HBASE-6157. Revoke of Global permission is not taking effect without restart (Laxman)

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1348468 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Andrew Kyle Purtell 2012-06-09 18:19:46 +00:00
parent f82402aeab
commit 6610703576
2 changed files with 110 additions and 110 deletions

View File

@ -121,6 +121,14 @@ public class TableAuthManager {
* @param userPerms * @param userPerms
*/ */
private void updateGlobalCache(ListMultimap<String,TablePermission> userPerms) { private void updateGlobalCache(ListMultimap<String,TablePermission> userPerms) {
USER_CACHE.clear();
GROUP_CACHE.clear();
try {
initGlobal(conf);
} catch (IOException e) {
// Never happens
LOG.error("Error occured while updating the user cache", e);
}
for (Map.Entry<String,TablePermission> entry : userPerms.entries()) { for (Map.Entry<String,TablePermission> entry : userPerms.entries()) {
if (AccessControlLists.isGroupPrincipal(entry.getKey())) { if (AccessControlLists.isGroupPrincipal(entry.getKey())) {
GROUP_CACHE.put(AccessControlLists.getGroupName(entry.getKey()), GROUP_CACHE.put(AccessControlLists.getGroupName(entry.getKey()),

View File

@ -145,13 +145,14 @@ public class TestAccessController {
TEST_UTIL.shutdownMiniCluster(); TEST_UTIL.shutdownMiniCluster();
} }
public void verifyAllowed(User user, PrivilegedExceptionAction action) public void verifyAllowed(User user, PrivilegedExceptionAction... actions)
throws Exception { throws Exception {
try { for (PrivilegedExceptionAction action : actions) {
user.runAs(action); try {
} catch (AccessDeniedException ade) { user.runAs(action);
fail("Expected action to pass for user '" + user.getShortName() + } catch (AccessDeniedException ade) {
"' but was denied"); fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
}
} }
} }
@ -162,28 +163,29 @@ public class TestAccessController {
} }
} }
public void verifyDenied(User user, PrivilegedExceptionAction action) public void verifyDenied(User user, PrivilegedExceptionAction... actions)
throws Exception { throws Exception {
try { for (PrivilegedExceptionAction action : actions) {
user.runAs(action); try {
fail("Expected AccessDeniedException for user '" + user.getShortName() + "'"); user.runAs(action);
} catch (RetriesExhaustedWithDetailsException e) { fail("Expected AccessDeniedException for user '" + user.getShortName() + "'");
// in case of batch operations, and put, the client assembles a } catch (RetriesExhaustedWithDetailsException e) {
// RetriesExhaustedWithDetailsException instead of throwing an // in case of batch operations, and put, the client assembles a
// AccessDeniedException // RetriesExhaustedWithDetailsException instead of throwing an
boolean isAccessDeniedException = false; // AccessDeniedException
for ( Throwable ex : e.getCauses()) { boolean isAccessDeniedException = false;
if (ex instanceof AccessDeniedException) { for (Throwable ex : e.getCauses()) {
isAccessDeniedException = true; if (ex instanceof AccessDeniedException) {
break; isAccessDeniedException = true;
break;
}
} }
if (!isAccessDeniedException) {
fail("Not receiving AccessDeniedException for user '" + user.getShortName() + "'");
}
} catch (AccessDeniedException ade) {
// expected result
} }
if (!isAccessDeniedException ) {
fail("Not receiving AccessDeniedException for user '" +
user.getShortName() + "'");
}
} catch (AccessDeniedException ade) {
// expected result
} }
} }
@ -693,8 +695,8 @@ public class TestAccessController {
admin.createTable(htd); admin.createTable(htd);
// create temp users // create temp users
User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), User tblUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]);
"user", new String[0]); User gblUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]);
// perms only stored against the first region // perms only stored against the first region
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
@ -789,120 +791,110 @@ public class TestAccessController {
}; };
// initial check: // initial check:
verifyDenied(user, getActionAll); verifyDenied(tblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, getAction1); verifyDenied(tblUser, putActionAll, putAction1, putAction2);
verifyDenied(user, getAction2); verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, putActionAll); verifyDenied(gblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, putAction1); verifyDenied(gblUser, putActionAll, putAction1, putAction2);
verifyDenied(user, putAction2); verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, deleteActionAll);
verifyDenied(user, deleteAction1);
verifyDenied(user, deleteAction2);
// grant table read permission // grant table read permission
protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
tableName, null, Permission.Action.READ)); Permission.Action.READ));
protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()), Permission.Action.READ));
Thread.sleep(100); Thread.sleep(100);
// check // check
verifyAllowed(user, getActionAll); verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
verifyAllowed(user, getAction1); verifyDenied(tblUser, putActionAll, putAction1, putAction2);
verifyAllowed(user, getAction2); verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, putActionAll); verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, putAction1); verifyDenied(gblUser, putActionAll, putAction1, putAction2);
verifyDenied(user, putAction2); verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, deleteActionAll);
verifyDenied(user, deleteAction1);
verifyDenied(user, deleteAction2);
// grant table write permission // grant table write permission
protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
tableName, null, Permission.Action.WRITE)); Permission.Action.WRITE));
protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
Permission.Action.WRITE));
Thread.sleep(100); Thread.sleep(100);
verifyDenied(user, getActionAll);
verifyDenied(user, getAction1);
verifyDenied(user, getAction2);
verifyAllowed(user, putActionAll); verifyDenied(tblUser, getActionAll, getAction1, getAction2);
verifyAllowed(user, putAction1); verifyAllowed(tblUser, putActionAll, putAction1, putAction2);
verifyAllowed(user, putAction2); verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyAllowed(user, deleteActionAll); verifyDenied(gblUser, getActionAll, getAction1, getAction2);
verifyAllowed(user, deleteAction1); verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
verifyAllowed(user, deleteAction2); verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// revoke table permission // revoke table permission
protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
tableName, null, Permission.Action.READ, Permission.Action.WRITE)); Permission.Action.READ, Permission.Action.WRITE));
protocol.revoke(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null));
protocol.revoke(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.revoke(new UserPermission(Bytes.toBytes(gblUser.getShortName())));
tableName, null));
Thread.sleep(100); Thread.sleep(100);
verifyDenied(user, getActionAll);
verifyDenied(user, getAction1);
verifyDenied(user, getAction2);
verifyDenied(user, putActionAll); verifyDenied(tblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, putAction1); verifyDenied(tblUser, putActionAll, putAction1, putAction2);
verifyDenied(user, putAction2); verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, deleteActionAll); verifyDenied(gblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, deleteAction1); verifyDenied(gblUser, putActionAll, putAction1, putAction2);
verifyDenied(user, deleteAction2); verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// grant column family read permission // grant column family read permission
protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family1,
tableName, family1, Permission.Action.READ)); Permission.Action.READ));
protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()), Permission.Action.READ));
Thread.sleep(100); Thread.sleep(100);
verifyAllowed(user, getActionAll); // Access should be denied for family2
verifyAllowed(user, getAction1); verifyAllowed(tblUser, getActionAll, getAction1);
verifyDenied(user, getAction2); verifyDenied(tblUser, getAction2);
verifyDenied(tblUser, putActionAll, putAction1, putAction2);
verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, putActionAll); verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, putAction1); verifyDenied(gblUser, putActionAll, putAction1, putAction2);
verifyDenied(user, putAction2); verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, deleteActionAll);
verifyDenied(user, deleteAction1);
verifyDenied(user, deleteAction2);
// grant column family write permission // grant column family write permission
protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family2,
tableName, family2, Permission.Action.WRITE)); Permission.Action.WRITE));
protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
Permission.Action.WRITE));
Thread.sleep(100); Thread.sleep(100);
verifyAllowed(user, getActionAll); // READ from family1, WRITE to family2 are allowed
verifyAllowed(user, getAction1); verifyAllowed(tblUser, getActionAll, getAction1);
verifyDenied(user, getAction2); verifyAllowed(tblUser, putAction2, deleteAction2);
verifyDenied(tblUser, getAction2);
verifyDenied(tblUser, putActionAll, putAction1);
verifyDenied(tblUser, deleteActionAll, deleteAction1);
verifyDenied(user, putActionAll); verifyDenied(gblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, putAction1); verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
verifyAllowed(user, putAction2); verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, deleteActionAll);
verifyDenied(user, deleteAction1);
verifyAllowed(user, deleteAction2);
// revoke column family permission // revoke column family permission
protocol.revoke(new UserPermission(Bytes.toBytes(user.getShortName()), protocol.revoke(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family2));
tableName, family2)); protocol.revoke(new UserPermission(Bytes.toBytes(gblUser.getShortName())));
Thread.sleep(100); Thread.sleep(100);
verifyAllowed(user, getActionAll); // Revoke on family2 should not have impact on family1 permissions
verifyAllowed(user, getAction1); verifyAllowed(tblUser, getActionAll, getAction1);
verifyDenied(user, getAction2); verifyDenied(tblUser, getAction2);
verifyDenied(tblUser, putActionAll, putAction1, putAction2);
verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, putActionAll); // Should not have access as global permissions are completely revoked
verifyDenied(user, putAction1); verifyDenied(gblUser, getActionAll, getAction1, getAction2);
verifyDenied(user, putAction2); verifyDenied(gblUser, putActionAll, putAction1, putAction2);
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
verifyDenied(user, deleteActionAll);
verifyDenied(user, deleteAction1);
verifyDenied(user, deleteAction2);
// delete table // delete table
admin.disableTable(tableName); admin.disableTable(tableName);