HBASE-12346 Scan's default auths behavior under Visibility labels.(Jerry He)
This commit is contained in:
parent
c5690b1be3
commit
83f9f39e2a
|
@ -27,20 +27,21 @@ import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.hbase.security.User;
|
import org.apache.hadoop.hbase.security.User;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is the default implementation for ScanLabelGenerator. It will extract labels passed via
|
* This is an implementation for ScanLabelGenerator.
|
||||||
* Scan#authorizations and cross check against the global auths set for the user. The labels for which
|
* It will extract labels from passed in authorizations and cross check
|
||||||
* user is not authenticated will be dropped even if it is passed via Scan Authorizations.
|
* against the set of predefined authorization labels for given user.
|
||||||
|
* The labels for which the user is not authorized will be dropped.
|
||||||
*/
|
*/
|
||||||
@InterfaceAudience.Private
|
@InterfaceAudience.Private
|
||||||
public class DefaultScanLabelGenerator implements ScanLabelGenerator {
|
public class DefinedSetFilterScanLabelGenerator implements ScanLabelGenerator {
|
||||||
|
|
||||||
private static final Log LOG = LogFactory.getLog(DefaultScanLabelGenerator.class);
|
private static final Log LOG = LogFactory.getLog(DefinedSetFilterScanLabelGenerator.class);
|
||||||
|
|
||||||
private Configuration conf;
|
private Configuration conf;
|
||||||
|
|
||||||
private VisibilityLabelsCache labelsCache;
|
private VisibilityLabelsCache labelsCache;
|
||||||
|
|
||||||
public DefaultScanLabelGenerator() {
|
public DefinedSetFilterScanLabelGenerator() {
|
||||||
this.labelsCache = VisibilityLabelsCache.get();
|
this.labelsCache = VisibilityLabelsCache.get();
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.hbase.security.visibility;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.apache.hadoop.hbase.classification.InterfaceAudience;
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.hbase.security.User;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If the passed in authorization is null, then this ScanLabelGenerator
|
||||||
|
* feeds the set of predefined authorization labels for the given user. That is
|
||||||
|
* the set defined by the admin using the VisibilityClient admin interface
|
||||||
|
* or the set_auths shell command.
|
||||||
|
* Otherwise the passed in authorization labels are returned with no change.
|
||||||
|
*
|
||||||
|
* Note: This SLG should not be used alone because it does not check
|
||||||
|
* the passed in authorization labels against what the user is authorized for.
|
||||||
|
*/
|
||||||
|
@InterfaceAudience.Private
|
||||||
|
public class FeedUserAuthScanLabelGenerator implements ScanLabelGenerator {
|
||||||
|
|
||||||
|
private static final Log LOG = LogFactory.getLog(FeedUserAuthScanLabelGenerator.class);
|
||||||
|
|
||||||
|
private Configuration conf;
|
||||||
|
private VisibilityLabelsCache labelsCache;
|
||||||
|
|
||||||
|
public FeedUserAuthScanLabelGenerator() {
|
||||||
|
this.labelsCache = VisibilityLabelsCache.get();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setConf(Configuration conf) {
|
||||||
|
this.conf = conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Configuration getConf() {
|
||||||
|
return this.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> getLabels(User user, Authorizations authorizations) {
|
||||||
|
if (authorizations == null || authorizations.getLabels() == null
|
||||||
|
|| authorizations.getLabels().isEmpty()) {
|
||||||
|
String userName = user.getShortName();
|
||||||
|
return this.labelsCache.getAuths(userName);
|
||||||
|
}
|
||||||
|
return authorizations.getLabels();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -188,10 +188,17 @@ public class VisibilityUtils {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// If the conf is not configured by default we need to have one SLG to be used
|
// If no SLG is specified in conf, by default we'll add two SLGs
|
||||||
// ie. DefaultScanLabelGenerator
|
// 1. FeedUserAuthScanLabelGenerator
|
||||||
|
// 2. DefinedSetFilterScanLabelGenerator
|
||||||
|
// This stacking will achieve the following default behavior:
|
||||||
|
// 1. If there is no Auths in the scan, we will obtain the global defined set for the user
|
||||||
|
// from the labels table.
|
||||||
|
// 2. If there is Auths in the scan, we will examine the passed in Auths and filter out the
|
||||||
|
// labels that the user is not entitled to. Then use the resulting label set.
|
||||||
if (slgs.isEmpty()) {
|
if (slgs.isEmpty()) {
|
||||||
slgs.add(ReflectionUtils.newInstance(DefaultScanLabelGenerator.class, conf));
|
slgs.add(ReflectionUtils.newInstance(FeedUserAuthScanLabelGenerator.class, conf));
|
||||||
|
slgs.add(ReflectionUtils.newInstance(DefinedSetFilterScanLabelGenerator.class, conf));
|
||||||
}
|
}
|
||||||
return slgs;
|
return slgs;
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,210 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.hbase.security.visibility;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
|
||||||
|
import static org.junit.Assert.assertFalse;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
|
import static org.junit.Assert.assertNull;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.PrivilegedExceptionAction;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.hbase.Cell;
|
||||||
|
import org.apache.hadoop.hbase.CellScanner;
|
||||||
|
import org.apache.hadoop.hbase.HBaseTestingUtility;
|
||||||
|
import org.apache.hadoop.hbase.HConstants;
|
||||||
|
import org.apache.hadoop.hbase.TableName;
|
||||||
|
import org.apache.hadoop.hbase.client.Get;
|
||||||
|
import org.apache.hadoop.hbase.client.HTable;
|
||||||
|
import org.apache.hadoop.hbase.client.Put;
|
||||||
|
import org.apache.hadoop.hbase.client.Result;
|
||||||
|
import org.apache.hadoop.hbase.client.ResultScanner;
|
||||||
|
import org.apache.hadoop.hbase.client.Scan;
|
||||||
|
import org.apache.hadoop.hbase.client.Table;
|
||||||
|
import org.apache.hadoop.hbase.security.User;
|
||||||
|
import org.apache.hadoop.hbase.testclassification.MediumTests;
|
||||||
|
import org.apache.hadoop.hbase.testclassification.SecurityTests;
|
||||||
|
import org.apache.hadoop.hbase.util.Bytes;
|
||||||
|
import org.junit.AfterClass;
|
||||||
|
import org.junit.BeforeClass;
|
||||||
|
import org.junit.Rule;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.experimental.categories.Category;
|
||||||
|
import org.junit.rules.TestName;
|
||||||
|
|
||||||
|
@Category({SecurityTests.class, MediumTests.class})
|
||||||
|
public class TestDefaultScanLabelGeneratorStack {
|
||||||
|
|
||||||
|
public static final String CONFIDENTIAL = "confidential";
|
||||||
|
private static final String SECRET = "secret";
|
||||||
|
public static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
|
||||||
|
private static final byte[] ROW_1 = Bytes.toBytes("row1");
|
||||||
|
private final static byte[] CF = Bytes.toBytes("f");
|
||||||
|
private final static byte[] Q1 = Bytes.toBytes("q1");
|
||||||
|
private final static byte[] Q2 = Bytes.toBytes("q2");
|
||||||
|
private final static byte[] Q3 = Bytes.toBytes("q3");
|
||||||
|
private final static byte[] value1 = Bytes.toBytes("value1");
|
||||||
|
private final static byte[] value2 = Bytes.toBytes("value2");
|
||||||
|
private final static byte[] value3 = Bytes.toBytes("value3");
|
||||||
|
public static Configuration conf;
|
||||||
|
|
||||||
|
@Rule
|
||||||
|
public final TestName TEST_NAME = new TestName();
|
||||||
|
public static User SUPERUSER;
|
||||||
|
public static User TESTUSER;
|
||||||
|
|
||||||
|
@BeforeClass
|
||||||
|
public static void setupBeforeClass() throws Exception {
|
||||||
|
// setup configuration
|
||||||
|
conf = TEST_UTIL.getConfiguration();
|
||||||
|
VisibilityTestUtil.enableVisiblityLabels(conf);
|
||||||
|
// Not setting any SLG class. This means to use the default behavior.
|
||||||
|
conf.set("hbase.superuser", "admin");
|
||||||
|
TEST_UTIL.startMiniCluster(1);
|
||||||
|
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
||||||
|
TESTUSER = User.createUserForTesting(conf, "test", new String[] { });
|
||||||
|
|
||||||
|
// Wait for the labels table to become available
|
||||||
|
TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
|
||||||
|
|
||||||
|
// Set up for the test
|
||||||
|
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
public Void run() throws Exception {
|
||||||
|
try {
|
||||||
|
VisibilityClient.addLabels(conf, new String[] { SECRET, CONFIDENTIAL });
|
||||||
|
VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL }, TESTUSER.getShortName());
|
||||||
|
} catch (Throwable t) {
|
||||||
|
throw new IOException(t);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDefaultScanLabelGeneratorStack() throws Exception {
|
||||||
|
final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
|
||||||
|
|
||||||
|
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
public Void run() throws Exception {
|
||||||
|
Table table = TEST_UTIL.createTable(tableName, CF);
|
||||||
|
try {
|
||||||
|
Put put = new Put(ROW_1);
|
||||||
|
put.add(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
|
||||||
|
put.setCellVisibility(new CellVisibility(SECRET));
|
||||||
|
table.put(put);
|
||||||
|
put = new Put(ROW_1);
|
||||||
|
put.add(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
|
||||||
|
put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
|
||||||
|
table.put(put);
|
||||||
|
put = new Put(ROW_1);
|
||||||
|
put.add(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
|
||||||
|
table.put(put);
|
||||||
|
return null;
|
||||||
|
} finally {
|
||||||
|
table.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
public Void run() throws Exception {
|
||||||
|
Table table = new HTable(conf, tableName);
|
||||||
|
try {
|
||||||
|
// Test scan with no auth attribute
|
||||||
|
Scan s = new Scan();
|
||||||
|
ResultScanner scanner = table.getScanner(s);
|
||||||
|
Result[] next = scanner.next(1);
|
||||||
|
|
||||||
|
assertTrue(next.length == 1);
|
||||||
|
CellScanner cellScanner = next[0].cellScanner();
|
||||||
|
cellScanner.advance();
|
||||||
|
Cell current = cellScanner.current();
|
||||||
|
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||||
|
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
|
||||||
|
current.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||||
|
assertTrue(Bytes.equals(current.getQualifier(), Q2));
|
||||||
|
assertTrue(Bytes.equals(current.getValue(), value2));
|
||||||
|
cellScanner.advance();
|
||||||
|
current = cellScanner.current();
|
||||||
|
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||||
|
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
|
||||||
|
current.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||||
|
assertTrue(Bytes.equals(current.getQualifier(), Q3));
|
||||||
|
assertTrue(Bytes.equals(current.getValue(), value3));
|
||||||
|
|
||||||
|
// Test scan with correct auth attribute for test user
|
||||||
|
Scan s1 = new Scan();
|
||||||
|
// test user is entitled to 'CONFIDENTIAL'.
|
||||||
|
// If we set both labels in the scan, 'SECRET' will be dropped by the SLGs.
|
||||||
|
s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
|
||||||
|
ResultScanner scanner1 = table.getScanner(s1);
|
||||||
|
Result[] next1 = scanner1.next(1);
|
||||||
|
|
||||||
|
assertTrue(next1.length == 1);
|
||||||
|
CellScanner cellScanner1 = next1[0].cellScanner();
|
||||||
|
cellScanner1.advance();
|
||||||
|
Cell current1 = cellScanner1.current();
|
||||||
|
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||||
|
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(),
|
||||||
|
current1.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||||
|
assertTrue(Bytes.equals(current1.getQualifier(), Q2));
|
||||||
|
assertTrue(Bytes.equals(current1.getValue(), value2));
|
||||||
|
cellScanner1.advance();
|
||||||
|
current1 = cellScanner1.current();
|
||||||
|
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
|
||||||
|
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(),
|
||||||
|
current1.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||||
|
assertTrue(Bytes.equals(current1.getQualifier(), Q3));
|
||||||
|
assertTrue(Bytes.equals(current1.getValue(), value3));
|
||||||
|
|
||||||
|
// Test scan with incorrect auth attribute for test user
|
||||||
|
Scan s2 = new Scan();
|
||||||
|
// test user is entitled to 'CONFIDENTIAL'.
|
||||||
|
// If we set 'SECRET', it will be dropped by the SLGs.
|
||||||
|
s2.setAuthorizations(new Authorizations(new String[] { SECRET }));
|
||||||
|
ResultScanner scanner2 = table.getScanner(s2);
|
||||||
|
Result next2 = scanner2.next();
|
||||||
|
CellScanner cellScanner2 = next2.cellScanner();
|
||||||
|
cellScanner2.advance();
|
||||||
|
Cell current2 = cellScanner2.current();
|
||||||
|
// This scan will only see value3 (no label)
|
||||||
|
assertTrue(Bytes.equals(current2.getRowArray(), current2.getRowOffset(),
|
||||||
|
current2.getRowLength(), ROW_1, 0, ROW_1.length));
|
||||||
|
assertTrue(Bytes.equals(current2.getQualifier(), Q3));
|
||||||
|
assertTrue(Bytes.equals(current2.getValue(), value3));
|
||||||
|
|
||||||
|
assertFalse(cellScanner2.advance());
|
||||||
|
|
||||||
|
|
||||||
|
return null;
|
||||||
|
} finally {
|
||||||
|
table.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@AfterClass
|
||||||
|
public static void tearDownAfterClass() throws Exception {
|
||||||
|
TEST_UTIL.shutdownMiniCluster();
|
||||||
|
}
|
||||||
|
}
|
|
@ -68,7 +68,7 @@ public class TestEnforcingScanLabelGenerator {
|
||||||
// setup configuration
|
// setup configuration
|
||||||
conf = TEST_UTIL.getConfiguration();
|
conf = TEST_UTIL.getConfiguration();
|
||||||
VisibilityTestUtil.enableVisiblityLabels(conf);
|
VisibilityTestUtil.enableVisiblityLabels(conf);
|
||||||
String classes = DefaultScanLabelGenerator.class.getCanonicalName() + " , "
|
String classes = DefinedSetFilterScanLabelGenerator.class.getCanonicalName() + " , "
|
||||||
+ EnforcingScanLabelGenerator.class.getCanonicalName();
|
+ EnforcingScanLabelGenerator.class.getCanonicalName();
|
||||||
conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, classes);
|
conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, classes);
|
||||||
conf.set("hbase.superuser", "admin");
|
conf.set("hbase.superuser", "admin");
|
||||||
|
|
Loading…
Reference in New Issue