HBASE-10326 Super user should be able scan all the cells irrespective of the visibility labels(Ram)
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1557792 13f79535-47bb-0310-9956-ffa450edef68
parent
634b1a4f1a
commit
721147acf5
|
@ -855,6 +855,11 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb
|
||||||
RegionScanner s) throws IOException {
|
RegionScanner s) throws IOException {
|
||||||
HRegion region = e.getEnvironment().getRegion();
|
HRegion region = e.getEnvironment().getRegion();
|
||||||
Authorizations authorizations = null;
|
Authorizations authorizations = null;
|
||||||
|
// If a super user issues a scan, he should be able to scan the cells
|
||||||
|
// irrespective of the Visibility labels
|
||||||
|
if (checkIfScanOrGetFromSuperUser()) {
|
||||||
|
return s;
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
authorizations = scan.getAuthorizations();
|
authorizations = scan.getAuthorizations();
|
||||||
} catch (DeserializationException de) {
|
} catch (DeserializationException de) {
|
||||||
|
@ -872,6 +877,15 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean checkIfScanOrGetFromSuperUser() throws IOException {
|
||||||
|
User user = getActiveUser();
|
||||||
|
if (user != null && user.getShortName() != null) {
|
||||||
|
List<String> auths = this.visibilityManager.getAuths(user.getShortName());
|
||||||
|
return (auths.contains(SYSTEM_LABEL));
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,
|
public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,
|
||||||
final Scan scan, final RegionScanner s) throws IOException {
|
final Scan scan, final RegionScanner s) throws IOException {
|
||||||
|
@ -921,6 +935,11 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb
|
||||||
public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> e, Get get, List<Cell> results)
|
public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> e, Get get, List<Cell> results)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
Authorizations authorizations = null;
|
Authorizations authorizations = null;
|
||||||
|
// If a super user issues a get, he should be able to scan the cells
|
||||||
|
// irrespective of the Visibility labels
|
||||||
|
if (checkIfScanOrGetFromSuperUser()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
authorizations = get.getAuthorizations();
|
authorizations = get.getAuthorizations();
|
||||||
} catch (DeserializationException de) {
|
} catch (DeserializationException de) {
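Review bot: `checkIfScanOrGetFromSuperUser` returns `auths.contains(SYSTEM_LABEL)` without guarding `auths`, so if `visibilityManager.getAuths` can return null for a user with no labels the bypass check throws on the scan/get path instead of returning false; `return auths != null && auths.contains(SYSTEM_LABEL);` closes that. Its name also overstates what it checks: the decision is keyed on the user holding SYSTEM_LABEL in the label store, not on the `hbase.superuser` configuration, and that contract belongs in a Javadoc such as `/** True iff the active user has been granted SYSTEM_LABEL; such users bypass visibility filtering on scan and get entirely, including any narrower Authorizations carried on the request. */`. Because the early `return s;` / `return;` happens before `getAuthorizations()` is read, everything below the bypass in preScannerOpen and preGetOp is skipped for these users; both enclosing methods continue outside the hunks, so confirm nothing further down is still required for them. The comment on the get path reads "he should be able to scan the cells" and should say `// If a super user issues a get, he should be able to read the cells`.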
|
||||||
|
|
|
@ -101,7 +101,7 @@ public class TestVisibilityLabels {
|
||||||
conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
|
conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
|
||||||
ScanLabelGenerator.class);
|
ScanLabelGenerator.class);
|
||||||
String currentUser = User.getCurrent().getName();
|
String currentUser = User.getCurrent().getName();
|
||||||
conf.set("hbase.superuser", "admin,"+currentUser);
|
conf.set("hbase.superuser", "admin");
|
||||||
TEST_UTIL.startMiniCluster(2);
|
TEST_UTIL.startMiniCluster(2);
|
||||||
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
||||||
|
|
||||||
|
@ -367,12 +367,19 @@ public class TestVisibilityLabels {
|
||||||
// Start one new RS
|
// Start one new RS
|
||||||
RegionServerThread rs = TEST_UTIL.getHBaseCluster().startRegionServer();
|
RegionServerThread rs = TEST_UTIL.getHBaseCluster().startRegionServer();
|
||||||
waitForLabelsRegionAvailability(rs.getRegionServer());
|
waitForLabelsRegionAvailability(rs.getRegionServer());
|
||||||
String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, "ABC", "XYZ" };
|
PrivilegedExceptionAction<VisibilityLabelsResponse> action =
|
||||||
try {
|
new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
|
||||||
VisibilityClient.addLabels(conf, labels);
|
public VisibilityLabelsResponse run() throws Exception {
|
||||||
} catch (Throwable t) {
|
String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, "ABC", "XYZ" };
|
||||||
throw new IOException(t);
|
try {
|
||||||
}
|
VisibilityClient.addLabels(conf, labels);
|
||||||
|
} catch (Throwable t) {
|
||||||
|
throw new IOException(t);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(action);
|
||||||
// Scan the visibility label
|
// Scan the visibility label
|
||||||
Scan s = new Scan();
|
Scan s = new Scan();
|
||||||
s.setAuthorizations(new Authorizations(VisibilityUtils.SYSTEM_LABEL));
|
s.setAuthorizations(new Authorizations(VisibilityUtils.SYSTEM_LABEL));
|
||||||
|
@ -437,24 +444,45 @@ public class TestVisibilityLabels {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testAddLabels() throws Throwable {
|
public void testAddLabels() throws Throwable {
|
||||||
String[] labels = { "L1", SECRET, "L2", "invalid~", "L3" };
|
PrivilegedExceptionAction<VisibilityLabelsResponse> action =
|
||||||
VisibilityLabelsResponse response = VisibilityClient.addLabels(conf, labels);
|
new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
|
||||||
List<RegionActionResult> resultList = response.getResultList();
|
public VisibilityLabelsResponse run() throws Exception {
|
||||||
assertEquals(5, resultList.size());
|
String[] labels = { "L1", SECRET, "L2", "invalid~", "L3" };
|
||||||
assertTrue(resultList.get(0).getException().getValue().isEmpty());
|
VisibilityLabelsResponse response = null;
|
||||||
assertEquals("org.apache.hadoop.hbase.security.visibility.LabelAlreadyExistsException",
|
try {
|
||||||
resultList.get(1).getException().getName());
|
response = VisibilityClient.addLabels(conf, labels);
|
||||||
assertTrue(resultList.get(2).getException().getValue().isEmpty());
|
} catch (Throwable e) {
|
||||||
assertEquals("org.apache.hadoop.hbase.security.visibility.InvalidLabelException", resultList
|
fail("Should not have thrown exception");
|
||||||
.get(3).getException().getName());
|
}
|
||||||
assertTrue(resultList.get(4).getException().getValue().isEmpty());
|
List<RegionActionResult> resultList = response.getResultList();
|
||||||
|
assertEquals(5, resultList.size());
|
||||||
|
assertTrue(resultList.get(0).getException().getValue().isEmpty());
|
||||||
|
assertEquals("org.apache.hadoop.hbase.security.visibility.LabelAlreadyExistsException",
|
||||||
|
resultList.get(1).getException().getName());
|
||||||
|
assertTrue(resultList.get(2).getException().getValue().isEmpty());
|
||||||
|
assertEquals("org.apache.hadoop.hbase.security.visibility.InvalidLabelException",
|
||||||
|
resultList.get(3).getException().getName());
|
||||||
|
assertTrue(resultList.get(4).getException().getValue().isEmpty());
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(action);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSetAndGetUserAuths() throws Throwable {
|
public void testSetAndGetUserAuths() throws Throwable {
|
||||||
String[] auths = { SECRET, CONFIDENTIAL };
|
final String user = "user1";
|
||||||
String user = "user1";
|
PrivilegedExceptionAction<Void> action = new PrivilegedExceptionAction<Void>() {
|
||||||
VisibilityClient.setAuths(conf, auths, user);
|
public Void run() throws Exception {
|
||||||
|
String[] auths = { SECRET, CONFIDENTIAL };
|
||||||
|
try {
|
||||||
|
VisibilityClient.setAuths(conf, auths, user);
|
||||||
|
} catch (Throwable e) {
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(action);
|
||||||
HTable ht = null;
|
HTable ht = null;
|
||||||
try {
|
try {
|
||||||
ht = new HTable(conf, LABELS_TABLE_NAME);
|
ht = new HTable(conf, LABELS_TABLE_NAME);
|
||||||
|
@ -477,73 +505,117 @@ public class TestVisibilityLabels {
|
||||||
ht.close();
|
ht.close();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
GetAuthsResponse authsResponse = VisibilityClient.getAuths(conf, user);
|
|
||||||
List<String> authsList = new ArrayList<String>();
|
action = new PrivilegedExceptionAction<Void>() {
|
||||||
for (ByteString authBS : authsResponse.getAuthList()) {
|
public Void run() throws Exception {
|
||||||
authsList.add(Bytes.toString(authBS.toByteArray()));
|
GetAuthsResponse authsResponse = null;
|
||||||
}
|
try {
|
||||||
assertEquals(2, authsList.size());
|
authsResponse = VisibilityClient.getAuths(conf, user);
|
||||||
assertTrue(authsList.contains(SECRET));
|
} catch (Throwable e) {
|
||||||
assertTrue(authsList.contains(CONFIDENTIAL));
|
fail("Should not have failed");
|
||||||
|
}
|
||||||
|
List<String> authsList = new ArrayList<String>();
|
||||||
|
for (ByteString authBS : authsResponse.getAuthList()) {
|
||||||
|
authsList.add(Bytes.toString(authBS.toByteArray()));
|
||||||
|
}
|
||||||
|
assertEquals(2, authsList.size());
|
||||||
|
assertTrue(authsList.contains(SECRET));
|
||||||
|
assertTrue(authsList.contains(CONFIDENTIAL));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(action);
|
||||||
|
|
||||||
// Try doing setAuths once again and there should not be any duplicates
|
// Try doing setAuths once again and there should not be any duplicates
|
||||||
String[] auths1 = { SECRET, CONFIDENTIAL };
|
action = new PrivilegedExceptionAction<Void>() {
|
||||||
user = "user1";
|
public Void run() throws Exception {
|
||||||
VisibilityClient.setAuths(conf, auths1, user);
|
String[] auths1 = { SECRET, CONFIDENTIAL };
|
||||||
|
GetAuthsResponse authsResponse = null;
|
||||||
authsResponse = VisibilityClient.getAuths(conf, user);
|
try {
|
||||||
authsList = new ArrayList<String>();
|
VisibilityClient.setAuths(conf, auths1, user);
|
||||||
for (ByteString authBS : authsResponse.getAuthList()) {
|
try {
|
||||||
authsList.add(Bytes.toString(authBS.toByteArray()));
|
authsResponse = VisibilityClient.getAuths(conf, user);
|
||||||
}
|
} catch (Throwable e) {
|
||||||
assertEquals(2, authsList.size());
|
fail("Should not have failed");
|
||||||
assertTrue(authsList.contains(SECRET));
|
}
|
||||||
assertTrue(authsList.contains(CONFIDENTIAL));
|
} catch (Throwable e) {
|
||||||
|
}
|
||||||
|
List<String> authsList = new ArrayList<String>();
|
||||||
|
for (ByteString authBS : authsResponse.getAuthList()) {
|
||||||
|
authsList.add(Bytes.toString(authBS.toByteArray()));
|
||||||
|
}
|
||||||
|
assertEquals(2, authsList.size());
|
||||||
|
assertTrue(authsList.contains(SECRET));
|
||||||
|
assertTrue(authsList.contains(CONFIDENTIAL));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(action);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testClearUserAuths() throws Throwable {
|
public void testClearUserAuths() throws Throwable {
|
||||||
String[] auths = { SECRET, CONFIDENTIAL, PRIVATE };
|
PrivilegedExceptionAction<Void> action = new PrivilegedExceptionAction<Void>() {
|
||||||
String user = "testUser";
|
public Void run() throws Exception {
|
||||||
VisibilityClient.setAuths(conf, auths, user);
|
String[] auths = { SECRET, CONFIDENTIAL, PRIVATE };
|
||||||
// Removing the auths for SECRET and CONFIDENTIAL for the user.
|
String user = "testUser";
|
||||||
// Passing a non existing auth also.
|
try {
|
||||||
auths = new String[] { SECRET, PUBLIC, CONFIDENTIAL };
|
VisibilityClient.setAuths(conf, auths, user);
|
||||||
VisibilityLabelsResponse response = VisibilityClient.clearAuths(conf, auths, user);
|
} catch (Throwable e) {
|
||||||
List<RegionActionResult> resultList = response.getResultList();
|
fail("Should not have failed");
|
||||||
assertEquals(3, resultList.size());
|
}
|
||||||
assertTrue(resultList.get(0).getException().getValue().isEmpty());
|
// Removing the auths for SECRET and CONFIDENTIAL for the user.
|
||||||
assertEquals("org.apache.hadoop.hbase.security.visibility.InvalidLabelException",
|
// Passing a non existing auth also.
|
||||||
resultList.get(1).getException().getName());
|
auths = new String[] { SECRET, PUBLIC, CONFIDENTIAL };
|
||||||
assertTrue(resultList.get(2).getException().getValue().isEmpty());
|
VisibilityLabelsResponse response = null;
|
||||||
HTable ht = null;
|
try {
|
||||||
try {
|
response = VisibilityClient.clearAuths(conf, auths, user);
|
||||||
ht = new HTable(conf, LABELS_TABLE_NAME);
|
} catch (Throwable e) {
|
||||||
ResultScanner scanner = ht.getScanner(new Scan());
|
fail("Should not have failed");
|
||||||
Result result = null;
|
}
|
||||||
while ((result = scanner.next()) != null) {
|
List<RegionActionResult> resultList = response.getResultList();
|
||||||
Cell label = result.getColumnLatestCell(LABELS_TABLE_FAMILY, LABEL_QUALIFIER);
|
assertEquals(3, resultList.size());
|
||||||
Cell userAuth = result.getColumnLatestCell(LABELS_TABLE_FAMILY, user.getBytes());
|
assertTrue(resultList.get(0).getException().getValue().isEmpty());
|
||||||
if (Bytes.equals(PRIVATE.getBytes(), 0, PRIVATE.getBytes().length, label.getValueArray(),
|
assertEquals("org.apache.hadoop.hbase.security.visibility.InvalidLabelException",
|
||||||
label.getValueOffset(), label.getValueLength())) {
|
resultList.get(1).getException().getName());
|
||||||
assertNotNull(userAuth);
|
assertTrue(resultList.get(2).getException().getValue().isEmpty());
|
||||||
} else {
|
HTable ht = null;
|
||||||
assertNull(userAuth);
|
try {
|
||||||
|
ht = new HTable(conf, LABELS_TABLE_NAME);
|
||||||
|
ResultScanner scanner = ht.getScanner(new Scan());
|
||||||
|
Result result = null;
|
||||||
|
while ((result = scanner.next()) != null) {
|
||||||
|
Cell label = result.getColumnLatestCell(LABELS_TABLE_FAMILY, LABEL_QUALIFIER);
|
||||||
|
Cell userAuth = result.getColumnLatestCell(LABELS_TABLE_FAMILY, user.getBytes());
|
||||||
|
if (Bytes.equals(PRIVATE.getBytes(), 0, PRIVATE.getBytes().length,
|
||||||
|
label.getValueArray(), label.getValueOffset(), label.getValueLength())) {
|
||||||
|
assertNotNull(userAuth);
|
||||||
|
} else {
|
||||||
|
assertNull(userAuth);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} finally {
|
||||||
|
if (ht != null) {
|
||||||
|
ht.close();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
} finally {
|
|
||||||
if (ht != null) {
|
|
||||||
ht.close();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
GetAuthsResponse authsResponse = VisibilityClient.getAuths(conf, user);
|
GetAuthsResponse authsResponse = null;
|
||||||
List<String> authsList = new ArrayList<String>();
|
try {
|
||||||
for (ByteString authBS : authsResponse.getAuthList()) {
|
authsResponse = VisibilityClient.getAuths(conf, user);
|
||||||
authsList.add(Bytes.toString(authBS.toByteArray()));
|
} catch (Throwable e) {
|
||||||
}
|
fail("Should not have failed");
|
||||||
assertEquals(1, authsList.size());
|
}
|
||||||
assertTrue(authsList.contains(PRIVATE));
|
List<String> authsList = new ArrayList<String>();
|
||||||
|
for (ByteString authBS : authsResponse.getAuthList()) {
|
||||||
|
authsList.add(Bytes.toString(authBS.toByteArray()));
|
||||||
|
}
|
||||||
|
assertEquals(1, authsList.size());
|
||||||
|
assertTrue(authsList.contains(PRIVATE));
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(action);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
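Review bot: In `testSetAndGetUserAuths` the new `catch (Throwable e) { }` around `VisibilityClient.setAuths(conf, auths, user)` in the first `run()` is empty, so a failing setAuths is swallowed and the test only fails later at `assertEquals(2, authsList.size())` with a misleading message; it should `fail("Should not have failed");` as the neighbouring `getAuths` block and `testAddLabels` already do. The same empty catch appears in the second `action` of that test, around the `setAuths(conf, auths1, user)` / `getAuths` pair. Both blocks also drop the exception itself; the `throw new IOException(t)` form used in the hunk at -367 preserves the cause and is preferable where `fail` is not used.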
|
||||||
|
|
|
@ -48,7 +48,6 @@ import org.apache.hadoop.hbase.security.access.AccessController;
|
||||||
import org.apache.hadoop.hbase.security.access.Permission;
|
import org.apache.hadoop.hbase.security.access.Permission;
|
||||||
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
|
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
|
||||||
import org.apache.hadoop.hbase.util.Bytes;
|
import org.apache.hadoop.hbase.util.Bytes;
|
||||||
|
|
||||||
import org.junit.AfterClass;
|
import org.junit.AfterClass;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
|
@ -75,7 +74,8 @@ public class TestVisibilityLabelsWithACL {
|
||||||
@Rule
|
@Rule
|
||||||
public final TestName TEST_NAME = new TestName();
|
public final TestName TEST_NAME = new TestName();
|
||||||
private static User SUPERUSER;
|
private static User SUPERUSER;
|
||||||
private static User NORMAL_USER;
|
private static User NORMAL_USER1;
|
||||||
|
private static User NORMAL_USER2;
|
||||||
|
|
||||||
@BeforeClass
|
@BeforeClass
|
||||||
public static void setupBeforeClass() throws Exception {
|
public static void setupBeforeClass() throws Exception {
|
||||||
|
@ -95,7 +95,8 @@ public class TestVisibilityLabelsWithACL {
|
||||||
|
|
||||||
// Create users for testing
|
// Create users for testing
|
||||||
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
||||||
NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
|
NORMAL_USER1 = User.createUserForTesting(conf, "user1", new String[] {});
|
||||||
|
NORMAL_USER2 = User.createUserForTesting(conf, "user2", new String[] {});
|
||||||
// Grant NORMAL_USER EXEC privilege on the labels table. For the purposes of this
|
// Grant NORMAL_USER EXEC privilege on the labels table. For the purposes of this
|
||||||
// test, we want to insure that access is denied even with the ability to access
|
// test, we want to insure that access is denied even with the ability to access
|
||||||
// the endpoint.
|
// the endpoint.
|
||||||
|
@ -104,8 +105,10 @@ public class TestVisibilityLabelsWithACL {
|
||||||
BlockingRpcChannel service = acl.coprocessorService(LABELS_TABLE_NAME.getName());
|
BlockingRpcChannel service = acl.coprocessorService(LABELS_TABLE_NAME.getName());
|
||||||
AccessControlService.BlockingInterface protocol =
|
AccessControlService.BlockingInterface protocol =
|
||||||
AccessControlService.newBlockingStub(service);
|
AccessControlService.newBlockingStub(service);
|
||||||
ProtobufUtil.grant(protocol, NORMAL_USER.getShortName(), LABELS_TABLE_NAME, null, null,
|
ProtobufUtil.grant(protocol, NORMAL_USER1.getShortName(), LABELS_TABLE_NAME, null, null,
|
||||||
Permission.Action.EXEC);
|
Permission.Action.EXEC);
|
||||||
|
ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), LABELS_TABLE_NAME, null, null,
|
||||||
|
Permission.Action.EXEC);
|
||||||
} finally {
|
} finally {
|
||||||
acl.close();
|
acl.close();
|
||||||
}
|
}
|
||||||
|
@ -119,11 +122,21 @@ public class TestVisibilityLabelsWithACL {
|
||||||
@Test
|
@Test
|
||||||
public void testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations() throws Throwable {
|
public void testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations() throws Throwable {
|
||||||
String[] auths = { SECRET };
|
String[] auths = { SECRET };
|
||||||
String user = "admin";
|
String user = "user2";
|
||||||
VisibilityClient.setAuths(conf, auths, user);
|
VisibilityClient.setAuths(conf, auths, user);
|
||||||
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
||||||
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL
|
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL
|
||||||
+ "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
|
+ "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
|
||||||
|
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||||
|
try {
|
||||||
|
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
|
||||||
|
AccessControlService.BlockingInterface protocol = AccessControlService
|
||||||
|
.newBlockingStub(service);
|
||||||
|
ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), tableName, null, null,
|
||||||
|
Permission.Action.READ);
|
||||||
|
} finally {
|
||||||
|
acl.close();
|
||||||
|
}
|
||||||
PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() {
|
PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() {
|
||||||
public Void run() throws Exception {
|
public Void run() throws Exception {
|
||||||
Scan s = new Scan();
|
Scan s = new Scan();
|
||||||
|
@ -142,6 +155,57 @@ public class TestVisibilityLabelsWithACL {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
NORMAL_USER2.runAs(scanAction);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testScanForSuperUserWithFewerLabelAuths() throws Throwable {
|
||||||
|
String[] auths = { SECRET };
|
||||||
|
String user = "admin";
|
||||||
|
VisibilityClient.setAuths(conf, auths, user);
|
||||||
|
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
||||||
|
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL
|
||||||
|
+ "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
|
||||||
|
PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() {
|
||||||
|
public Void run() throws Exception {
|
||||||
|
Scan s = new Scan();
|
||||||
|
s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
|
||||||
|
HTable t = new HTable(conf, table.getTableName());
|
||||||
|
try {
|
||||||
|
ResultScanner scanner = t.getScanner(s);
|
||||||
|
Result[] result = scanner.next(5);
|
||||||
|
assertTrue(result.length == 2);
|
||||||
|
} finally {
|
||||||
|
t.close();
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
SUPERUSER.runAs(scanAction);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testGetForSuperUserWithFewerLabelAuths() throws Throwable {
|
||||||
|
String[] auths = { SECRET };
|
||||||
|
String user = "admin";
|
||||||
|
VisibilityClient.setAuths(conf, auths, user);
|
||||||
|
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
||||||
|
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL
|
||||||
|
+ "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
|
||||||
|
PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() {
|
||||||
|
public Void run() throws Exception {
|
||||||
|
Get g = new Get(row1);
|
||||||
|
g.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
|
||||||
|
HTable t = new HTable(conf, table.getTableName());
|
||||||
|
try {
|
||||||
|
Result result = t.get(g);
|
||||||
|
assertTrue(!result.isEmpty());
|
||||||
|
} finally {
|
||||||
|
t.close();
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
SUPERUSER.runAs(scanAction);
|
SUPERUSER.runAs(scanAction);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -153,7 +217,20 @@ public class TestVisibilityLabelsWithACL {
|
||||||
VisibilityClient.setAuths(conf, auths, "user1");
|
VisibilityClient.setAuths(conf, auths, "user1");
|
||||||
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
||||||
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET);
|
final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET);
|
||||||
PrivilegedExceptionAction<Void> getAction = new PrivilegedExceptionAction<Void>() {
|
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||||
|
try {
|
||||||
|
BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
|
||||||
|
AccessControlService.BlockingInterface protocol = AccessControlService
|
||||||
|
.newBlockingStub(service);
|
||||||
|
ProtobufUtil.grant(protocol, NORMAL_USER1.getShortName(), tableName, null, null,
|
||||||
|
Permission.Action.READ);
|
||||||
|
ProtobufUtil.grant(protocol, NORMAL_USER2.getShortName(), tableName, null, null,
|
||||||
|
Permission.Action.READ);
|
||||||
|
} finally {
|
||||||
|
acl.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
PrivilegedExceptionAction<Void> getAction = new PrivilegedExceptionAction<Void>() {
|
||||||
public Void run() throws Exception {
|
public Void run() throws Exception {
|
||||||
Get g = new Get(row1);
|
Get g = new Get(row1);
|
||||||
g.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
|
g.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
|
||||||
|
@ -167,7 +244,7 @@ public class TestVisibilityLabelsWithACL {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
SUPERUSER.runAs(getAction);
|
NORMAL_USER2.runAs(getAction);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -182,7 +259,7 @@ public class TestVisibilityLabelsWithACL {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
VisibilityLabelsResponse response = NORMAL_USER.runAs(action);
|
VisibilityLabelsResponse response = NORMAL_USER1.runAs(action);
|
||||||
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
||||||
.getResult(0).getException().getName());
|
.getResult(0).getException().getName());
|
||||||
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
||||||
|
@ -197,7 +274,7 @@ public class TestVisibilityLabelsWithACL {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
response = NORMAL_USER.runAs(action);
|
response = NORMAL_USER1.runAs(action);
|
||||||
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
||||||
.getResult(0).getException().getName());
|
.getResult(0).getException().getName());
|
||||||
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
|
||||||
|
@ -225,7 +302,7 @@ public class TestVisibilityLabelsWithACL {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
response = NORMAL_USER.runAs(action);
|
response = NORMAL_USER1.runAs(action);
|
||||||
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0)
|
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0)
|
||||||
.getException().getName());
|
.getException().getName());
|
||||||
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1)
|
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1)
|
||||||
|
@ -235,18 +312,18 @@ public class TestVisibilityLabelsWithACL {
|
||||||
assertTrue(response.getResult(0).getException().getValue().isEmpty());
|
assertTrue(response.getResult(0).getException().getValue().isEmpty());
|
||||||
assertTrue(response.getResult(1).getException().getValue().isEmpty());
|
assertTrue(response.getResult(1).getException().getValue().isEmpty());
|
||||||
|
|
||||||
VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user2");
|
VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user3");
|
||||||
PrivilegedExceptionAction<GetAuthsResponse> action1 =
|
PrivilegedExceptionAction<GetAuthsResponse> action1 =
|
||||||
new PrivilegedExceptionAction<GetAuthsResponse>() {
|
new PrivilegedExceptionAction<GetAuthsResponse>() {
|
||||||
public GetAuthsResponse run() throws Exception {
|
public GetAuthsResponse run() throws Exception {
|
||||||
try {
|
try {
|
||||||
return VisibilityClient.getAuths(conf, "user2");
|
return VisibilityClient.getAuths(conf, "user3");
|
||||||
} catch (Throwable e) {
|
} catch (Throwable e) {
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
|
GetAuthsResponse authsResponse = NORMAL_USER1.runAs(action1);
|
||||||
assertNull(authsResponse);
|
assertNull(authsResponse);
|
||||||
authsResponse = SUPERUSER.runAs(action1);
|
authsResponse = SUPERUSER.runAs(action1);
|
||||||
List<String> authsList = new ArrayList<String>();
|
List<String> authsList = new ArrayList<String>();
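Review bot: In `testScanForSuperUserWithFewerLabelAuths` the `ResultScanner scanner = t.getScanner(s);` is never closed; only the table is closed in the `finally`, so the scanner should be closed there too, `try { ... } finally { scanner.close(); t.close(); }` or a try-with-resources if the file's Java level allows it. `assertTrue(result.length == 2)` loses the actual count on failure; `assertEquals(2, result.length);` is the better form, and since the superuser bypass is the property under test, a one-line comment stating why both rows are expected (the row labelled SECRET&amp;CONFIDENTIAL&amp;!PRIVATE would be hidden from a non-super user holding only SECRET) would make the intent explicit. In `testGetForSuperUserWithFewerLabelAuths` the action is named `scanAction` although it performs a Get; `getAction` matches the naming used elsewhere in the class.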
|
||||||
|
|