From ce636701ff16e41e957c21c82356c732e9b2fcfb Mon Sep 17 00:00:00 2001 From: Srikanth Srungarapu Date: Tue, 2 Jun 2015 15:24:59 -0700 Subject: [PATCH] HBASE-13658 Improve the test run time for TestAccessController class (Ashish Singhi) --- .../security/access/TestAccessController.java | 1614 +++++++++-------- 1 file changed, 822 insertions(+), 792 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 75971d67096..3b915541a91 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -38,6 +38,7 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hbase.Coprocessor; import org.apache.hadoop.hbase.CoprocessorEnvironment; +import org.apache.hadoop.hbase.HBaseIOException; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HConstants; @@ -105,14 +106,10 @@ import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.Permission.Action; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.JVMClusterUtil; -import org.apache.hadoop.hbase.util.TestTableName; import org.apache.log4j.Level; import org.apache.log4j.Logger; -import org.junit.After; import org.junit.AfterClass; -import org.junit.Before; import org.junit.BeforeClass; -import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; @@ -136,7 +133,7 @@ public class TestAccessController extends SecureTestUtil { Logger.getLogger(TableAuthManager.class).setLevel(Level.TRACE); } - @Rule public TestTableName TEST_TABLE = new TestTableName(); + private static TableName TEST_TABLE = TableName.valueOf("testtable1"); private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; @@ -175,7 +172,7 @@ public class TestAccessController extends SecureTestUtil { private static MasterCoprocessorEnvironment CP_ENV; private static AccessController ACCESS_CONTROLLER; private static RegionServerCoprocessorEnvironment RSCP_ENV; - private RegionCoprocessorEnvironment RCP_ENV; + private static RegionCoprocessorEnvironment RCP_ENV; @BeforeClass public static void setupBeforeClass() throws Exception { @@ -218,25 +215,24 @@ public class TestAccessController extends SecureTestUtil { USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); systemUserConnection = TEST_UTIL.getConnection(); + setUpTableAndUserPermissions(); } @AfterClass public static void tearDownAfterClass() throws Exception { + cleanUp(); TEST_UTIL.shutdownMiniCluster(); } - @Before - public void setUp() throws Exception { - // Create the test table (owner added to the _acl_ table) - Admin admin = TEST_UTIL.getHBaseAdmin(); - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + private static void setUpTableAndUserPermissions() throws Exception { + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); hcd.setMaxVersions(100); htd.addFamily(hcd); htd.setOwner(USER_OWNER); createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") }); - Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE.getTableName()).get(0); + Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); @@ -250,26 +246,26 @@ public class TestAccessController extends SecureTestUtil { Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RW.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE); // USER_CREATE is USER_RW plus CREATE permissions grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RO.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); @@ -278,21 +274,20 @@ public class TestAccessController extends SecureTestUtil { } } - @After - public void tearDown() throws Exception { + private static void cleanUp() throws Exception { // Clean the _acl_ table try { - deleteTable(TEST_UTIL, TEST_TABLE.getTableName()); + deleteTable(TEST_UTIL, TEST_TABLE); } catch (TableNotFoundException ex) { // Test deleted the table, no problem - LOG.info("Test deleted table " + TEST_TABLE.getTableName()); + LOG.info("Test deleted table " + TEST_TABLE); } // Verify all table/namespace permissions are erased - assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); assertEquals( - 0, - AccessControlLists.getNamespacePermissions(conf, - TEST_TABLE.getTableName().getNamespaceAsString()).size()); + 0, + AccessControlLists.getNamespacePermissions(conf, + TEST_TABLE.getNamespaceAsString()).size()); } @Test @@ -319,11 +314,11 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction modifyTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName())); ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), htd); + TEST_TABLE, htd); return null; } }; @@ -338,7 +333,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; @@ -354,7 +349,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { ACCESS_CONTROLLER .preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -369,8 +364,8 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction action = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(), - hcd); + ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE, + hcd); return null; } }; @@ -387,7 +382,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), hcd); + TEST_TABLE, hcd); return null; } }; @@ -402,7 +397,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), TEST_FAMILY); + TEST_TABLE, TEST_FAMILY); return null; } }; @@ -417,7 +412,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -444,7 +439,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; @@ -456,7 +451,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMove() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -466,7 +461,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preMove(ObserverContext.createAndPrepare(CP_ENV, null), - hri, server, server); + hri, server, server); return null; } }; @@ -478,7 +473,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAssign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -498,7 +493,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testUnassign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -518,7 +513,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testRegionOffline() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -628,21 +623,26 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMergeRegions() throws Exception { - final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE.getTableName()); - assertTrue("not enough regions: " + regions.size(), regions.size() >= 2); + final TableName tname = TableName.valueOf("testMergeRegions"); + createTestTable(tname); + try { + final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(tname); + assertTrue("not enough regions: " + regions.size(), regions.size() >= 2); - AccessTestAction action = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preMerge( - ObserverContext.createAndPrepare(RSCP_ENV, null), - regions.get(0),regions.get(1)); - return null; - } - }; + AccessTestAction action = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preMerge(ObserverContext.createAndPrepare(RSCP_ENV, null), + regions.get(0), regions.get(1)); + return null; + } + }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + } finally { + deleteTable(TEST_UTIL, tname); + } } @Test @@ -693,7 +693,7 @@ public class TestAccessController extends SecureTestUtil { Get g = new Get(TEST_ROW); g.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.get(g); } return null; @@ -709,8 +709,8 @@ public class TestAccessController extends SecureTestUtil { s.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { - ResultScanner scanner = t.getScanner(s); + Table table = conn.getTable(TEST_TABLE)) { + ResultScanner scanner = table.getScanner(s); try { for (Result r = scanner.next(); r != null; r = scanner.next()) { // do nothing @@ -736,7 +736,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.put(p); } return null; @@ -751,7 +751,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.delete(d); } return null; @@ -766,7 +766,7 @@ public class TestAccessController extends SecureTestUtil { Increment inc = new Increment(TEST_ROW); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE);) { t.increment(inc); } return null; @@ -784,7 +784,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE);) { t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), d); } @@ -800,7 +800,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE);) { t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), p); } @@ -812,37 +812,39 @@ public class TestAccessController extends SecureTestUtil { @Test public void testBulkLoad() throws Exception { - FileSystem fs = TEST_UTIL.getTestFileSystem(); - final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); - fs.mkdirs(dir); - //need to make it globally writable - //so users creating HFiles have write permissions - fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx")); + try { + FileSystem fs = TEST_UTIL.getTestFileSystem(); + final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); + fs.mkdirs(dir); + // need to make it globally writable + // so users creating HFiles have write permissions + fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx")); - AccessTestAction bulkLoadAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - int numRows = 3; + AccessTestAction bulkLoadAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + int numRows = 3; - //Making the assumption that the test table won't split between the range - byte[][][] hfileRanges = {{{(byte)0}, {(byte)9}}}; + // Making the assumption that the test table won't split between the range + byte[][][] hfileRanges = { { { (byte) 0 }, { (byte) 9 } } }; - Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); - new BulkLoadHelper(bulkLoadBasePath) - .bulkLoadHFile(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows); + Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); + new BulkLoadHelper(bulkLoadBasePath).bulkLoadHFile(TEST_TABLE, TEST_FAMILY, + TEST_QUALIFIER, hfileRanges, numRows); - return null; - } - }; + return null; + } + }; - // User performing bulk loads must have privilege to read table metadata - // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); - - // Reinit after the bulk upload - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE.getTableName()); + // User performing bulk loads must have privilege to read table metadata + // (ADMIN or CREATE) + verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + } finally { + // Reinit after the bulk upload + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE); + } } public class BulkLoadHelper { @@ -933,7 +935,7 @@ public class TestAccessController extends SecureTestUtil { Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.put(put); t.append(append); } @@ -952,11 +954,11 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); + ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Action.READ); } return null; } @@ -967,11 +969,11 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); + ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Action.READ); } return null; } @@ -981,11 +983,11 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)){ + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); + AccessControlService.newBlockingStub(service); + ProtobufUtil.getUserPermissions(protocol, TEST_TABLE); } return null; } @@ -1007,16 +1009,21 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + try { + verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); - verifyDenied(getGlobalPermissionsAction, USER_CREATE, - USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, + USER_NONE); + } finally { + // Cleanup, Grant the revoked permission back to the user + grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + } } @Test @@ -1036,237 +1043,231 @@ public class TestAccessController extends SecureTestUtil { htd.addFamily(new HColumnDescriptor(family1)); htd.addFamily(new HColumnDescriptor(family2)); createTable(TEST_UTIL, htd); + try { + // create temp users + User tblUser = + User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); + User gblUser = + User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); - // create temp users - User tblUser = User - .createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); - User gblUser = User - .createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); - - // prepare actions: - AccessTestAction putActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family1, qualifier, Bytes.toBytes("v1")); - p.add(family2, qualifier, Bytes.toBytes("v2")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.put(p); + // prepare actions: + AccessTestAction putActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family1, qualifier, Bytes.toBytes("v1")); + p.add(family2, qualifier, Bytes.toBytes("v2")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName);) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction putAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family1, qualifier, Bytes.toBytes("v1")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.put(p); + AccessTestAction putAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family1, qualifier, Bytes.toBytes("v1")); + + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction putAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family2, qualifier, Bytes.toBytes("v2")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.put(p); + AccessTestAction putAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family2, qualifier, Bytes.toBytes("v2")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName);) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction getActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family1); - g.addFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family1); + g.addFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName);) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction getAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family1); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family1); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction getAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family1); - d.deleteFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family1); + d.deleteFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family1); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family1); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - // initial check: - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // initial check: + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant table read permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null, - Permission.Action.READ); + // grant table read permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ); - // check - verifyAllowed(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // check + verifyAllowed(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyAllowed(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyAllowed(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant table write permission while revoking read permissions - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.WRITE); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null, - Permission.Action.WRITE); + // grant table write permission while revoking read permissions + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, + Permission.Action.WRITE); - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyAllowed(tblUser, putActionAll, putAction1, putAction2); - verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyAllowed(tblUser, putActionAll, putAction1, putAction2); + verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyAllowed(gblUser, putActionAll, putAction1, putAction2); - verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyAllowed(gblUser, putActionAll, putAction1, putAction2); + verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // revoke table permissions - revokeGlobal(TEST_UTIL, gblUser.getShortName()); - revokeFromTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null); + // revoke table permissions + revokeGlobal(TEST_UTIL, gblUser.getShortName()); + revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null); - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant column family read permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, family1, null, Permission.Action.READ); + // grant column family read permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family1, null, + Permission.Action.READ); - // Access should be denied for family2 - verifyAllowed(tblUser, getActionAll, getAction1); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // Access should be denied for family2 + verifyAllowed(tblUser, getActionAll, getAction1); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyAllowed(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyAllowed(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant column family write permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.WRITE); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, family2, null, Permission.Action.WRITE); + // grant column family write permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null, + Permission.Action.WRITE); - // READ from family1, WRITE to family2 are allowed - verifyAllowed(tblUser, getActionAll, getAction1); - verifyAllowed(tblUser, putAction2, deleteAction2); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1); - verifyDenied(tblUser, deleteActionAll, deleteAction1); + // READ from family1, WRITE to family2 are allowed + verifyAllowed(tblUser, getActionAll, getAction1); + verifyAllowed(tblUser, putAction2, deleteAction2); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1); + verifyDenied(tblUser, deleteActionAll, deleteAction1); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyAllowed(gblUser, putActionAll, putAction1, putAction2); - verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyAllowed(gblUser, putActionAll, putAction1, putAction2); + verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // revoke column family permission - revokeGlobal(TEST_UTIL, gblUser.getShortName()); - revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); + // revoke column family permission + revokeGlobal(TEST_UTIL, gblUser.getShortName()); + revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); - // Revoke on family2 should not have impact on family1 permissions - verifyAllowed(tblUser, getActionAll, getAction1); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // Revoke on family2 should not have impact on family1 permissions + verifyAllowed(tblUser, getActionAll, getAction1); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - // Should not have access as global permissions are completely revoked - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - - // delete table - deleteTable(TEST_UTIL, tableName); + // Should not have access as global permissions are completely revoked + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + } finally { + // delete table + deleteTable(TEST_UTIL, tableName); + } } private boolean hasFoundUserPermission(UserPermission userPermission, List perms) { @@ -1291,92 +1292,90 @@ public class TestAccessController extends SecureTestUtil { htd.addFamily(new HColumnDescriptor(family2)); createTable(TEST_UTIL, htd); - // create temp users - User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); + try { + // create temp users + User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - AccessTestAction getQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addColumn(family1, qualifier); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addColumn(family1, qualifier); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction putQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(TEST_ROW); - p.add(family1, qualifier, Bytes.toBytes("v1")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.put(p); + AccessTestAction putQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(TEST_ROW); + p.add(family1, qualifier, Bytes.toBytes("v1")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteColumn(family1, qualifier); - // d.deleteFamily(family1); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteColumn(family1, qualifier); + // d.deleteFamily(family1); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); - verifyDenied(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.READ); + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ); - verifyAllowed(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyAllowed(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - // only grant write permission - // TODO: comment this portion after HBASE-3583 - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.WRITE); + // only grant write permission + // TODO: comment this portion after HBASE-3583 + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE); - verifyDenied(user, getQualifierAction); - verifyAllowed(user, putQualifierAction); - verifyAllowed(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyAllowed(user, putQualifierAction); + verifyAllowed(user, deleteQualifierAction); - // grant both read and write permission - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.READ, Permission.Action.WRITE); + // grant both read and write permission + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ, Permission.Action.WRITE); - verifyAllowed(user, getQualifierAction); - verifyAllowed(user, putQualifierAction); - verifyAllowed(user, deleteQualifierAction); + verifyAllowed(user, getQualifierAction); + verifyAllowed(user, putQualifierAction); + verifyAllowed(user, deleteQualifierAction); - // revoke family level permission won't impact column level - revokeFromTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier); + // revoke family level permission won't impact column level + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier); - verifyDenied(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); - - // delete table - deleteTable(TEST_UTIL, tableName); + verifyDenied(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); + } finally { + // delete table + deleteTable(TEST_UTIL, tableName); + } } @Test @@ -1397,117 +1396,117 @@ public class TestAccessController extends SecureTestUtil { htd.addFamily(new HColumnDescriptor(family2)); htd.setOwner(USER_OWNER); createTable(TEST_UTIL, htd); - - List perms; - - Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + List perms; + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission ownerperm = new UserPermission( - Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); - assertTrue("Owner should have all permissions on table", + UserPermission ownerperm = + new UserPermission(Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); + assertTrue("Owner should have all permissions on table", hasFoundUserPermission(ownerperm, perms)); - User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - byte[] userName = Bytes.toBytes(user.getShortName()); + User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); + byte[] userName = Bytes.toBytes(user.getShortName()); - UserPermission up = new UserPermission(userName, - tableName, family1, qualifier, Permission.Action.READ); - assertFalse("User should not be granted permission: " + up.toString(), - hasFoundUserPermission(up, perms)); + UserPermission up = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); + assertFalse("User should not be granted permission: " + up.toString(), + hasFoundUserPermission(up, perms)); - // grant read permission - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, Permission.Action.READ); + // grant read permission + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ); - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission upToVerify = new UserPermission( - userName, tableName, family1, qualifier, Permission.Action.READ); - assertTrue("User should be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); - - upToVerify = new UserPermission( - userName, tableName, family1, qualifier, Permission.Action.WRITE); - assertFalse("User should not be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); - - // grant read+write - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.WRITE, Permission.Action.READ); - - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } - - upToVerify = new UserPermission(userName, tableName, family1, - qualifier, Permission.Action.WRITE, Permission.Action.READ); - assertTrue("User should be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); - - // revoke - revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, - Permission.Action.WRITE, Permission.Action.READ); - - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } - - assertFalse("User should not be granted permission: " + upToVerify.toString(), + UserPermission upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); + assertTrue("User should be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - // disable table before modification - admin.disableTable(tableName); + upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE); + assertFalse("User should not be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); - User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); - htd.setOwner(newOwner); - admin.modifyTable(tableName, htd); + // grant read+write + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission newOwnerperm = new UserPermission( - Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); - assertTrue("New owner should have all permissions on table", + upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE, + Permission.Action.READ); + assertTrue("User should be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); + + // revoke + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); + + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } + + assertFalse("User should not be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); + + // disable table before modification + admin.disableTable(tableName); + + User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); + htd.setOwner(newOwner); + admin.modifyTable(tableName, htd); + + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } + + UserPermission newOwnerperm = + new UserPermission(Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); + assertTrue("New owner should have all permissions on table", hasFoundUserPermission(newOwnerperm, perms)); - - // delete table - deleteTable(TEST_UTIL, tableName); + } finally { + // delete table + deleteTable(TEST_UTIL, tableName); + } } @Test @@ -1525,7 +1524,7 @@ public class TestAccessController extends SecureTestUtil { UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); assertTrue("Only user admin has permission on table _acl_ per setup", - perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); + perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); } /** global operations */ @@ -1571,127 +1570,134 @@ public class TestAccessController extends SecureTestUtil { User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); grantOnTable(TEST_UTIL, userTable.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userColumn.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userQualifier.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); - AccessTestAction tableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), null, null, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction columnRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction qualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction multiQualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] { - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2, - Permission.Action.READ), }); - return null; - } - }; - - AccessTestAction globalAndTableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), - new Permission[] { new Permission(Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), null, (byte[]) null, - Permission.Action.READ), }); - return null; - } - }; - - AccessTestAction noCheck = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[0]); - return null; - } - }; - - verifyAllowed(tableRead, SUPERUSER, userTable); - verifyDenied(tableRead, userColumn, userQualifier); - - verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); - verifyDenied(columnRead, userQualifier); - - verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); - - verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); - verifyDenied(multiQualifierRead, userQualifier); - - verifyAllowed(globalAndTableRead, SUPERUSER); - verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); - - verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); - - // -------------------------------------- - // test family level multiple permissions - AccessTestAction familyReadWrite = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ, Permission.Action.WRITE); - return null; - } - }; - - verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(familyReadWrite, USER_NONE, USER_RO); - - // -------------------------------------- - // check for wrong table region - CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder() - .addPermission(AccessControlProtos.Permission.newBuilder() - .setType(AccessControlProtos.Permission.Type.Table) - .setTablePermission( - AccessControlProtos.TablePermission.newBuilder() - .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) - .addAction(AccessControlProtos.Permission.Action.CREATE)) - ).build(); - Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(channel); + AccessTestAction tableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ); + return null; + } + }; + + AccessTestAction columnRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); + return null; + } + }; + + AccessTestAction qualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + return null; + } + }; + + AccessTestAction multiQualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ), + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q2, Permission.Action.READ), }); + return null; + } + }; + + AccessTestAction globalAndTableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new Permission(Permission.Action.READ), + new TablePermission(TEST_TABLE, null, (byte[]) null, Permission.Action.READ), }); + return null; + } + }; + + AccessTestAction noCheck = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[0]); + return null; + } + }; + + verifyAllowed(tableRead, SUPERUSER, userTable); + verifyDenied(tableRead, userColumn, userQualifier); + + verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); + verifyDenied(columnRead, userQualifier); + + verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); + + verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); + verifyDenied(multiQualifierRead, userQualifier); + + verifyAllowed(globalAndTableRead, SUPERUSER); + verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); + + verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); + + // -------------------------------------- + // test family level multiple permissions + AccessTestAction familyReadWrite = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, + Permission.Action.WRITE); + return null; + } + }; + + verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); + verifyDenied(familyReadWrite, USER_NONE, USER_RO); + + // -------------------------------------- + // check for wrong table region + CheckPermissionsRequest checkRequest = + CheckPermissionsRequest + .newBuilder() + .addPermission( + AccessControlProtos.Permission + .newBuilder() + .setType(AccessControlProtos.Permission.Type.Table) + .setTablePermission( + AccessControlProtos.TablePermission.newBuilder() + .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE)) + .addAction(AccessControlProtos.Permission.Action.CREATE))).build(); + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { - // but ask for TablePermissions for TEST_TABLE - protocol.checkPermissions(null, checkRequest); - fail("this should have thrown CoprocessorException"); - } catch (ServiceException ex) { - // expected + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + try { + // but ask for TablePermissions for TEST_TABLE + protocol.checkPermissions(null, checkRequest); + fail("this should have thrown CoprocessorException"); + } catch (ServiceException ex) { + // expected + } + } finally { + acl.close(); } + } finally { - acl.close(); + revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, + Permission.Action.READ); } } @@ -1754,10 +1760,10 @@ public class TestAccessController extends SecureTestUtil { @Test public void testSnapshot() throws Exception { Admin admin = TEST_UTIL.getHBaseAdmin(); - final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName()); + final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE); SnapshotDescription.Builder builder = SnapshotDescription.newBuilder(); - builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot"); - builder.setTable(TEST_TABLE.getTableName().getNameAsString()); + builder.setName(TEST_TABLE.getNameAsString() + "-snapshot"); + builder.setTable(TEST_TABLE.getNameAsString()); final SnapshotDescription snapshot = builder.build(); AccessTestAction snapshotAction = new AccessTestAction() { @Override @@ -1811,10 +1817,10 @@ public class TestAccessController extends SecureTestUtil { @Test public void testSnapshotWithOwner() throws Exception { Admin admin = TEST_UTIL.getHBaseAdmin(); - final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName()); + final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE); SnapshotDescription.Builder builder = SnapshotDescription.newBuilder(); - builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot"); - builder.setTable(TEST_TABLE.getTableName().getNameAsString()); + builder.setName(TEST_TABLE.getNameAsString() + "-snapshot"); + builder.setTable(TEST_TABLE.getNameAsString()); builder.setOwner(USER_OWNER.getName()); final SnapshotDescription snapshot = builder.build(); AccessTestAction snapshotAction = new AccessTestAction() { @@ -1869,15 +1875,6 @@ public class TestAccessController extends SecureTestUtil { LOG.debug("Test for global authorization for a new registered RegionServer."); MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster(); - // Since each RegionServer running on different user, add global - // permissions for the new user. - String currentUser = User.getCurrent().getShortName(); - String activeUserForNewRs = currentUser + ".hfs." + - hbaseCluster.getLiveRegionServerThreads().size(); - grantGlobal(TEST_UTIL, activeUserForNewRs, - Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, - Permission.Action.WRITE); - final Admin admin = TEST_UTIL.getHBaseAdmin(); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); @@ -1941,35 +1938,40 @@ public class TestAccessController extends SecureTestUtil { User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, Permission.Action.ADMIN); - - AccessTestAction listTablesAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = conn.getAdmin()) { - return Arrays.asList(admin.listTables()); + try { + AccessTestAction listTablesAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin()) { + return Arrays.asList(admin.listTables()); + } } - } - }; + }; - AccessTestAction getTableDescAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = conn.getAdmin();) { - return admin.getTableDescriptor(TEST_TABLE.getTableName()); + AccessTestAction getTableDescAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin();) { + return admin.getTableDescriptor(TEST_TABLE); + } } - } - }; + }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + TABLE_ADMIN); + verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + } finally { + // Cleanup, revoke TABLE ADMIN privs + revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, + Permission.Action.ADMIN); + } } @Test @@ -1997,19 +1999,20 @@ public class TestAccessController extends SecureTestUtil { @Test public void testTableDeletion() throws Exception { User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]); + final TableName tname = TableName.valueOf("testTableDeletion"); + createTestTable(tname); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, - Permission.Action.ADMIN); + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tname, null, null, Permission.Action.ADMIN); AccessTestAction deleteTableAction = new AccessTestAction() { @Override public Object run() throws Exception { - Connection unmanagedConnection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Connection unmanagedConnection = + ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = unmanagedConnection.getAdmin(); try { - deleteTable(TEST_UTIL, admin, TEST_TABLE.getTableName()); + deleteTable(TEST_UTIL, admin, tname); } finally { admin.close(); unmanagedConnection.close(); @@ -2022,19 +2025,28 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(deleteTableAction, TABLE_ADMIN); } + private void createTestTable(TableName tname) throws Exception { + HTableDescriptor htd = new HTableDescriptor(tname); + HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); + hcd.setMaxVersions(100); + htd.addFamily(hcd); + htd.setOwner(USER_OWNER); + createTable(TEST_UTIL, htd, new byte[][]{Bytes.toBytes("s")}); + } + @Test public void testNamespaceUserGrant() throws Exception { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); + String namespace = TEST_TABLE.getNamespaceAsString(); // Grant namespace READ to USER_NONE, this should supersede any table permissions grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); @@ -2054,7 +2066,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } @@ -2064,8 +2076,8 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGrantRevoke. try { - grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, + testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } @@ -2075,8 +2087,8 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGrantRevoke. try { - revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, + testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); } @@ -2094,7 +2106,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { return t.get(new Get(TEST_ROW)); } } @@ -2103,26 +2115,30 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getAction, testGlobalGrantRevoke); // Grant table READ permissions to testGlobalGrantRevoke. + String userName = testGlobalGrantRevoke.getShortName(); try { grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, - testGlobalGrantRevoke.getShortName(), Permission.Action.READ); + userName, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } - - // Now testGlobalGrantRevoke should be able to read also - verifyAllowed(getAction, testGlobalGrantRevoke); - - // Revoke table READ permission to testGlobalGrantRevoke. try { - revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, - testGlobalGrantRevoke.getShortName(), Permission.Action.READ); - } catch (Throwable e) { - LOG.error("error during call of AccessControlClient.revoke ", e); - } + // Now testGlobalGrantRevoke should be able to read also + verifyAllowed(getAction, testGlobalGrantRevoke); - // Now testGlobalGrantRevoke shouldn't be able read - verifyDenied(getAction, testGlobalGrantRevoke); + // Revoke table READ permission to testGlobalGrantRevoke. + try { + revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, + userName, Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke ", e); + } + + // Now testGlobalGrantRevoke shouldn't be able read + verifyDenied(getAction, testGlobalGrantRevoke); + } finally { + revokeGlobal(TEST_UTIL, userName, Permission.Action.READ); + } } @Test @@ -2133,7 +2149,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } @@ -2141,27 +2157,32 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getAction, testNS); + String userName = testNS.getShortName(); + String namespace = TEST_TABLE.getNamespaceAsString(); // Grant namespace READ to testNS, this should supersede any table permissions try { - grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, + namespace, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } - - // Now testNS should be able to read also - verifyAllowed(getAction, testNS); - - // Revoke namespace READ to testNS, this should supersede any table permissions try { - revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); - } catch (Throwable e) { - LOG.error("error during call of AccessControlClient.revoke ", e); - } + // Now testNS should be able to read also + verifyAllowed(getAction, testNS); - // Now testNS shouldn't be able read - verifyDenied(getAction, testNS); + // Revoke namespace READ to testNS, this should supersede any table permissions + try { + revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, + namespace, Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke ", e); + } + + // Now testNS shouldn't be able read + verifyDenied(getAction, testNS); + } finally { + revokeFromNamespace(TEST_UTIL, userName, namespace, Permission.Action.READ); + } } @@ -2216,7 +2237,7 @@ public class TestAccessController extends SecureTestUtil { for (JVMClusterUtil.RegionServerThread thread: TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) { HRegionServer rs = thread.getRegionServer(); - for (Region region: rs.getOnlineRegions(TEST_TABLE.getTableName())) { + for (Region region: rs.getOnlineRegions(TEST_TABLE)) { region.getCoprocessorHost().load(PingCoprocessor.class, Coprocessor.PRIORITY_USER, conf); } @@ -2228,32 +2249,37 @@ public class TestAccessController extends SecureTestUtil { User userB = User.createUserForTesting(conf, "UserB", new String[0]); grantOnTable(TEST_UTIL, userA.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.EXEC); - - // Create an action for invoking our test endpoint - AccessTestAction execEndpointAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { - BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); - PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); + try { + // Create an action for invoking our test endpoint + AccessTestAction execEndpointAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE);) { + BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); + PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); + } + return null; } - return null; - } - }; + }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); - // Now grant EXEC to the entire namespace to user B - grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); - // User B should now be allowed also - verifyAllowed(execEndpointAction, userA, userB); + String namespace = TEST_TABLE.getNamespaceAsString(); + // Now grant EXEC to the entire namespace to user B + grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); + // User B should now be allowed also + verifyAllowed(execEndpointAction, userA, userB); - revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); - // Verify that EXEC permission is checked correctly - verifyDenied(execEndpointAction, userB); - verifyAllowed(execEndpointAction, userA); + revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); + // Verify that EXEC permission is checked correctly + verifyDenied(execEndpointAction, userB); + verifyAllowed(execEndpointAction, userA); + } finally { + // Cleanup, revoke the userA privileges + revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, + Permission.Action.EXEC); + } } @Test @@ -2261,16 +2287,14 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction putWithReservedTag = new AccessTestAction() { @Override public Object run() throws Exception { - Table t = new HTable(conf, TEST_TABLE.getTableName()); - try { + try(Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE);) { KeyValue kv = new KeyValue(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, HConstants.LATEST_TIMESTAMP, HConstants.EMPTY_BYTE_ARRAY, new Tag[] { new Tag(AccessControlLists.ACL_TAG_TYPE, ProtobufUtil.toUsersAndPermissions(USER_OWNER.getShortName(), new Permission(Permission.Action.READ)).toByteArray()) }); t.put(new Put(TEST_ROW).add(kv)); - } finally { - t.close(); } return null; } @@ -2282,38 +2306,104 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); } - @Test - public void testGetNamespacePermission() throws Exception { - String namespace = "testGetNamespacePermission"; - NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build(); - createNamespace(TEST_UTIL, desc); - grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); - try { - List namespacePermissions = AccessControlClient.getUserPermissions( - systemUserConnection, AccessControlLists.toNamespaceEntry(namespace)); - assertTrue(namespacePermissions != null); - assertTrue(namespacePermissions.size() == 1); - } catch (Throwable thw) { - throw new HBaseException(thw); - } - deleteNamespace(TEST_UTIL, namespace); - } + @Test + public void testSetQuota() throws Exception { + AccessTestAction setUserQuotaAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), + null, null); + return null; + } + }; + + AccessTestAction setUserTableQuotaAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), null, + TEST_TABLE, null); + return null; + } + }; + + AccessTestAction setUserNamespaceQuotaAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), + null, (String)null, null); + return null; + } + }; + + AccessTestAction setTableQuotaAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preSetTableQuota(ObserverContext.createAndPrepare(CP_ENV, null), + TEST_TABLE, null); + return null; + } + }; + + AccessTestAction setNamespaceQuotaAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preSetNamespaceQuota(ObserverContext.createAndPrepare(CP_ENV, null), + null, null); + return null; + } + }; + + verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN); + verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + + verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + + verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN); + verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, + USER_OWNER); + + verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + + verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN); + verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + } @Test - public void testTruncatePerms() throws Throwable { - List existingPerms = - AccessControlClient.getUserPermissions(systemUserConnection, - TEST_TABLE.getTableName().getNameAsString()); - assertTrue(existingPerms != null); - assertTrue(existingPerms.size() > 1); - try (Admin admin = systemUserConnection.getAdmin()) { - admin.disableTable(TEST_TABLE.getTableName()); - admin.truncateTable(TEST_TABLE.getTableName(), true); + public void testGetNamespacePermission() throws Exception { + String namespace = "testGetNamespacePermission"; + NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build(); + createNamespace(TEST_UTIL, desc); + grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); + try { + List namespacePermissions = AccessControlClient.getUserPermissions( + systemUserConnection, AccessControlLists.toNamespaceEntry(namespace)); + assertTrue(namespacePermissions != null); + assertTrue(namespacePermissions.size() == 1); + } catch (Throwable thw) { + throw new HBaseException(thw); + } + deleteNamespace(TEST_UTIL, namespace); + } + + @Test + public void testTruncatePerms() throws Exception { + try { + List existingPerms = AccessControlClient.getUserPermissions( + systemUserConnection, TEST_TABLE.getNameAsString()); + assertTrue(existingPerms != null); + assertTrue(existingPerms.size() > 1); + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.truncateTable(TEST_TABLE); + TEST_UTIL.waitTableAvailable(TEST_TABLE); + List perms = AccessControlClient.getUserPermissions( + systemUserConnection, TEST_TABLE.getNameAsString()); + assertTrue(perms != null); + assertEquals(existingPerms.size(), perms.size()); + } catch (Throwable e) { + throw new HBaseIOException(e); } - List perms = AccessControlClient.getUserPermissions(systemUserConnection, - TEST_TABLE.getTableName().getNameAsString()); - assertTrue(perms != null); - assertEquals(existingPerms.size(), perms.size()); } private PrivilegedAction> getPrivilegedAction(final String regex) { @@ -2332,20 +2422,21 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAccessControlClientUserPerms() throws Exception { - // adding default prefix explicitly as it is not included in the table name. - assertEquals(NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR, - TEST_TABLE.getTableName().getNamespaceAsString()); - final String regex = NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + - TableName.NAMESPACE_DELIM + TEST_TABLE.getTableName().getNameAsString(); - User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); - assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); - // Grant TABLE ADMIN privs to testUserPerms - grantOnTable(TEST_UTIL, testUserPerms.getShortName(), TEST_TABLE.getTableName(), null, - null, Action.ADMIN); - List perms = testUserPerms.runAs(getPrivilegedAction(regex)); - assertNotNull(perms); - // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each. - assertEquals(6, perms.size()); + TableName tname = TableName.valueOf("testAccessControlClientUserPerms"); + createTestTable(tname); + try { + final String regex = tname.getNameWithNamespaceInclAsString(); + User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); + assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); + // Grant TABLE ADMIN privs to testUserPerms + grantOnTable(TEST_UTIL, testUserPerms.getShortName(), tname, null, null, Action.ADMIN); + List perms = testUserPerms.runAs(getPrivilegedAction(regex)); + assertNotNull(perms); + // Superuser, testUserPerms + assertEquals(2, perms.size()); + } finally { + deleteTable(TEST_UTIL, tname); + } } @Test @@ -2408,14 +2499,16 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction prepareBulkLoadAction = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.prePrepareBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), null); + ACCESS_CONTROLLER.prePrepareBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), + null); return null; } }; AccessTestAction cleanupBulkLoadAction = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preCleanupBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), null); + ACCESS_CONTROLLER.preCleanupBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), + null); return null; } }; @@ -2439,67 +2532,4 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN); verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } - - @Test - public void testSetQuota() throws Exception { - AccessTestAction setUserQuotaAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), - null, null); - return null; - } - }; - - AccessTestAction setUserTableQuotaAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), - null, TEST_TABLE.getTableName(), null); - return null; - } - }; - - AccessTestAction setUserNamespaceQuotaAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), - null, (String)null, null); - return null; - } - }; - - AccessTestAction setTableQuotaAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preSetTableQuota(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), null); - return null; - } - }; - - AccessTestAction setNamespaceQuotaAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preSetNamespaceQuota(ObserverContext.createAndPrepare(CP_ENV, null), - null, null); - return null; - } - }; - - verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - - verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - - verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - - verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - - verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - } }