLICATION => 'TRUE', 
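Review bot: In "create should fail without columns when called with options" the replacement argument `{ VERSIONS => '1' }` is a column-family attribute in the shell's own examples (`{NAME => 'f1', VERSIONS => 5}` in create.rb), not a table option. The test may therefore raise ArgumentError for a different reason than the one its name describes, although the code path is outside this hunk. A table-level option already used in the next test keeps the original intent: `command(:create, @create_test_name, { 'MAX_FILESIZE' => 12345678 })`.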
@@ -470,7 +469,6 @@ module Hbase MERGE_ENABLED => 'false') assert_equal(['a:', 'b:'], table(@create_test_name).get_all_columns.sort) assert_match(/12345678/, admin.describe(@create_test_name)) - assert_match(/987654321/, admin.describe(@create_test_name)) assert_match(/77/, admin.describe(@create_test_name)) assert_match(/'COMPACTION_ENABLED' => 'false'/, admin.describe(@create_test_name)) assert_match(/'SPLIT_ENABLED' => 'false'/, admin.describe(@create_test_name)) @@ -484,9 +482,8 @@ module Hbase define_test "create should ignore table_att" do drop_test_table(@create_test_name) - command(:create, @create_test_name, 'a', 'b', METHOD => 'table_att', OWNER => '987654321') + command(:create, @create_test_name, 'a', 'b', METHOD => 'table_att') assert_equal(['a:', 'b:'], table(@create_test_name).get_all_columns.sort) - assert_match(/987654321/, admin.describe(@create_test_name)) end define_test "create should work with SPLITALGO" do
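Review bot: After this change "create should ignore table_att" passes only `METHOD => 'table_att'` and asserts only the column list, so it no longer checks that a table option given alongside METHOD is still applied. The removed OWNER argument and its `assert_match(/987654321/, ...)` were what covered that. I would substitute another table option rather than drop the check: `command(:create, @create_test_name, 'a', 'b', METHOD => 'table_att', 'MAX_FILESIZE' => 12345678)` followed by `assert_match(/12345678/, admin.describe(@create_test_name))`.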