Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-22084 Rename AccessControlLists to PermissionStorage 

Signed-off-by: Guanghao Zhang <zghao@apache.org>
This commit is contained in:
meiyi 2019-04-10 16:49:11 +08:00 committed by Guanghao Zhang
parent 2bae04fb2b
commit 94d9dc1e84
32 changed files with 210 additions and 220 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
View File

@ -54,8 +54,8 @@ import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTest
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlConstants;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction;
import org.apache.hadoop.hbase.security.visibility.Authorizations;
@ -204,9 +204,9 @@ public class TestSecureExport {
SecureTestUtil.verifyConfiguration(UTIL.getConfiguration());
setUpClusterKdc();
UTIL.startMiniCluster();
UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
UTIL.waitUntilAllRegionsAssigned(VisibilityConstants.LABELS_TABLE_NAME);
UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME, 50000);
UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME, 50000);
UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME, 50000);
SecureTestUtil.grantGlobal(UTIL, USER_ADMIN,
Permission.Action.ADMIN,
@ -249,8 +249,8 @@ public class TestSecureExport {
SecureTestUtil.grantOnTable(UTIL, USER_XO,
TableName.valueOf(exportTable), null, null,
Permission.Action.EXEC);
assertEquals(4, AccessControlLists.getTablePermissions(UTIL.getConfiguration(),
TableName.valueOf(exportTable)).size());
assertEquals(4, PermissionStorage
.getTablePermissions(UTIL.getConfiguration(), TableName.valueOf(exportTable)).size());
AccessTestAction putAction = () -> {
Put p = new Put(ROW1);
p.addColumn(FAMILYA, Bytes.toBytes("qual_0"), NOW, QUAL);

5
hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestMobSecureExportSnapshot.java
View File

@ -20,13 +20,12 @@ package org.apache.hadoop.hbase.snapshot;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.VerySlowRegionServerTests;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Ignore;
import org.junit.experimental.categories.Category;
/**
@ -57,6 +56,6 @@ public class TestMobSecureExportSnapshot extends TestMobExportSnapshot {
TEST_UTIL.startMiniMapReduceCluster();
// Wait for the ACL table to become available
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
}
}

4
hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestSecureExportSnapshot.java
View File

@ -20,7 +20,7 @@ package org.apache.hadoop.hbase.snapshot;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.VerySlowRegionServerTests;
@ -56,6 +56,6 @@ public class TestSecureExportSnapshot extends TestExportSnapshot {
TEST_UTIL.startMiniMapReduceCluster();
// Wait for the ACL table to become available
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
}
}

12
hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
View File

@ -34,9 +34,9 @@ import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AuthManager;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests;
@ -113,7 +113,7 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
rsGroupAdminEndpoint = (RSGroupAdminEndpoint) TEST_UTIL.getMiniHBaseCluster().getMaster().
getMasterCoprocessorHost().findCoprocessor(RSGroupAdminEndpoint.class.getName());
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@ -174,7 +174,7 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(4, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(4, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size());
@ -194,9 +194,9 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(0, AccessControlLists.getNamespacePermissions(conf,
TEST_TABLE.getNamespaceAsString()).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(0,
PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
}
@AfterClass

4
hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/master/MasterStatusTmpl.jamon
View File

@ -52,7 +52,7 @@ org.apache.hadoop.hbase.master.RegionState;
org.apache.hadoop.hbase.master.ServerManager;
org.apache.hadoop.hbase.protobuf.ProtobufUtil;
org.apache.hadoop.hbase.quotas.QuotaUtil;
org.apache.hadoop.hbase.security.access.AccessControlLists;
org.apache.hadoop.hbase.security.access.PermissionStorage;
org.apache.hadoop.hbase.security.visibility.VisibilityConstants;
org.apache.hadoop.hbase.shaded.protobuf.generated.SnapshotProtos.SnapshotDescription;
org.apache.hadoop.hbase.tool.Canary;
@ -444,7 +444,7 @@ AssignmentManager assignmentManager = master.getAssignmentManager();
} else if (tableName.equals(Canary.DEFAULT_WRITE_TABLE_NAME)){
description = "The hbase:canary table is used to sniff the write availbility of"
+ " each regionserver.";
} else if (tableName.equals(AccessControlLists.ACL_TABLE_NAME)){
} else if (tableName.equals(PermissionStorage.ACL_TABLE_NAME)){
description = "The hbase:acl table holds information about acl.";
} else if (tableName.equals(VisibilityConstants.LABELS_TABLE_NAME)){
description = "The hbase:labels table holds information about visibility labels.";

18
hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
View File

@ -102,10 +102,10 @@ import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessChecker;
import org.apache.hadoop.hbase.security.access.AccessChecker.InputUser;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.security.visibility.VisibilityController;
@ -2712,8 +2712,8 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.preGrant(perm, mergeExistingPermissions);
}
try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(getConfiguration(), perm, table,
try (Table table = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.addUserPermission(getConfiguration(), perm, table,
mergeExistingPermissions);
}
if (master.cpHost != null) {
@ -2734,8 +2734,8 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.preRevoke(userPermission);
}
try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.removeUserPermission(master.getConfiguration(), userPermission, table);
try (Table table = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.removeUserPermission(master.getConfiguration(), userPermission, table);
}
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
@ -2765,17 +2765,17 @@ public class MasterRpcServices extends RSRpcServices
List<UserPermission> perms = null;
if (permissionType == Type.Table) {
boolean filter = (cf != null || userName != null) ? true : false;
perms = AccessControlLists.getUserTablePermissions(master.getConfiguration(), table, cf, cq,
perms = PermissionStorage.getUserTablePermissions(master.getConfiguration(), table, cf, cq,
userName, filter);
} else if (permissionType == Type.Namespace) {
perms = AccessControlLists.getUserNamespacePermissions(master.getConfiguration(), namespace,
perms = PermissionStorage.getUserNamespacePermissions(master.getConfiguration(), namespace,
userName, userName != null ? true : false);
} else {
perms = AccessControlLists.getUserPermissions(master.getConfiguration(), null, null, null,
perms = PermissionStorage.getUserPermissions(master.getConfiguration(), null, null, null,
userName, userName != null ? true : false);
// Skip super users when filter user is specified
if (userName == null) {
// Adding superusers explicitly to the result set as AccessControlLists do not store
// Adding superusers explicitly to the result set as PermissionStorage do not store
// them. Also using acl as table name to be inline with the results of global admin and
// will help in avoiding any leakage of information about being superusers.
for (String user : Superusers.getSuperUsers()) {

78
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
View File

@ -244,14 +244,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
private void initialize(RegionCoprocessorEnvironment e) throws IOException {
final Region region = e.getRegion();
Configuration conf = e.getConfiguration();
Map<byte[], ListMultimap<String, UserPermission>> tables = AccessControlLists.loadAll(region);
Map<byte[], ListMultimap<String, UserPermission>> tables = PermissionStorage.loadAll(region);
// For each table, write out the table's permissions to the respective
// znode for that table.
for (Map.Entry<byte[], ListMultimap<String, UserPermission>> t:
tables.entrySet()) {
byte[] entry = t.getKey();
ListMultimap<String, UserPermission> perms = t.getValue();
byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
byte[] serialized = PermissionStorage.writePermissionsAsBytes(perms, conf);
getAuthManager().getZKPermissionWatcher().writeToZookeeper(entry, serialized);
}
initialized = true;
@ -268,7 +268,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for (Map.Entry<byte[], List<Cell>> f : familyMap.entrySet()) {
List<Cell> cells = f.getValue();
for (Cell cell: cells) {
if (CellUtil.matchingFamily(cell, AccessControlLists.ACL_LIST_FAMILY)) {
if (CellUtil.matchingFamily(cell, PermissionStorage.ACL_LIST_FAMILY)) {
entries.add(CellUtil.cloneRow(cell));
}
}
@ -283,12 +283,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
// to and fro conversion overhead. get req is converted to PB req
// and results are converted to PB results 1st and then to POJOs
// again. We could have avoided such at least in ACL table context..
try (Table t = e.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
try (Table t = e.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
for (byte[] entry : entries) {
currentEntry = entry;
ListMultimap<String, UserPermission> perms =
AccessControlLists.getPermissions(conf, entry, t, null, null, null, false);
byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
PermissionStorage.getPermissions(conf, entry, t, null, null, null, false);
byte[] serialized = PermissionStorage.writePermissionsAsBytes(perms, conf);
zkw.writeToZookeeper(entry, serialized);
}
} catch(IOException ex) {
@ -624,7 +624,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for (Cell cell: e.getValue()) {
// Prepend the supplied perms in a new ACL tag to an update list of tags for the cell
List<Tag> tags = new ArrayList<>();
tags.add(new ArrayBackedTag(AccessControlLists.ACL_TAG_TYPE, perms));
tags.add(new ArrayBackedTag(PermissionStorage.ACL_TAG_TYPE, perms));
Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(cell);
while (tagIterator.hasNext()) {
tags.add(tagIterator.next());
@ -656,7 +656,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for (CellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {
Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(cellScanner.current());
while (tagsItr.hasNext()) {
if (tagsItr.next().getType() == AccessControlLists.ACL_TAG_TYPE) {
if (tagsItr.next().getType() == PermissionStorage.ACL_TAG_TYPE) {
throw new AccessDeniedException("Mutation contains cell with reserved type tag");
}
}
@ -786,12 +786,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
// creating acl table, getting delayed and by that time another table creation got over and
// this hook is getting called. In such a case, we will need a wait logic here which will
// wait till the acl table is created.
if (AccessControlLists.isAclTable(desc)) {
if (PermissionStorage.isAclTable(desc)) {
this.aclTabAvailable = true;
} else {
if (!aclTabAvailable) {
LOG.warn("Not adding owner permission for table " + desc.getTableName() + ". "
+ AccessControlLists.ACL_TABLE_NAME + " is not yet created. "
+ PermissionStorage.ACL_TABLE_NAME + " is not yet created. "
+ getClass().getSimpleName() + " should be configured as the first Coprocessor");
} else {
String owner = desc.getOwnerString();
@ -804,9 +804,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Table table = c.getEnvironment().getConnection().
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
try (Table table =
c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.addUserPermission(c.getEnvironment().getConfiguration(),
userPermission, table);
}
return null;
@ -830,9 +830,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Table table = c.getEnvironment().getConnection().
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.removeTablePermissions(conf, tableName, table);
try (Table table =
c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.removeTablePermissions(conf, tableName, table);
}
return null;
}
@ -851,7 +851,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
@Override
public Void run() throws Exception {
List<UserPermission> acls =
AccessControlLists.getUserTablePermissions(conf, tableName, null, null, null, false);
PermissionStorage.getUserTablePermissions(conf, tableName, null, null, null, false);
if (acls != null) {
tableAcls.put(tableName, acls);
}
@ -870,9 +870,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
List<UserPermission> perms = tableAcls.get(tableName);
if (perms != null) {
for (UserPermission perm : perms) {
try (Table table = ctx.getEnvironment().getConnection().
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(conf, perm, table);
try (Table table =
ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.addUserPermission(conf, perm, table);
}
}
}
@ -903,9 +903,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public Void run() throws Exception {
UserPermission userperm = new UserPermission(owner,
Permission.newBuilder(currentDesc.getTableName()).withActions(Action.values()).build());
try (Table table = c.getEnvironment().getConnection().
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(conf, userperm, table);
try (Table table =
c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.addUserPermission(conf, userperm, table);
}
return null;
}
@ -922,13 +922,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)
throws IOException {
if (Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {
if (Bytes.equals(tableName.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {
// We have to unconditionally disallow disable of the ACL table when we are installed,
// even if not enforcing authorizations. We are still allowing grants and revocations,
// checking permissions and logging audit messages, etc. If the ACL table is not
// available we will fail random actions all over the place.
throw new AccessDeniedException("Not allowed to disable "
+ AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed");
throw new AccessDeniedException("Not allowed to disable " + PermissionStorage.ACL_TABLE_NAME
+ " table with AccessController installed");
}
requirePermission(c, "disableTable",
tableName, null, null, Action.ADMIN, Action.CREATE);
@ -1022,7 +1022,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
if (!admin.tableExists(AccessControlLists.ACL_TABLE_NAME)) {
if (!admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
createACLTable(admin);
} else {
this.aclTabAvailable = true;
@ -1036,7 +1036,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
private static void createACLTable(Admin admin) throws IOException {
/** Table descriptor for ACL table */
ColumnFamilyDescriptor cfd =
ColumnFamilyDescriptorBuilder.newBuilder(AccessControlLists.ACL_LIST_FAMILY).
ColumnFamilyDescriptorBuilder.newBuilder(PermissionStorage.ACL_LIST_FAMILY).
setMaxVersions(1).
setInMemory(true).
setBlockCacheEnabled(true).
@ -1044,7 +1044,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
setBloomFilterType(BloomType.NONE).
setScope(HConstants.REPLICATION_SCOPE_LOCAL).build();
TableDescriptor td =
TableDescriptorBuilder.newBuilder(AccessControlLists.ACL_TABLE_NAME).
TableDescriptorBuilder.newBuilder(PermissionStorage.ACL_TABLE_NAME).
setColumnFamily(cfd).build();
admin.createTable(td);
}
@ -1140,15 +1140,15 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Table table = ctx.getEnvironment().getConnection().
getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.removeNamespacePermissions(conf, namespace, table);
try (Table table =
ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.removeNamespacePermissions(conf, namespace, table);
}
return null;
}
});
getAuthManager().getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");
LOG.info(namespace + " entry deleted in " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
@Override
@ -1253,7 +1253,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
LOG.error("NULL region from RegionCoprocessorEnvironment in postOpen()");
return;
}
if (AccessControlLists.isAclRegion(region)) {
if (PermissionStorage.isAclRegion(region)) {
aclRegion = true;
try {
initialize(env);
@ -1798,7 +1798,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(oldCell);
while (tagIterator.hasNext()) {
Tag tag = tagIterator.next();
if (tag.getType() != AccessControlLists.ACL_TAG_TYPE) {
if (tag.getType() != PermissionStorage.ACL_TAG_TYPE) {
// Not an ACL tag, just carry it through
if (LOG.isTraceEnabled()) {
LOG.trace("Carrying forward tag from " + oldCell + ": type " + tag.getType()
@ -1815,7 +1815,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
byte[] aclBytes = mutation.getACL();
if (aclBytes != null) {
// Yes, use it
tags.add(new ArrayBackedTag(AccessControlLists.ACL_TAG_TYPE, aclBytes));
tags.add(new ArrayBackedTag(PermissionStorage.ACL_TAG_TYPE, aclBytes));
} else {
// No, use what we carried forward
if (perms != null) {
@ -1997,7 +1997,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
} else {
throw new CoprocessorException(AccessController.class, "This method "
+ "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
response = AccessControlProtos.GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
@ -2037,7 +2037,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
} else {
throw new CoprocessorException(AccessController.class, "This method "
+ "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
response = AccessControlProtos.RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
@ -2089,7 +2089,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
} else {
throw new CoprocessorException(AccessController.class, "This method "
+ "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
} catch (IOException ioe) {
// pass exception back up

14
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthManager.java
View File

@ -147,10 +147,9 @@ public final class AuthManager implements Closeable {
public void refreshTableCacheFromWritable(TableName table, byte[] data) throws IOException {
if (data != null && data.length > 0) {
try {
ListMultimap<String, Permission> perms =
AccessControlLists.readPermissions(data, conf);
ListMultimap<String, Permission> perms = PermissionStorage.readPermissions(data, conf);
if (perms != null) {
if (Bytes.equals(table.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {
if (Bytes.equals(table.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {
updateGlobalCache(perms);
} else {
updateTableCache(table, perms);
@ -173,8 +172,7 @@ public final class AuthManager implements Closeable {
public void refreshNamespaceCacheFromWritable(String namespace, byte[] data) throws IOException {
if (data != null && data.length > 0) {
try {
ListMultimap<String, Permission> perms =
AccessControlLists.readPermissions(data, conf);
ListMultimap<String, Permission> perms = PermissionStorage.readPermissions(data, conf);
if (perms != null) {
updateNamespaceCache(namespace, perms);
}
@ -324,7 +322,7 @@ public final class AuthManager implements Closeable {
return false;
}
if (table == null) {
table = AccessControlLists.ACL_TABLE_NAME;
table = PermissionStorage.ACL_TABLE_NAME;
}
if (authorizeUserNamespace(user, table.getNamespaceAsString(), action)) {
return true;
@ -393,7 +391,7 @@ public final class AuthManager implements Closeable {
return false;
}
if (table == null) {
table = AccessControlLists.ACL_TABLE_NAME;
table = PermissionStorage.ACL_TABLE_NAME;
}
if (authorizeUserNamespace(user, table.getNamespaceAsString(), action)) {
return true;
@ -473,7 +471,7 @@ public final class AuthManager implements Closeable {
*/
public boolean authorizeCell(User user, TableName table, Cell cell, Permission.Action action) {
try {
List<Permission> perms = AccessControlLists.getCellPermissionsForUser(user, cell);
List<Permission> perms = PermissionStorage.getCellPermissionsForUser(user, cell);
if (LOG.isTraceEnabled()) {
LOG.trace("Perms for user {} in table {} in cell {}: {}",
user.getShortName(), table, cell, (perms != null ? perms : ""));

56
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java → hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/PermissionStorage.java
View File

@ -63,10 +63,6 @@ import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.security.User;
import org.apache.hbase.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.io.Text;
@ -77,6 +73,11 @@ import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hbase.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
/**
* Maintains lists of permission grants to users and groups to allow for
* authorization checks by {@link AccessController}.
@ -102,7 +103,7 @@ import org.slf4j.LoggerFactory;
* </p>
*/
@InterfaceAudience.Private
public class AccessControlLists {
public final class PermissionStorage {
/** Internal storage table for access control lists */
public static final TableName ACL_TABLE_NAME =
TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
@ -120,7 +121,10 @@ public class AccessControlLists {
* _acl_ table info: column keys */
public static final char ACL_KEY_DELIMITER = ',';
private static final Logger LOG = LoggerFactory.getLogger(AccessControlLists.class);
private static final Logger LOG = LoggerFactory.getLogger(PermissionStorage.class);
private PermissionStorage() {
}
/**
* Stores a new user permission grant in the access control lists table.
@ -177,10 +181,8 @@ public class AccessControlLists {
.setValue(value)
.build());
if (LOG.isDebugEnabled()) {
LOG.debug("Writing permission with rowKey "+
Bytes.toString(rowKey)+" "+
Bytes.toString(key)+": "+Bytes.toStringBinary(value)
);
LOG.debug("Writing permission with rowKey " + Bytes.toString(rowKey) + " "
+ Bytes.toString(key) + ": " + Bytes.toStringBinary(value));
}
try {
t.put(p);
@ -319,8 +321,12 @@ public class AccessControlLists {
table.delete(d);
}
} finally {
if (scanner != null) scanner.close();
if (closeTable) table.close();
if (scanner != null) {
scanner.close();
}
if (closeTable) {
table.close();
}
}
}
@ -396,13 +402,12 @@ public class AccessControlLists {
* Loads all of the permission grants stored in a region of the {@code _acl_}
* table.
*
* @param aclRegion
* @param aclRegion the acl region
* @return a map of the permissions for this table.
* @throws IOException
* @throws IOException if an error occurs
*/
static Map<byte[], ListMultimap<String, UserPermission>> loadAll(Region aclRegion)
throws IOException {
if (!isAclRegion(aclRegion)) {
throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
}
@ -479,7 +484,9 @@ public class AccessControlLists {
allPerms.put(row.getRow(), resultPerms);
}
} finally {
if (scanner != null) scanner.close();
if (scanner != null) {
scanner.close();
}
}
}
}
@ -504,12 +511,14 @@ public class AccessControlLists {
* Reads user permission assignments stored in the <code>l:</code> column family of the first
* table row in <code>_acl_</code>.
* <p>
* See {@link AccessControlLists class documentation} for the key structure used for storage.
* See {@link PermissionStorage class documentation} for the key structure used for storage.
* </p>
*/
static ListMultimap<String, UserPermission> getPermissions(Configuration conf, byte[] entryName,
Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
if (entryName == null) entryName = ACL_GLOBAL_NAME;
if (entryName == null) {
entryName = ACL_GLOBAL_NAME;
}
// for normal user tables, we just read the table row from _acl_
ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
Get get = new Get(entryName);
@ -737,7 +746,8 @@ public class AccessControlLists {
*/
public static byte[] writePermissionsAsBytes(ListMultimap<String, UserPermission> perms,
Configuration conf) {
return ProtobufUtil.prependPBMagic(AccessControlUtil.toUserTablePermissions(perms).toByteArray());
return ProtobufUtil
.prependPBMagic(AccessControlUtil.toUserTablePermissions(perms).toByteArray());
}
// This is part of the old HbaseObjectWritableFor96Migration.
@ -845,8 +855,9 @@ public class AccessControlLists {
}
public static String fromNamespaceEntry(String namespace) {
if(namespace.charAt(0) != NAMESPACE_PREFIX)
if (namespace.charAt(0) != NAMESPACE_PREFIX) {
throw new IllegalArgumentException("Argument is not a valid namespace entry");
}
return namespace.substring(1);
}
@ -882,7 +893,8 @@ public class AccessControlLists {
AccessControlProtos.UsersAndPermissions.Builder builder =
AccessControlProtos.UsersAndPermissions.newBuilder();
if (tag.hasArray()) {
ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(), tag.getValueLength());
ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(),
tag.getValueLength());
} else {
ProtobufUtil.mergeFrom(builder, Tag.cloneValue(tag));
}
@ -894,7 +906,7 @@ public class AccessControlLists {
results.addAll(userPerms);
}
// Are there permissions for any of the groups this user belongs to?
String groupNames[] = user.getGroupNames();
String[] groupNames = user.getGroupNames();
if (groupNames != null) {
for (String group : groupNames) {
List<Permission> groupPerms = kvPerms.get(AuthUtil.toGroupEntry(group));

10
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
View File

@ -146,7 +146,7 @@ public class ZKPermissionWatcher extends ZKListener implements Closeable {
@Override
public void run() {
String table = ZKUtil.getNodeName(path);
if(AccessControlLists.isNamespaceEntry(table)) {
if (PermissionStorage.isNamespaceEntry(table)) {
authManager.removeNamespace(Bytes.toBytes(table));
} else {
authManager.removeTable(TableName.valueOf(table));
@ -245,9 +245,9 @@ public class ZKPermissionWatcher extends ZKListener implements Closeable {
LOG.debug("Updating permissions cache from {} with data {}", entry,
Bytes.toStringBinary(nodeData));
}
if(AccessControlLists.isNamespaceEntry(entry)) {
authManager.refreshNamespaceCacheFromWritable(
AccessControlLists.fromNamespaceEntry(entry), nodeData);
if (PermissionStorage.isNamespaceEntry(entry)) {
authManager.refreshNamespaceCacheFromWritable(PermissionStorage.fromNamespaceEntry(entry),
nodeData);
} else {
authManager.refreshTableCacheFromWritable(TableName.valueOf(entry), nodeData);
}
@ -296,7 +296,7 @@ public class ZKPermissionWatcher extends ZKListener implements Closeable {
*/
public void deleteNamespaceACLNode(final String namespace) {
String zkNode = ZNodePaths.joinZNode(watcher.getZNodePaths().baseZNode, ACL_NODE);
zkNode = ZNodePaths.joinZNode(zkNode, AccessControlLists.NAMESPACE_PREFIX + namespace);
zkNode = ZNodePaths.joinZNode(zkNode, PermissionStorage.NAMESPACE_PREFIX + namespace);
try {
ZKUtil.deleteNode(watcher, zkNode);

6
hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java
View File

@ -33,7 +33,7 @@ import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
@ -418,7 +418,7 @@ public final class SnapshotDescriptionUtils {
public static boolean isSecurityAvailable(Configuration conf) throws IOException {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
try (Admin admin = conn.getAdmin()) {
return admin.tableExists(AccessControlLists.ACL_TABLE_NAME);
return admin.tableExists(PermissionStorage.ACL_TABLE_NAME);
}
}
}
@ -429,7 +429,7 @@ public final class SnapshotDescriptionUtils {
User.runAsLoginUser(new PrivilegedExceptionAction<ListMultimap<String, UserPermission>>() {
@Override
public ListMultimap<String, UserPermission> run() throws Exception {
return AccessControlLists.getTablePermissions(conf,
return PermissionStorage.getTablePermissions(conf,
TableName.valueOf(snapshot.getTable()));
}
});

2
hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
View File

@ -28,11 +28,9 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.MiscTests;
import org.apache.hadoop.hbase.util.Threads;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;

4
hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java
View File

@ -26,9 +26,9 @@ import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlConstants;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.util.Bytes;
import org.junit.AfterClass;
@ -108,7 +108,7 @@ public abstract class SnapshotWithAclTestBase extends SecureTestUtil {
// Enable EXEC permission checking
conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true);
TEST_UTIL.startMiniCluster();
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
MasterCoprocessorHost cpHost =
TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost();
cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);

4
hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAsyncAccessControlAdminApi.java
View File

@ -20,9 +20,9 @@ import java.util.List;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.GetUserPermissionsRequest;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction;
import org.apache.hadoop.hbase.security.access.UserPermission;
@ -48,7 +48,7 @@ public class TestAsyncAccessControlAdminApi extends TestAsyncAdminBase {
public static void setUpBeforeClass() throws Exception {
SecureTestUtil.enableSecurity(TEST_UTIL.getConfiguration());
TEST_UTIL.startMiniCluster(1);
TEST_UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitTableAvailable(PermissionStorage.ACL_TABLE_NAME);
ASYNC_CONN = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get();
}

2
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
View File

@ -808,7 +808,7 @@ public class SecureTestUtil {
}
public static String convertToNamespace(String namespace) {
return AccessControlLists.NAMESPACE_PREFIX + namespace;
return PermissionStorage.NAMESPACE_PREFIX + namespace;
}
public static void checkGlobalPerms(HBaseTestingUtility testUtil, Permission.Action... actions)

2
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
View File

@ -86,7 +86,7 @@ public class TestAccessControlFilter extends SecureTestUtil {
conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);
TEST_UTIL.startMiniCluster();
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME.getName(), 50000);
READER = User.createUserForTesting(conf, "reader", new String[0]);
LIMITED = User.createUserForTesting(conf, "limited", new String[0]);

29
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
View File

@ -245,7 +245,7 @@ public class TestAccessController extends SecureTestUtil {
RSCP_ENV = rsCpHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@ -323,7 +323,7 @@ public class TestAccessController extends SecureTestUtil {
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(5, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
int size = 0;
try {
size = AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString())
@ -344,11 +344,9 @@ public class TestAccessController extends SecureTestUtil {
LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(
0,
AccessControlLists.getNamespacePermissions(conf,
TEST_TABLE.getNamespaceAsString()).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(0,
PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
}
@Test
@ -477,7 +475,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preDisableTable(ObserverContextImpl.createAndPrepare(CP_ENV),
AccessControlLists.ACL_TABLE_NAME);
PermissionStorage.ACL_TABLE_NAME);
return null;
}
};
@ -1204,8 +1202,7 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
conn.getAdmin().getUserPermissions(GetUserPermissionsRequest.newBuilder().build());
}
return null;
@ -1237,7 +1234,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
@ -1252,7 +1249,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
@ -1914,7 +1911,7 @@ public class TestAccessController extends SecureTestUtil {
AccessControlProtos.TablePermission.newBuilder()
.setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE))
.addAction(AccessControlProtos.Permission.Action.CREATE))).build();
Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
Table acl = systemUserConnection.getTable(PermissionStorage.ACL_TABLE_NAME);
try {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
@ -2770,7 +2767,7 @@ public class TestAccessController extends SecureTestUtil {
int expectedAmount, String expectedNamespace) throws HBaseException {
try {
List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
systemUserConnection, AccessControlLists.toNamespaceEntry(namespaceRegexWithoutPrefix));
systemUserConnection, PermissionStorage.toNamespaceEntry(namespaceRegexWithoutPrefix));
assertTrue(namespacePermissions != null);
assertEquals(expectedAmount, namespacePermissions.size());
for (UserPermission namespacePermission : namespacePermissions) {
@ -2862,7 +2859,7 @@ public class TestAccessController extends SecureTestUtil {
createTable(TEST_UTIL, htd);
// Verify that we can read sys-tables
String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
String aclTableName = PermissionStorage.ACL_TABLE_NAME.getNameAsString();
assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
@ -3336,7 +3333,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);

21
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
View File

@ -122,7 +122,7 @@ public class TestAccessController2 extends SecureTestUtil {
verifyConfiguration(conf);
TEST_UTIL.startMiniCluster();
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
TESTGROUP_1_NAME = toGroupEntry(TESTGROUP_1);
TESTGROUP1_USER1 =
@ -146,7 +146,7 @@ public class TestAccessController2 extends SecureTestUtil {
new Put(TEST_ROW_3).addColumn(TEST_FAMILY_2, Q1, value1)));
}
assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size());
assertEquals(1, PermissionStorage.getTablePermissions(conf, tableName).size());
try {
assertEquals(1, AccessControlClient.getUserPermissions(systemUserConnection,
tableName.toString()).size());
@ -173,8 +173,8 @@ public class TestAccessController2 extends SecureTestUtil {
}
deleteNamespace(TEST_UTIL, namespace);
// Verify all table/namespace permissions are erased
assertEquals(0, AccessControlLists.getTablePermissions(conf, tableName).size());
assertEquals(0, AccessControlLists.getNamespacePermissions(conf, namespace).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, tableName).size());
assertEquals(0, PermissionStorage.getNamespacePermissions(conf, namespace).size());
}
@Test
@ -201,9 +201,8 @@ public class TestAccessController2 extends SecureTestUtil {
TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName());
// Verify that owner permissions have been granted to the test user on the
// table just created
List<UserPermission> perms =
AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName())
.get(testUser.getShortName());
List<UserPermission> perms = PermissionStorage
.getTablePermissions(conf, TEST_TABLE.getTableName()).get(testUser.getShortName());
assertNotNull(perms);
assertFalse(perms.isEmpty());
// Should be RWXCA
@ -293,9 +292,9 @@ public class TestAccessController2 extends SecureTestUtil {
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY,
TEST_QUALIFIER, TEST_VALUE));
Table t = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
t.put(new Put(TEST_ROW).addColumn(PermissionStorage.ACL_LIST_FAMILY, TEST_QUALIFIER,
TEST_VALUE));
return null;
} finally {
}
@ -320,7 +319,7 @@ public class TestAccessController2 extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
Table t = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
ResultScanner s = t.getScanner(new Scan());
try {
for (Result r = s.next(); r != null; r = s.next()) {

12
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
View File

@ -168,7 +168,7 @@ public class TestAccessController3 extends SecureTestUtil {
RSCP_ENV = rsHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@ -250,7 +250,7 @@ public class TestAccessController3 extends SecureTestUtil {
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(5, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size());
@ -271,11 +271,9 @@ public class TestAccessController3 extends SecureTestUtil {
LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(
0,
AccessControlLists.getNamespacePermissions(conf,
TEST_TABLE.getNamespaceAsString()).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(0,
PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
}
@Test

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
View File

@ -115,7 +115,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
@ -976,6 +976,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
// Test deleted the table, no problem
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
}

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
View File

@ -118,7 +118,7 @@ public class TestCellACLs extends SecureTestUtil {
rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
@ -460,6 +460,6 @@ public class TestCellACLs extends SecureTestUtil {
// Test deleted the table, no problem
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
}

14
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
View File

@ -156,7 +156,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
UTIL.getConfiguration().setInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 2);
UTIL.startMiniCluster();
// Wait for the ACL table to become available
UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 30 * 1000);
UTIL.waitTableAvailable(PermissionStorage.ACL_TABLE_NAME.getName(), 30 * 1000);
// Find the Access Controller CP. Could be on master or if master is not serving regions, is
// on an arbitrary server.
@ -204,10 +204,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Test
public void testAclTableEntries() throws Exception {
String userTestNamespace = "userTestNsp";
Table acl = UTIL.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME);
Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
try {
ListMultimap<String, UserPermission> perms =
AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
for (Map.Entry<String, UserPermission> entry : perms.entries()) {
LOG.debug(Objects.toString(entry));
}
@ -219,7 +219,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
assertTrue(result != null);
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(7, perms.size());
List<UserPermission> namespacePerms = perms.get(userTestNamespace);
assertTrue(perms.containsKey(userTestNamespace));
@ -233,7 +233,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
Permission.Action.WRITE);
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(6, perms.size());
} finally {
acl.close();
@ -438,7 +438,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
Table acl = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
@ -451,7 +451,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
Table acl = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);

2
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java
View File

@ -153,7 +153,7 @@ public class TestRpcAccessChecks {
TEST_UTIL.startMiniCluster();
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// Assign permissions to groups
SecureTestUtil.grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN),

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
View File

@ -101,7 +101,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
@ -142,7 +142,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
// Test deleted the table, no problem
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
@Test

56
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
View File

@ -101,7 +101,7 @@ public class TestTablePermissions {
UTIL.startMiniCluster();
// Wait for the ACL table to become available
UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
ZKW = new ZKWatcher(UTIL.getConfiguration(),
"TestTablePermissions", ABORTABLE);
@ -119,19 +119,19 @@ public class TestTablePermissions {
public void tearDown() throws Exception {
Configuration conf = UTIL.getConfiguration();
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.removeTablePermissions(conf, TEST_TABLE, table);
AccessControlLists.removeTablePermissions(conf, TEST_TABLE2, table);
AccessControlLists.removeTablePermissions(conf, AccessControlLists.ACL_TABLE_NAME, table);
Table table = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.removeTablePermissions(conf, TEST_TABLE, table);
PermissionStorage.removeTablePermissions(conf, TEST_TABLE2, table);
PermissionStorage.removeTablePermissions(conf, PermissionStorage.ACL_TABLE_NAME, table);
}
}
/**
* The AccessControlLists.addUserPermission may throw exception before closing the table.
* The PermissionStorage.addUserPermission may throw exception before closing the table.
*/
private void addUserPermission(Configuration conf, UserPermission userPerm, Table t) throws IOException {
try {
AccessControlLists.addUserPermission(conf, userPerm, t);
PermissionStorage.addUserPermission(conf, userPerm, t);
} finally {
t.close();
}
@ -146,20 +146,20 @@ public class TestTablePermissions {
new UserPermission("george",
Permission.newBuilder(TEST_TABLE)
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("hubert",
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("humphrey",
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
.withActions(Permission.Action.READ).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
}
// retrieve the same
ListMultimap<String, UserPermission> perms =
AccessControlLists.getTablePermissions(conf, TEST_TABLE);
PermissionStorage.getTablePermissions(conf, TEST_TABLE);
List<UserPermission> userPerms = perms.get("george");
assertNotNull("Should have permissions for george", userPerms);
assertEquals("Should have 1 permission for george", 1, userPerms.size());
@ -213,15 +213,14 @@ public class TestTablePermissions {
// table 2 permissions
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
AccessControlLists.addUserPermission(conf,
Table table = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
PermissionStorage.addUserPermission(conf,
new UserPermission("hubert", Permission.newBuilder(TEST_TABLE2)
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
table);
}
// check full load
Map<byte[], ListMultimap<String, UserPermission>> allPerms =
AccessControlLists.loadAll(conf);
Map<byte[], ListMultimap<String, UserPermission>> allPerms = PermissionStorage.loadAll(conf);
assertEquals("Full permission map should have entries for both test tables",
2, allPerms.size());
@ -253,26 +252,26 @@ public class TestTablePermissions {
addUserPermission(conf,
new UserPermission("albert",
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("betty",
Permission.newBuilder(TEST_TABLE)
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("clark",
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY)
.withActions(Permission.Action.READ).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("dwight",
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
.withActions(Permission.Action.WRITE).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
}
// verify permissions survive changes in table metadata
ListMultimap<String, UserPermission> preperms =
AccessControlLists.getTablePermissions(conf, TEST_TABLE);
PermissionStorage.getTablePermissions(conf, TEST_TABLE);
Table table = UTIL.getConnection().getTable(TEST_TABLE);
table.put(
@ -295,7 +294,7 @@ public class TestTablePermissions {
Thread.sleep(10000);
ListMultimap<String, UserPermission> postperms =
AccessControlLists.getTablePermissions(conf, TEST_TABLE);
PermissionStorage.getTablePermissions(conf, TEST_TABLE);
checkMultimapEqual(preperms, postperms);
}
@ -304,10 +303,10 @@ public class TestTablePermissions {
public void testSerialization() throws Exception {
Configuration conf = UTIL.getConfiguration();
ListMultimap<String, UserPermission> permissions = createPermissions();
byte[] permsData = AccessControlLists.writePermissionsAsBytes(permissions, conf);
byte[] permsData = PermissionStorage.writePermissionsAsBytes(permissions, conf);
ListMultimap<String, UserPermission> copy =
AccessControlLists.readUserPermission(permsData, conf);
PermissionStorage.readUserPermission(permsData, conf);
checkMultimapEqual(permissions, copy);
}
@ -410,21 +409,20 @@ public class TestTablePermissions {
addUserPermission(conf,
new UserPermission("user1", Permission.newBuilder()
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("user2",
Permission.newBuilder().withActions(Permission.Action.CREATE).build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("user3",
Permission.newBuilder()
.withActions(Permission.Action.ADMIN, Permission.Action.READ,
Permission.Action.CREATE)
.build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
}
ListMultimap<String, UserPermission> perms =
AccessControlLists.getTablePermissions(conf, null);
ListMultimap<String, UserPermission> perms = PermissionStorage.getTablePermissions(conf, null);
List<UserPermission> user1Perms = perms.get("user1");
assertEquals("Should have 1 permission for user1", 1, user1Perms.size());
assertEquals("user1 should have WRITE permission",
@ -465,7 +463,7 @@ public class TestTablePermissions {
.withActions(Permission.Action.ADMIN, Permission.Action.READ,
Permission.Action.WRITE)
.build()),
connection.getTable(AccessControlLists.ACL_TABLE_NAME));
connection.getTable(PermissionStorage.ACL_TABLE_NAME));
// make sure the system user still shows as authorized
assertTrue("Failed current user auth check on iter "+i,
authManager.authorizeUserGlobal(currentUser, Permission.Action.ADMIN));

12
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java
View File

@ -155,7 +155,7 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
RSCP_ENV = rsHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@ -219,8 +219,8 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
Permission.Action.READ,
Permission.Action.WRITE);
assertEquals(5, AccessControlLists.getTablePermissions(TEST_UTIL.getConfiguration(),
TEST_TABLE.getTableName()).size());
assertEquals(5, PermissionStorage
.getTablePermissions(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()).size());
}
@After
@ -233,9 +233,9 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
// Verify all table/namespace permissions are erased
assertEquals(0, AccessControlLists.getTablePermissions(TEST_UTIL.getConfiguration(),
TEST_TABLE.getTableName()).size());
assertEquals(0, AccessControlLists.getNamespacePermissions(TEST_UTIL.getConfiguration(),
assertEquals(0, PermissionStorage
.getTablePermissions(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()).size());
assertEquals(0, PermissionStorage.getNamespacePermissions(TEST_UTIL.getConfiguration(),
TEST_TABLE.getTableName().getNamespaceAsString()).size());
}

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java
View File

@ -117,7 +117,7 @@ public class TestZKPermissionWatcher {
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create();
multimap.putAll(george.getShortName(), acl);
byte[] serialized = AccessControlLists.writePermissionsAsBytes(multimap, conf);
byte[] serialized = PermissionStorage.writePermissionsAsBytes(multimap, conf);
AUTH_A.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized);
final long mtimeB = AUTH_B.getMTime();
// Wait for the update to propagate
@ -145,7 +145,7 @@ public class TestZKPermissionWatcher {
Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build()));
final long mtimeA = AUTH_A.getMTime();
multimap.putAll(hubert.getShortName(), acl2);
byte[] serialized2 = AccessControlLists.writePermissionsAsBytes(multimap, conf);
byte[] serialized2 = PermissionStorage.writePermissionsAsBytes(multimap, conf);
AUTH_B.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized2);
// Wait for the update to propagate
UTIL.waitFor(10000, 100, new Predicate<Exception>() {

4
hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java
View File

@ -43,9 +43,9 @@ import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests;
@ -92,7 +92,7 @@ public class TestVisibilityLabelsWithACL {
+ VisibilityController.class.getName());
TEST_UTIL.startMiniCluster(2);
TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);
TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME.getName(), 50000);
// Wait for the labels table to become available
TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
addLabels();

4
hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFiles.java
View File

@ -22,7 +22,7 @@ import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.codec.KeyValueCodecWithTags;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.MiscTests;
@ -62,7 +62,7 @@ public class TestSecureLoadIncrementalHFiles extends TestLoadIncrementalHFiles {
util.startMiniCluster();
// Wait for the ACL table to become available
util.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
util.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
setupNamespace();
}

4
hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFilesSplitRecovery.java
View File

@ -21,7 +21,7 @@ import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.MiscTests;
@ -61,7 +61,7 @@ public class TestSecureLoadIncrementalHFilesSplitRecovery
util.startMiniCluster();
// Wait for the ACL table to become available
util.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
util.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
}
// Disabling this test as it does not work in secure mode

2
hbase-shell/src/main/ruby/hbase/security.rb
View File

@ -202,7 +202,7 @@ module Hbase
# If we are unable to use getSecurityCapabilities, fall back with a check for
# deployment of the ACL table
raise(ArgumentError, 'DISABLED: Security features are not available') unless \
exists?(org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME.getNameAsString)
exists?(org.apache.hadoop.hbase.security.access.PermissionStorage::ACL_TABLE_NAME.getNameAsString)
return
end
raise(ArgumentError, 'DISABLED: Security features are not available') unless \

23
src/main/asciidoc/_chapters/security.adoc
View File

@ -1036,12 +1036,10 @@ public static void grantOnTable(final HBaseTestingUtility util, final String use
SecureTestUtil.updateACLs(util, new Callable<Void>() {
@Override
public Void call() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration());
Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
AccessControlUtil.grant(null, protocol, user, table, family, qualifier, false, actions);
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
connection.getAdmin().grant(new UserPermission(user, Permission.newBuilder(table)
.withFamily(family).withQualifier(qualifier).withActions(actions).build()),
false);
}
return null;
}
@ -1084,16 +1082,9 @@ public static void revokeFromTable(final HBaseTestingUtility util, final String
SecureTestUtil.updateACLs(util, new Callable<Void>() {
@Override
public Void call() throws Exception {
Configuration conf = HBaseConfiguration.create();
Connection connection = ConnectionFactory.createConnection(conf);
Table acl = connection.getTable(util.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, user, table, family, qualifier, actions);
} finally {
acl.close();
try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
connection.getAdmin().revoke(new UserPermission(user, Permission.newBuilder(table)
.withFamily(family).withQualifier(qualifier).withActions(actions).build()));
}
return null;
}