HBASE-10963 Refactor cell ACL tests
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1586785 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
49a3f5e4d1
commit
51c7b82c74
|
@ -18,6 +18,7 @@
|
|||
|
||||
package org.apache.hadoop.hbase.security.access;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
import java.io.IOException;
|
||||
|
@ -57,6 +58,7 @@ import com.google.protobuf.ServiceException;
|
|||
* Utility methods for testing security
|
||||
*/
|
||||
public class SecureTestUtil {
|
||||
|
||||
private static final Log LOG = LogFactory.getLog(SecureTestUtil.class);
|
||||
private static final int WAIT_TIME = 10000;
|
||||
|
||||
|
@ -85,6 +87,17 @@ public class SecureTestUtil {
|
|||
conf.setInt("hfile.format.version", 3);
|
||||
}
|
||||
|
||||
public static void verifyConfiguration(Configuration conf) {
|
||||
if (!(conf.get(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY).contains(
|
||||
AccessController.class.getName())
|
||||
&& conf.get(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY).contains(
|
||||
AccessController.class.getName()) && conf.get(
|
||||
CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY).contains(
|
||||
AccessController.class.getName()))) {
|
||||
throw new RuntimeException("AccessController is missing from a system coprocessor list");
|
||||
}
|
||||
}
|
||||
|
||||
public void checkTablePerms(Configuration conf, byte[] table, byte[] family, byte[] column,
|
||||
Permission.Action... actions) throws IOException {
|
||||
Permission[] perms = new Permission[actions.length];
|
||||
|
@ -148,6 +161,21 @@ public class SecureTestUtil {
|
|||
}
|
||||
}
|
||||
|
||||
public void verifyAllowed(User user, AccessTestAction action, int count) throws Exception {
|
||||
try {
|
||||
Object obj = user.runAs(action);
|
||||
if (obj != null && obj instanceof List<?>) {
|
||||
List<?> results = (List<?>) obj;
|
||||
if (results != null && results.isEmpty()) {
|
||||
fail("Empty non null results from action for user '" + user.getShortName() + "'");
|
||||
}
|
||||
assertEquals(results.size(), count);
|
||||
}
|
||||
} catch (AccessDeniedException ade) {
|
||||
fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
|
||||
}
|
||||
}
|
||||
|
||||
public void verifyDenied(User user, AccessTestAction... actions) throws Exception {
|
||||
for (AccessTestAction action : actions) {
|
||||
try {
|
||||
|
|
|
@ -24,8 +24,6 @@ import static org.junit.Assert.assertTrue;
|
|||
import static org.junit.Assert.fail;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.NavigableMap;
|
||||
|
@ -37,7 +35,6 @@ import org.apache.hadoop.fs.FileStatus;
|
|||
import org.apache.hadoop.fs.FileSystem;
|
||||
import org.apache.hadoop.fs.Path;
|
||||
import org.apache.hadoop.fs.permission.FsPermission;
|
||||
import org.apache.hadoop.hbase.Cell;
|
||||
import org.apache.hadoop.hbase.Coprocessor;
|
||||
import org.apache.hadoop.hbase.CoprocessorEnvironment;
|
||||
import org.apache.hadoop.hbase.HBaseTestingUtility;
|
||||
|
@ -61,7 +58,6 @@ import org.apache.hadoop.hbase.client.Put;
|
|||
import org.apache.hadoop.hbase.client.Result;
|
||||
import org.apache.hadoop.hbase.client.ResultScanner;
|
||||
import org.apache.hadoop.hbase.client.Scan;
|
||||
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
|
||||
import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
|
||||
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
|
||||
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
|
||||
|
@ -110,7 +106,6 @@ import org.junit.Rule;
|
|||
import org.junit.Test;
|
||||
import org.junit.experimental.categories.Category;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.protobuf.BlockingRpcChannel;
|
||||
import com.google.protobuf.RpcCallback;
|
||||
import com.google.protobuf.RpcController;
|
||||
|
@ -160,17 +155,6 @@ public class TestAccessController extends SecureTestUtil {
|
|||
private static RegionServerCoprocessorEnvironment RSCP_ENV;
|
||||
private RegionCoprocessorEnvironment RCP_ENV;
|
||||
|
||||
static void verifyConfiguration(Configuration conf) {
|
||||
if (!(conf.get(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY)
|
||||
.contains(AccessController.class.getName())
|
||||
&& conf.get(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY)
|
||||
.contains(AccessController.class.getName())
|
||||
&& conf.get(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY)
|
||||
.contains(AccessController.class.getName()))) {
|
||||
throw new RuntimeException("AccessController is missing from a system coprocessor list");
|
||||
}
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void setupBeforeClass() throws Exception {
|
||||
// setup configuration
|
||||
|
@ -181,7 +165,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
conf.set("hbase.master.logcleaner.plugins",
|
||||
"org.apache.hadoop.hbase.master.snapshot.SnapshotLogCleaner");
|
||||
// Enable security
|
||||
SecureTestUtil.enableSecurity(conf);
|
||||
enableSecurity(conf);
|
||||
// Verify enableSecurity sets up what we require
|
||||
verifyConfiguration(conf);
|
||||
|
||||
|
@ -237,25 +221,25 @@ public class TestAccessController extends SecureTestUtil {
|
|||
|
||||
// Set up initial grants
|
||||
|
||||
SecureTestUtil.grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(),
|
||||
grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(),
|
||||
Permission.Action.ADMIN,
|
||||
Permission.Action.CREATE,
|
||||
Permission.Action.READ,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, USER_RW.getShortName(),
|
||||
grantOnTable(TEST_UTIL, USER_RW.getShortName(),
|
||||
TEST_TABLE.getTableName(), TEST_FAMILY, null,
|
||||
Permission.Action.READ,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
// USER_CREATE is USER_RW plus CREATE permissions
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, USER_CREATE.getShortName(),
|
||||
grantOnTable(TEST_UTIL, USER_CREATE.getShortName(),
|
||||
TEST_TABLE.getTableName(), null, null,
|
||||
Permission.Action.CREATE,
|
||||
Permission.Action.READ,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, USER_RO.getShortName(),
|
||||
grantOnTable(TEST_UTIL, USER_RO.getShortName(),
|
||||
TEST_TABLE.getTableName(), TEST_FAMILY, null,
|
||||
Permission.Action.READ);
|
||||
|
||||
|
@ -955,383 +939,6 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyDenied(appendAction, USER_RO, USER_NONE);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCellPermissions() throws Exception {
|
||||
// table/column/qualifier level permissions
|
||||
final byte[] TEST_ROW = Bytes.toBytes("cellpermtest");
|
||||
final byte[] TEST_Q1 = Bytes.toBytes("q1");
|
||||
final byte[] TEST_Q2 = Bytes.toBytes("q2");
|
||||
final byte[] TEST_Q3 = Bytes.toBytes("q3");
|
||||
final byte[] TEST_Q4 = Bytes.toBytes("q4");
|
||||
// test value
|
||||
final byte[] ZERO = Bytes.toBytes(0L);
|
||||
|
||||
/* ---- Setup ---- */
|
||||
|
||||
// additional test user
|
||||
final User userOther = User.createUserForTesting(conf, "user_check_cell_perms_other",
|
||||
new String[0]);
|
||||
|
||||
// store two sets of values, one store with a cell level ACL, and one without
|
||||
verifyAllowed(new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Put p;
|
||||
// with ro ACL
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.READ));
|
||||
t.put(p);
|
||||
// with rw ACL
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
// no ACL
|
||||
p = new Put(TEST_ROW)
|
||||
.add(TEST_FAMILY, TEST_Q3, ZERO)
|
||||
.add(TEST_FAMILY, TEST_Q4, ZERO);
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}, USER_OWNER);
|
||||
|
||||
/* ---- Gets ---- */
|
||||
|
||||
AccessTestAction getQ1 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
return t.get(get).listCells();
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction getQ2 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
return t.get(get).listCells();
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction getQ3 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q3);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
return t.get(get).listCells();
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction getQ4 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q4);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
return t.get(get).listCells();
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
// Confirm special read access set at cell level
|
||||
|
||||
verifyAllowed(getQ1, userOther);
|
||||
verifyAllowed(getQ2, userOther);
|
||||
|
||||
// Confirm this access does not extend to other cells
|
||||
|
||||
verifyDenied(getQ3, userOther);
|
||||
verifyDenied(getQ4, userOther);
|
||||
|
||||
/* ---- Scans ---- */
|
||||
|
||||
// check that a scan over the test data returns the expected number of KVs
|
||||
|
||||
final List<Cell> scanResults = Lists.newArrayList();
|
||||
|
||||
AccessTestAction scanAction = new AccessTestAction() {
|
||||
@Override
|
||||
public List<Cell> run() throws Exception {
|
||||
Scan scan = new Scan();
|
||||
scan.setStartRow(TEST_ROW);
|
||||
scan.setStopRow(Bytes.add(TEST_ROW, new byte[]{ 0 } ));
|
||||
scan.addFamily(TEST_FAMILY);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
ResultScanner scanner = t.getScanner(scan);
|
||||
Result result = null;
|
||||
do {
|
||||
result = scanner.next();
|
||||
if (result != null) {
|
||||
scanResults.addAll(result.listCells());
|
||||
}
|
||||
} while (result != null);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return scanResults;
|
||||
}
|
||||
};
|
||||
|
||||
// owner will see all values
|
||||
scanResults.clear();
|
||||
verifyAllowed(scanAction, USER_OWNER);
|
||||
assertEquals(4, scanResults.size());
|
||||
|
||||
// other user will see 2 values
|
||||
scanResults.clear();
|
||||
verifyAllowed(scanAction, userOther);
|
||||
assertEquals(2, scanResults.size());
|
||||
|
||||
/* ---- Increments ---- */
|
||||
|
||||
AccessTestAction incrementQ1 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, 1L);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
t.increment(i);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction incrementQ2 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2, 1L);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
t.increment(i);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction incrementQ2newDenyACL = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2, 1L);
|
||||
// Tag this increment with an ACL that denies write permissions to userOther
|
||||
i.setACL(userOther.getShortName(), new Permission(Permission.Action.READ));
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
t.increment(i);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction incrementQ3 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q3, 1L);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
t.increment(i);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
verifyDenied(incrementQ1, userOther);
|
||||
verifyDenied(incrementQ3, userOther);
|
||||
|
||||
// We should be able to increment Q2 twice, the previous ACL will be
|
||||
// carried forward
|
||||
verifyAllowed(incrementQ2, userOther);
|
||||
verifyAllowed(incrementQ2newDenyACL, userOther);
|
||||
// But not again after we denied ourselves write permission with an ACL
|
||||
// update
|
||||
verifyDenied(incrementQ2, userOther);
|
||||
|
||||
/* ---- Deletes ---- */
|
||||
|
||||
AccessTestAction deleteFamily = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Delete delete = new Delete(TEST_ROW).deleteFamily(TEST_FAMILY);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
t.delete(delete);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
AccessTestAction deleteQ1 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Delete delete = new Delete(TEST_ROW).deleteColumn(TEST_FAMILY, TEST_Q1);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
t.delete(delete);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
};
|
||||
|
||||
verifyDenied(deleteFamily, userOther);
|
||||
verifyDenied(deleteQ1, userOther);
|
||||
verifyAllowed(deleteQ1, USER_OWNER);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCellPermissionsWithDeleteMutipleVersions() throws Exception {
|
||||
// table/column/qualifier level permissions
|
||||
final byte[] TEST_ROW1 = Bytes.toBytes("r1");
|
||||
final byte[] TEST_ROW2 = Bytes.toBytes("r2");
|
||||
final byte[] TEST_Q1 = Bytes.toBytes("q1");
|
||||
final byte[] TEST_Q2 = Bytes.toBytes("q2");
|
||||
final byte[] ZERO = Bytes.toBytes(0L);
|
||||
|
||||
// additional test user
|
||||
final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
|
||||
final User user2 = User.createUserForTesting(conf, "user2", new String[0]);
|
||||
|
||||
verifyAllowed(new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
// with rw ACL for "user1"
|
||||
Put p = new Put(TEST_ROW1);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(user1.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
// with rw ACL for "user1"
|
||||
p = new Put(TEST_ROW2);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(user1.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}, USER_OWNER);
|
||||
|
||||
verifyAllowed(new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
// with rw ACL for "user1" and "user2"
|
||||
Put p = new Put(TEST_ROW1);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
Map<String, Permission> perms = new HashMap<String, Permission>();
|
||||
perms.put(user1.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
perms.put(user2.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
p.setACL(perms);
|
||||
t.put(p);
|
||||
// with rw ACL for "user1" and "user2"
|
||||
p = new Put(TEST_ROW2);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(perms);
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}, user1);
|
||||
|
||||
// user1 should be allowed to delete TEST_ROW1 as he is having write permission on both
|
||||
// versions of the cells
|
||||
user1.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Delete d = new Delete(TEST_ROW1);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q1);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q2);
|
||||
t.delete(d);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
// user2 should not be allowed to delete TEST_ROW2 as he is having write permission only on one
|
||||
// version of the cells.
|
||||
user2.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Delete d = new Delete(TEST_ROW2);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q1);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q2);
|
||||
t.delete(d);
|
||||
fail("user2 should not be allowed to delete the row");
|
||||
} catch (Exception e) {
|
||||
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
// user1 should be allowed to delete the cf. (All data under cf for a row)
|
||||
user1.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Delete d = new Delete(TEST_ROW2);
|
||||
d.deleteFamily(TEST_FAMILY);
|
||||
t.delete(d);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGrantRevoke() throws Exception {
|
||||
AccessTestAction grantAction = new AccessTestAction() {
|
||||
|
@ -1568,9 +1175,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
|
||||
|
||||
// grant table read permission
|
||||
SecureTestUtil.grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
Permission.Action.READ);
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
tableName, null, null,
|
||||
Permission.Action.READ);
|
||||
|
||||
|
@ -1584,9 +1191,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
|
||||
|
||||
// grant table write permission while revoking read permissions
|
||||
SecureTestUtil.grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
Permission.Action.WRITE);
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
tableName, null, null,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
|
@ -1599,8 +1206,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
|
||||
|
||||
// revoke table permissions
|
||||
SecureTestUtil.revokeGlobal(TEST_UTIL, gblUser.getShortName());
|
||||
SecureTestUtil.revokeFromTable(TEST_UTIL, tblUser.getShortName(),
|
||||
revokeGlobal(TEST_UTIL, gblUser.getShortName());
|
||||
revokeFromTable(TEST_UTIL, tblUser.getShortName(),
|
||||
tableName, null, null);
|
||||
|
||||
verifyDenied(tblUser, getActionAll, getAction1, getAction2);
|
||||
|
@ -1612,9 +1219,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
|
||||
|
||||
// grant column family read permission
|
||||
SecureTestUtil.grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
Permission.Action.READ);
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
tableName, family1, null, Permission.Action.READ);
|
||||
|
||||
// Access should be denied for family2
|
||||
|
@ -1628,9 +1235,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
|
||||
|
||||
// grant column family write permission
|
||||
SecureTestUtil.grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
grantGlobal(TEST_UTIL, gblUser.getShortName(),
|
||||
Permission.Action.WRITE);
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
grantOnTable(TEST_UTIL, tblUser.getShortName(),
|
||||
tableName, family2, null, Permission.Action.WRITE);
|
||||
|
||||
// READ from family1, WRITE to family2 are allowed
|
||||
|
@ -1645,8 +1252,8 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
|
||||
|
||||
// revoke column family permission
|
||||
SecureTestUtil.revokeGlobal(TEST_UTIL, gblUser.getShortName());
|
||||
SecureTestUtil.revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null);
|
||||
revokeGlobal(TEST_UTIL, gblUser.getShortName());
|
||||
revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null);
|
||||
|
||||
// Revoke on family2 should not have impact on family1 permissions
|
||||
verifyAllowed(tblUser, getActionAll, getAction1);
|
||||
|
@ -1736,13 +1343,13 @@ public class TestAccessController extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
SecureTestUtil.revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null);
|
||||
revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null);
|
||||
|
||||
verifyDenied(user, getQualifierAction);
|
||||
verifyDenied(user, putQualifierAction);
|
||||
verifyDenied(user, deleteQualifierAction);
|
||||
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
tableName, family1, qualifier,
|
||||
Permission.Action.READ);
|
||||
|
||||
|
@ -1752,7 +1359,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
|
||||
// only grant write permission
|
||||
// TODO: comment this portion after HBASE-3583
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
tableName, family1, qualifier,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
|
@ -1761,7 +1368,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyAllowed(user, deleteQualifierAction);
|
||||
|
||||
// grant both read and write permission
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
tableName, family1, qualifier,
|
||||
Permission.Action.READ, Permission.Action.WRITE);
|
||||
|
||||
|
@ -1770,7 +1377,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyAllowed(user, deleteQualifierAction);
|
||||
|
||||
// revoke family level permission won't impact column level
|
||||
SecureTestUtil.revokeFromTable(TEST_UTIL, user.getShortName(),
|
||||
revokeFromTable(TEST_UTIL, user.getShortName(),
|
||||
tableName, family1, qualifier);
|
||||
|
||||
verifyDenied(user, getQualifierAction);
|
||||
|
@ -1828,7 +1435,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
hasFoundUserPermission(up, perms));
|
||||
|
||||
// grant read permission
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
tableName, family1, qualifier, Permission.Action.READ);
|
||||
|
||||
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
|
@ -1852,7 +1459,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
hasFoundUserPermission(upToVerify, perms));
|
||||
|
||||
// grant read+write
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
grantOnTable(TEST_UTIL, user.getShortName(),
|
||||
tableName, family1, qualifier,
|
||||
Permission.Action.WRITE, Permission.Action.READ);
|
||||
|
||||
|
@ -1872,7 +1479,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
hasFoundUserPermission(upToVerify, perms));
|
||||
|
||||
// revoke
|
||||
SecureTestUtil.revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
|
||||
revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
|
||||
Permission.Action.WRITE, Permission.Action.READ);
|
||||
|
||||
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
|
@ -2031,13 +1638,13 @@ public class TestAccessController extends SecureTestUtil {
|
|||
User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]);
|
||||
User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]);
|
||||
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, userTable.getShortName(),
|
||||
grantOnTable(TEST_UTIL, userTable.getShortName(),
|
||||
TEST_TABLE.getTableName(), null, null,
|
||||
Permission.Action.READ);
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, userColumn.getShortName(),
|
||||
grantOnTable(TEST_UTIL, userColumn.getShortName(),
|
||||
TEST_TABLE.getTableName(), TEST_FAMILY, null,
|
||||
Permission.Action.READ);
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, userQualifier.getShortName(),
|
||||
grantOnTable(TEST_UTIL, userQualifier.getShortName(),
|
||||
TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
|
||||
Permission.Action.READ);
|
||||
|
||||
|
@ -2252,7 +1859,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
String currentUser = User.getCurrent().getShortName();
|
||||
String activeUserForNewRs = currentUser + ".hfs." +
|
||||
hbaseCluster.getLiveRegionServerThreads().size();
|
||||
SecureTestUtil.grantGlobal(TEST_UTIL, activeUserForNewRs,
|
||||
grantGlobal(TEST_UTIL, activeUserForNewRs,
|
||||
Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
|
@ -2320,7 +1927,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]);
|
||||
|
||||
// Grant TABLE ADMIN privs
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
|
||||
grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
|
||||
TEST_TABLE.getTableName(), null, null,
|
||||
Permission.Action.ADMIN);
|
||||
|
||||
|
@ -2362,7 +1969,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
|
||||
|
||||
// Grant TABLE ADMIN privs
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
|
||||
grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
|
||||
TEST_TABLE.getTableName(), null, null,
|
||||
Permission.Action.ADMIN);
|
||||
|
||||
|
@ -2401,7 +2008,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyDenied(getAction, USER_NONE);
|
||||
|
||||
// Grant namespace READ to USER_NONE, this should supersede any table permissions
|
||||
SecureTestUtil.grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(),
|
||||
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(),
|
||||
TEST_TABLE.getTableName().getNamespaceAsString(),
|
||||
Permission.Action.READ);
|
||||
|
||||
|
@ -2471,7 +2078,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
User userA = User.createUserForTesting(conf, "UserA", new String[0]);
|
||||
User userB = User.createUserForTesting(conf, "UserB", new String[0]);
|
||||
|
||||
SecureTestUtil.grantOnTable(TEST_UTIL, userA.getShortName(),
|
||||
grantOnTable(TEST_UTIL, userA.getShortName(),
|
||||
TEST_TABLE.getTableName(), null, null,
|
||||
Permission.Action.EXEC);
|
||||
|
||||
|
@ -2495,7 +2102,7 @@ public class TestAccessController extends SecureTestUtil {
|
|||
verifyAllowed(execEndpointAction, userA);
|
||||
|
||||
// Now grant EXEC to the entire namespace to user B
|
||||
SecureTestUtil.grantOnNamespace(TEST_UTIL, userB.getShortName(),
|
||||
grantOnNamespace(TEST_UTIL, userB.getShortName(),
|
||||
TEST_TABLE.getTableName().getNamespaceAsString(),
|
||||
Permission.Action.EXEC);
|
||||
|
||||
|
|
|
@ -20,7 +20,9 @@ package org.apache.hadoop.hbase.security.access;
|
|||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
import java.util.List;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
@ -31,19 +33,20 @@ import org.apache.hadoop.hbase.HColumnDescriptor;
|
|||
import org.apache.hadoop.hbase.HTableDescriptor;
|
||||
import org.apache.hadoop.hbase.MediumTests;
|
||||
import org.apache.hadoop.hbase.TableNotFoundException;
|
||||
import org.apache.hadoop.hbase.client.Delete;
|
||||
import org.apache.hadoop.hbase.client.Get;
|
||||
import org.apache.hadoop.hbase.client.HBaseAdmin;
|
||||
import org.apache.hadoop.hbase.client.HTable;
|
||||
import org.apache.hadoop.hbase.client.Put;
|
||||
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
|
||||
import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
|
||||
import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
|
||||
import org.apache.hadoop.hbase.security.AccessDeniedException;
|
||||
import org.apache.hadoop.hbase.security.User;
|
||||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.apache.hadoop.hbase.util.TestTableName;
|
||||
|
||||
import org.apache.log4j.Level;
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
|
@ -51,6 +54,7 @@ import org.junit.BeforeClass;
|
|||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.experimental.categories.Category;
|
||||
|
||||
@Category(MediumTests.class)
|
||||
public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
||||
private static final Log LOG = LogFactory.getLog(TestCellACLWithMultipleVersions.class);
|
||||
|
@ -63,25 +67,16 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
|
||||
@Rule
|
||||
public TestTableName TEST_TABLE = new TestTableName();
|
||||
private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
|
||||
private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
|
||||
private static final byte[] TEST_FAMILY = Bytes.toBytes("f1");
|
||||
private static final byte[] TEST_ROW = Bytes.toBytes("cellpermtest");
|
||||
private static final byte[] TEST_Q1 = Bytes.toBytes("q1");
|
||||
private static final byte[] ZERO = Bytes.toBytes(0L);
|
||||
|
||||
private static Configuration conf;
|
||||
|
||||
// user is table owner. will have all permissions on table
|
||||
private static User USER_OWNER;
|
||||
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
|
||||
|
||||
private static AccessController ACCESS_CONTROLLER;
|
||||
|
||||
static void verifyConfiguration(Configuration conf) {
|
||||
if (!(conf.get(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY).contains(
|
||||
AccessController.class.getName())
|
||||
&& conf.get(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY).contains(
|
||||
AccessController.class.getName()) && conf.get(
|
||||
CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY).contains(
|
||||
AccessController.class.getName()))) {
|
||||
throw new RuntimeException("AccessController is missing from a system coprocessor list");
|
||||
}
|
||||
}
|
||||
private static User USER_OTHER;
|
||||
|
||||
@BeforeClass
|
||||
public static void setupBeforeClass() throws Exception {
|
||||
|
@ -93,7 +88,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
conf.set("hbase.master.logcleaner.plugins",
|
||||
"org.apache.hadoop.hbase.master.snapshot.SnapshotLogCleaner");
|
||||
// Enable security
|
||||
SecureTestUtil.enableSecurity(conf);
|
||||
enableSecurity(conf);
|
||||
// Verify enableSecurity sets up what we require
|
||||
verifyConfiguration(conf);
|
||||
|
||||
|
@ -104,19 +99,19 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
MasterCoprocessorHost cpHost = TEST_UTIL.getMiniHBaseCluster().getMaster()
|
||||
.getMasterCoprocessorHost();
|
||||
cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
|
||||
ACCESS_CONTROLLER = (AccessController) cpHost.findCoprocessor(AccessController.class.getName());
|
||||
cpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
|
||||
Coprocessor.PRIORITY_HIGHEST, 1, conf);
|
||||
AccessController ac = (AccessController)
|
||||
cpHost.findCoprocessor(AccessController.class.getName());
|
||||
cpHost.createEnvironment(AccessController.class, ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
|
||||
RegionServerCoprocessorHost rsHost = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0)
|
||||
.getRegionServerCoprocessorHost();
|
||||
rsHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
|
||||
Coprocessor.PRIORITY_HIGHEST, 1, conf);
|
||||
rsHost.createEnvironment(AccessController.class, ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
|
||||
|
||||
// Wait for the ACL table to become available
|
||||
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
|
||||
|
||||
// create a set of test users
|
||||
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
|
||||
USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
|
@ -139,19 +134,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
|
||||
@Test
|
||||
public void testCellPermissionwithVersions() throws Exception {
|
||||
// table/column/qualifier level permissions
|
||||
final byte[] TEST_ROW = Bytes.toBytes("cellpermtest");
|
||||
final byte[] TEST_ROW1 = Bytes.toBytes("cellpermtest1");
|
||||
final byte[] TEST_Q1 = Bytes.toBytes("q1");
|
||||
// test value
|
||||
final byte[] ZERO = Bytes.toBytes(0L);
|
||||
|
||||
/* ---- Setup ---- */
|
||||
|
||||
// additional test user
|
||||
final User userOther = User.createUserForTesting(conf, "user_check_cell_perms_other",
|
||||
new String[0]);
|
||||
|
||||
// store two sets of values, one store with a cell level ACL, and one
|
||||
// without
|
||||
verifyAllowed(new AccessTestAction() {
|
||||
|
@ -162,20 +144,20 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
Put p;
|
||||
// with ro ACL
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
// with ro ACL
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.READ));
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
|
||||
t.put(p);
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.READ));
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
|
||||
t.put(p);
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
|
@ -203,7 +185,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
AccessTestAction get2 = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Get get = new Get(TEST_ROW1);
|
||||
Get get = new Get(TEST_ROW);
|
||||
get.setMaxVersions(10);
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
|
@ -215,7 +197,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
};
|
||||
// Confirm special read access set at cell level
|
||||
|
||||
verifyAllowed(userOther, getQ1, 2);
|
||||
verifyAllowed(USER_OTHER, getQ1, 2);
|
||||
|
||||
// store two sets of values, one store with a cell level ACL, and one
|
||||
// without
|
||||
|
@ -225,14 +207,14 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Put p;
|
||||
p = new Put(TEST_ROW1).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
p = new Put(TEST_ROW1).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.READ));
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
|
||||
t.put(p);
|
||||
p = new Put(TEST_ROW1).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(userOther.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
|
@ -242,22 +224,129 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
|
|||
}, USER_OWNER);
|
||||
// Confirm special read access set at cell level
|
||||
|
||||
verifyAllowed(userOther, get2, 1);
|
||||
verifyAllowed(USER_OTHER, get2, 1);
|
||||
}
|
||||
|
||||
public void verifyAllowed(User user, AccessTestAction action, int count) throws Exception {
|
||||
try {
|
||||
Object obj = user.runAs(action);
|
||||
if (obj != null && obj instanceof List<?>) {
|
||||
List<?> results = (List<?>) obj;
|
||||
if (results != null && results.isEmpty()) {
|
||||
fail("Empty non null results from action for user '" + user.getShortName() + "'");
|
||||
@Test
|
||||
public void testCellPermissionsWithDeleteMutipleVersions() throws Exception {
|
||||
// table/column/qualifier level permissions
|
||||
final byte[] TEST_ROW1 = Bytes.toBytes("r1");
|
||||
final byte[] TEST_ROW2 = Bytes.toBytes("r2");
|
||||
final byte[] TEST_Q1 = Bytes.toBytes("q1");
|
||||
final byte[] TEST_Q2 = Bytes.toBytes("q2");
|
||||
final byte[] ZERO = Bytes.toBytes(0L);
|
||||
|
||||
// additional test user
|
||||
final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
|
||||
final User user2 = User.createUserForTesting(conf, "user2", new String[0]);
|
||||
|
||||
verifyAllowed(new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
// with rw ACL for "user1"
|
||||
Put p = new Put(TEST_ROW1);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(user1.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
// with rw ACL for "user1"
|
||||
p = new Put(TEST_ROW2);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(user1.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
assertEquals(results.size(), count);
|
||||
return null;
|
||||
}
|
||||
} catch (AccessDeniedException ade) {
|
||||
fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
|
||||
}
|
||||
}, USER_OWNER);
|
||||
|
||||
verifyAllowed(new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
// with rw ACL for "user1" and "user2"
|
||||
Put p = new Put(TEST_ROW1);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
Map<String, Permission> perms = new HashMap<String, Permission>();
|
||||
perms.put(user1.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
perms.put(user2.getShortName(), new Permission(Permission.Action.READ,
|
||||
Permission.Action.WRITE));
|
||||
p.setACL(perms);
|
||||
t.put(p);
|
||||
// with rw ACL for "user1" and "user2"
|
||||
p = new Put(TEST_ROW2);
|
||||
p.add(TEST_FAMILY, TEST_Q1, ZERO);
|
||||
p.add(TEST_FAMILY, TEST_Q2, ZERO);
|
||||
p.setACL(perms);
|
||||
t.put(p);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}, user1);
|
||||
|
||||
// user1 should be allowed to delete TEST_ROW1 as he is having write permission on both
|
||||
// versions of the cells
|
||||
user1.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Delete d = new Delete(TEST_ROW1);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q1);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q2);
|
||||
t.delete(d);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
// user2 should not be allowed to delete TEST_ROW2 as he is having write permission only on one
|
||||
// version of the cells.
|
||||
user2.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Delete d = new Delete(TEST_ROW2);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q1);
|
||||
d.deleteColumns(TEST_FAMILY, TEST_Q2);
|
||||
t.delete(d);
|
||||
fail("user2 should not be allowed to delete the row");
|
||||
} catch (Exception e) {
|
||||
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
// user1 should be allowed to delete the cf. (All data under cf for a row)
|
||||
user1.runAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
HTable t = new HTable(conf, TEST_TABLE.getTableName());
|
||||
try {
|
||||
Delete d = new Delete(TEST_ROW2);
|
||||
d.deleteFamily(TEST_FAMILY);
|
||||
t.delete(d);
|
||||
} finally {
|
||||
t.close();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@After
|
||||
|
|
|
@ -66,7 +66,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
@BeforeClass
|
||||
public static void beforeClass() throws Exception {
|
||||
conf = UTIL.getConfiguration();
|
||||
SecureTestUtil.enableSecurity(conf);
|
||||
enableSecurity(conf);
|
||||
|
||||
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
||||
USER_RW = User.createUserForTesting(conf, "rw_user", new String[0]);
|
||||
|
@ -83,7 +83,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
|
||||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
|
||||
|
||||
SecureTestUtil.grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
|
||||
grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
|
||||
TestNamespace, Permission.Action.WRITE);
|
||||
}
|
||||
|
||||
|
@ -99,7 +99,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
try {
|
||||
// Grant and check state in ACL table
|
||||
SecureTestUtil.grantOnNamespace(UTIL, userTestNamespace, TestNamespace,
|
||||
grantOnNamespace(UTIL, userTestNamespace, TestNamespace,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
|
||||
|
@ -118,7 +118,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getActions()[0]);
|
||||
|
||||
// Revoke and check state in ACL table
|
||||
SecureTestUtil.revokeFromNamespace(UTIL, userTestNamespace, TestNamespace,
|
||||
revokeFromNamespace(UTIL, userTestNamespace, TestNamespace,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace);
|
||||
|
|
Loading…
Reference in New Issue