HBASE-7585. TestAccessController tests should close HTables

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1434846 13f79535-47bb-0310-9956-ffa450edef68
Andrew Kyle Purtell 2013-01-17 18:22:50 +00:00
parent b996b19d8e
commit d82b07dc6d
1 changed files with 422 additions and 161 deletions


@ -151,34 +151,38 @@ public class TestAccessController {
htd.setOwner(USER_OWNER);
admin.createTable(htd);
// initilize access control
HTable meta = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = meta.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0);
RegionCoprocessorHost rcpHost = region.getCoprocessorHost();
RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
Coprocessor.PRIORITY_HIGHEST, 1, conf);
protocol.grant(null, RequestConverter.buildGrantRequest(USER_ADMIN.getShortName(),
// initilize access control
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
protocol.grant(null, RequestConverter.buildGrantRequest(USER_ADMIN.getShortName(),
null, null, null,
AccessControlProtos.Permission.Action.ADMIN,
AccessControlProtos.Permission.Action.CREATE,
AccessControlProtos.Permission.Action.READ,
AccessControlProtos.Permission.Action.WRITE));
protocol.grant(null, RequestConverter.buildGrantRequest(USER_RW.getShortName(),
protocol.grant(null, RequestConverter.buildGrantRequest(USER_RW.getShortName(),
TEST_TABLE, TEST_FAMILY, null,
AccessControlProtos.Permission.Action.READ,
AccessControlProtos.Permission.Action.WRITE));
protocol.grant(null, RequestConverter.buildGrantRequest(USER_RO.getShortName(), TEST_TABLE,
protocol.grant(null, RequestConverter.buildGrantRequest(USER_RO.getShortName(), TEST_TABLE,
TEST_FAMILY, null, AccessControlProtos.Permission.Action.READ));
protocol.grant(null, RequestConverter.buildGrantRequest(USER_CREATE.getShortName(),
protocol.grant(null, RequestConverter.buildGrantRequest(USER_CREATE.getShortName(),
TEST_TABLE, null, null, AccessControlProtos.Permission.Action.CREATE));
} finally {
acl.close();
}
}
@AfterClass
@ -393,8 +397,13 @@ public class TestAccessController {
@Test
public void testMove() throws Exception {
Map<HRegionInfo, ServerName> regions;
HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE);
Map<HRegionInfo, ServerName> regions = table.getRegionLocations();
try {
regions = table.getRegionLocations();
} finally {
table.close();
}
final Map.Entry<HRegionInfo, ServerName> firstRegion = regions.entrySet().iterator().next();
final ServerName server = TEST_UTIL.getHBaseCluster().getRegionServer(0).getServerName();
PrivilegedExceptionAction action = new PrivilegedExceptionAction() {
@ -411,8 +420,13 @@ public class TestAccessController {
@Test
public void testAssign() throws Exception {
Map<HRegionInfo, ServerName> regions;
HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE);
Map<HRegionInfo, ServerName> regions = table.getRegionLocations();
try {
regions = table.getRegionLocations();
} finally {
table.close();
}
final Map.Entry<HRegionInfo, ServerName> firstRegion = regions.entrySet().iterator().next();
PrivilegedExceptionAction action = new PrivilegedExceptionAction() {
@ -429,8 +443,13 @@ public class TestAccessController {
@Test
public void testUnassign() throws Exception {
Map<HRegionInfo, ServerName> regions;
HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE);
Map<HRegionInfo, ServerName> regions = table.getRegionLocations();
try {
regions = table.getRegionLocations();
} finally {
table.close();
}
final Map.Entry<HRegionInfo, ServerName> firstRegion = regions.entrySet().iterator().next();
PrivilegedExceptionAction action = new PrivilegedExceptionAction() {
@ -588,7 +607,11 @@ public class TestAccessController {
Get g = new Get(Bytes.toBytes("random_row"));
g.addFamily(TEST_FAMILY);
HTable t = new HTable(conf, TEST_TABLE);
t.get(g);
try {
t.get(g);
} finally {
t.close();
}
return null;
}
};
@ -601,14 +624,18 @@ public class TestAccessController {
s.addFamily(TEST_FAMILY);
HTable table = new HTable(conf, TEST_TABLE);
ResultScanner scanner = table.getScanner(s);
try {
for (Result r = scanner.next(); r != null; r = scanner.next()) {
// do nothing
ResultScanner scanner = table.getScanner(s);
try {
for (Result r = scanner.next(); r != null; r = scanner.next()) {
// do nothing
}
} catch (IOException e) {
} finally {
scanner.close();
}
} catch (IOException e) {
} finally {
scanner.close();
table.close();
}
return null;
}
@ -625,7 +652,11 @@ public class TestAccessController {
Put p = new Put(Bytes.toBytes("random_row"));
p.add(TEST_FAMILY, Bytes.toBytes("Qualifier"), Bytes.toBytes(1));
HTable t = new HTable(conf, TEST_TABLE);
t.put(p);
try {
t.put(p);
} finally {
t.close();
}
return null;
}
};
@ -637,7 +668,11 @@ public class TestAccessController {
Delete d = new Delete(Bytes.toBytes("random_row"));
d.deleteFamily(TEST_FAMILY);
HTable t = new HTable(conf, TEST_TABLE);
t.delete(d);
try {
t.delete(d);
} finally {
t.close();
}
return null;
}
};
@ -649,7 +684,11 @@ public class TestAccessController {
Increment inc = new Increment(Bytes.toBytes("random_row"));
inc.addColumn(TEST_FAMILY, Bytes.toBytes("Qualifier"), 1);
HTable t = new HTable(conf, TEST_TABLE);
t.increment(inc);
try {
t.increment(inc);
} finally {
t.close();
}
return null;
}
};
@ -663,10 +702,13 @@ public class TestAccessController {
public Object run() throws Exception {
Delete d = new Delete(Bytes.toBytes("random_row"));
d.deleteFamily(TEST_FAMILY);
HTable t = new HTable(conf, TEST_TABLE);
t.checkAndDelete(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"),
Bytes.toBytes("test_value"), d);
try {
t.checkAndDelete(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"),
Bytes.toBytes("test_value"), d);
} finally {
t.close();
}
return null;
}
};
@ -675,11 +717,15 @@ public class TestAccessController {
// action for checkAndPut()
PrivilegedExceptionAction checkAndPut = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTable t = new HTable(conf, TEST_TABLE);
Put p = new Put(Bytes.toBytes("random_row"));
p.add(TEST_FAMILY, Bytes.toBytes("Qualifier"), Bytes.toBytes(1));
t.checkAndPut(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"),
Bytes.toBytes("test_value"), p);
HTable t = new HTable(conf, TEST_TABLE);
try {
t.checkAndPut(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"),
Bytes.toBytes("test_value"), p);
} finally {
t.close();
}
return null;
}
};
@ -770,9 +816,13 @@ public class TestAccessController {
setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx"));
HTable table = new HTable(conf, tableName);
TEST_UTIL.waitTableAvailable(tableName, 30000);
LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf);
loader.doBulkLoad(loadPath, table);
try {
TEST_UTIL.waitTableAvailable(tableName, 30000);
LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf);
loader.doBulkLoad(loadPath, table);
} finally {
table.close();
}
}
public void setPermission(Path dir, FsPermission perm) throws IOException {
@ -795,13 +845,17 @@ public class TestAccessController {
public Object run() throws Exception {
byte[] row = Bytes.toBytes("random_row");
byte[] qualifier = Bytes.toBytes("q");
HTable t = new HTable(conf, TEST_TABLE);
Put put = new Put(row);
put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1));
t.put(put);
Append append = new Append(row);
append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2));
t.append(append);
HTable t = new HTable(conf, TEST_TABLE);
try {
t.put(put);
t.append(append);
} finally {
t.close();
}
return null;
}
};
@ -816,11 +870,15 @@ public class TestAccessController {
PrivilegedExceptionAction grantAction = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE,
TEST_FAMILY, null, Action.READ);
try {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE,
TEST_FAMILY, null, Action.READ);
} finally {
acl.close();
}
return null;
}
};
@ -828,11 +886,15 @@ public class TestAccessController {
PrivilegedExceptionAction revokeAction = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE,
TEST_FAMILY, null, Action.READ);
try {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE,
TEST_FAMILY, null, Action.READ);
} finally {
acl.close();
}
return null;
}
};
@ -840,10 +902,14 @@ public class TestAccessController {
PrivilegedExceptionAction getPermissionsAction = new PrivilegedExceptionAction() {
public Object run() throws Exception {
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol, TEST_TABLE);
try {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.getUserPermissions(protocol, TEST_TABLE);
} finally {
acl.close();
}
return null;
}
};
@ -882,12 +948,6 @@ public class TestAccessController {
User gblUser = User
.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]);
// perms only stored against the first region
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
// prepare actions:
PrivilegedExceptionAction putActionAll = new PrivilegedExceptionAction() {
public Object run() throws Exception {
@ -895,7 +955,11 @@ public class TestAccessController {
p.add(family1, qualifier, Bytes.toBytes("v1"));
p.add(family2, qualifier, Bytes.toBytes("v2"));
HTable t = new HTable(conf, tableName);
t.put(p);
try {
t.put(p);
} finally {
t.close();
}
return null;
}
};
@ -904,7 +968,11 @@ public class TestAccessController {
Put p = new Put(Bytes.toBytes("a"));
p.add(family1, qualifier, Bytes.toBytes("v1"));
HTable t = new HTable(conf, tableName);
t.put(p);
try {
t.put(p);
} finally {
t.close();
}
return null;
}
};
@ -913,7 +981,11 @@ public class TestAccessController {
Put p = new Put(Bytes.toBytes("a"));
p.add(family2, qualifier, Bytes.toBytes("v2"));
HTable t = new HTable(conf, tableName);
t.put(p);
try {
t.put(p);
} finally {
t.close();
}
return null;
}
};
@ -923,7 +995,11 @@ public class TestAccessController {
g.addFamily(family1);
g.addFamily(family2);
HTable t = new HTable(conf, tableName);
t.get(g);
try {
t.get(g);
} finally {
t.close();
}
return null;
}
};
@ -932,7 +1008,11 @@ public class TestAccessController {
Get g = new Get(Bytes.toBytes("random_row"));
g.addFamily(family1);
HTable t = new HTable(conf, tableName);
t.get(g);
try {
t.get(g);
} finally {
t.close();
}
return null;
}
};
@ -941,7 +1021,11 @@ public class TestAccessController {
Get g = new Get(Bytes.toBytes("random_row"));
g.addFamily(family2);
HTable t = new HTable(conf, tableName);
t.get(g);
try {
t.get(g);
} finally {
t.close();
}
return null;
}
};
@ -951,7 +1035,11 @@ public class TestAccessController {
d.deleteFamily(family1);
d.deleteFamily(family2);
HTable t = new HTable(conf, tableName);
t.delete(d);
try {
t.delete(d);
} finally {
t.close();
}
return null;
}
};
@ -960,7 +1048,11 @@ public class TestAccessController {
Delete d = new Delete(Bytes.toBytes("random_row"));
d.deleteFamily(family1);
HTable t = new HTable(conf, tableName);
t.delete(d);
try {
t.delete(d);
} finally {
t.close();
}
return null;
}
};
@ -969,7 +1061,11 @@ public class TestAccessController {
Delete d = new Delete(Bytes.toBytes("random_row"));
d.deleteFamily(family2);
HTable t = new HTable(conf, tableName);
t.delete(d);
try {
t.delete(d);
} finally {
t.close();
}
return null;
}
};
@ -984,10 +1080,18 @@ public class TestAccessController {
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// grant table read permission
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, null, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.READ);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, null, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.READ);
} finally {
acl.close();
}
Thread.sleep(100);
// check
@ -1000,10 +1104,19 @@ public class TestAccessController {
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// grant table write permission
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, null, null, Permission.Action.WRITE);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.WRITE);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, null, null, Permission.Action.WRITE);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.WRITE);
} finally {
acl.close();
}
Thread.sleep(100);
verifyDenied(tblUser, getActionAll, getAction1, getAction2);
@ -1015,10 +1128,19 @@ public class TestAccessController {
verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// revoke table permission
ProtobufUtil.grant(protocol, tblUser.getShortName(), tableName, null, null,
Permission.Action.READ, Permission.Action.WRITE);
ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, null, null);
ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, tblUser.getShortName(), tableName, null, null,
Permission.Action.READ, Permission.Action.WRITE);
ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, null, null);
ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null);
} finally {
acl.close();
}
Thread.sleep(100);
verifyDenied(tblUser, getActionAll, getAction1, getAction2);
@ -1030,10 +1152,18 @@ public class TestAccessController {
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// grant column family read permission
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, family1, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, family1, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.READ);
} finally {
acl.close();
}
Thread.sleep(100);
@ -1048,10 +1178,19 @@ public class TestAccessController {
verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// grant column family write permission
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, family2, null, Permission.Action.WRITE);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.WRITE);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, tblUser.getShortName(),
tableName, family2, null, Permission.Action.WRITE);
ProtobufUtil.grant(protocol, gblUser.getShortName(),
null, null, null, Permission.Action.WRITE);
} finally {
acl.close();
}
Thread.sleep(100);
// READ from family1, WRITE to family2 are allowed
@ -1066,8 +1205,16 @@ public class TestAccessController {
verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
// revoke column family permission
ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, family2, null);
ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, family2, null);
ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null);
} finally {
acl.close();
}
Thread.sleep(100);
@ -1100,7 +1247,6 @@ public class TestAccessController {
// create table
HBaseAdmin admin = TEST_UTIL.getHBaseAdmin();
if (admin.tableExists(tableName)) {
admin.disableTable(tableName);
admin.deleteTable(tableName);
@ -1113,17 +1259,16 @@ public class TestAccessController {
// create temp users
User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
PrivilegedExceptionAction getQualifierAction = new PrivilegedExceptionAction() {
public Object run() throws Exception {
Get g = new Get(Bytes.toBytes("random_row"));
g.addColumn(family1, qualifier);
HTable t = new HTable(conf, tableName);
t.get(g);
try {
t.get(g);
} finally {
t.close();
}
return null;
}
};
@ -1132,7 +1277,11 @@ public class TestAccessController {
Put p = new Put(Bytes.toBytes("random_row"));
p.add(family1, qualifier, Bytes.toBytes("v1"));
HTable t = new HTable(conf, tableName);
t.put(p);
try {
t.put(p);
} finally {
t.close();
}
return null;
}
};
@ -1142,18 +1291,42 @@ public class TestAccessController {
d.deleteColumn(family1, qualifier);
// d.deleteFamily(family1);
HTable t = new HTable(conf, tableName);
t.delete(d);
try {
t.delete(d);
} finally {
t.close();
}
return null;
}
};
ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, null);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, null);
} finally {
acl.close();
}
Thread.sleep(100);
verifyDenied(user, getQualifierAction);
verifyDenied(user, putQualifierAction);
verifyDenied(user, deleteQualifierAction);
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier, Permission.Action.READ);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier, Permission.Action.READ);
} finally {
acl.close();
}
Thread.sleep(100);
verifyAllowed(user, getQualifierAction);
@ -1162,8 +1335,17 @@ public class TestAccessController {
// only grant write permission
// TODO: comment this portion after HBASE-3583
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier, Permission.Action.WRITE);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier, Permission.Action.WRITE);
} finally {
acl.close();
}
Thread.sleep(100);
verifyDenied(user, getQualifierAction);
@ -1171,9 +1353,18 @@ public class TestAccessController {
verifyAllowed(user, deleteQualifierAction);
// grant both read and write permission.
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier,
Permission.Action.READ, Permission.Action.WRITE);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier,
Permission.Action.READ, Permission.Action.WRITE);
} finally {
acl.close();
}
Thread.sleep(100);
verifyAllowed(user, getQualifierAction);
@ -1181,8 +1372,17 @@ public class TestAccessController {
verifyAllowed(user, deleteQualifierAction);
// revoke family level permission won't impact column level.
ProtobufUtil.revoke(protocol, user.getShortName(),
tableName, family1, qualifier);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, user.getShortName(),
tableName, family1, qualifier);
} finally {
acl.close();
}
Thread.sleep(100);
verifyDenied(user, getQualifierAction);
@ -1213,12 +1413,17 @@ public class TestAccessController {
htd.setOwner(USER_OWNER);
admin.createTable(htd);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
List<UserPermission> perms;
List<UserPermission> perms = ProtobufUtil.getUserPermissions(protocol, tableName);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
} finally {
acl.close();
}
UserPermission ownerperm = new UserPermission(
Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values());
@ -1234,9 +1439,17 @@ public class TestAccessController {
hasFoundUserPermission(up, perms));
// grant read permission
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier, Permission.Action.READ);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier, Permission.Action.READ);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
} finally {
acl.close();
}
UserPermission upToVerify = new UserPermission(
userName, tableName, family1, qualifier, Permission.Action.READ);
@ -1249,19 +1462,36 @@ public class TestAccessController {
hasFoundUserPermission(upToVerify, perms));
// grant read+write
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.grant(protocol, user.getShortName(),
tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
} finally {
acl.close();
}
upToVerify = new UserPermission(userName, tableName, family1,
qualifier, Permission.Action.WRITE, Permission.Action.READ);
assertTrue("User should be granted permission: " + upToVerify.toString(),
hasFoundUserPermission(upToVerify, perms));
ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, qualifier,
Permission.Action.WRITE, Permission.Action.READ);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
} finally {
acl.close();
}
assertFalse("User should not be granted permission: " + upToVerify.toString(),
hasFoundUserPermission(upToVerify, perms));
@ -1271,7 +1501,17 @@ public class TestAccessController {
User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {});
htd.setOwner(newOwner);
admin.modifyTable(tableName, htd);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel service = acl.coprocessorService(tableName);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
perms = ProtobufUtil.getUserPermissions(protocol, tableName);
} finally {
acl.close();
}
UserPermission newOwnerperm = new UserPermission(
Bytes.toBytes(newOwner.getName()), tableName, null, Action.values());
assertTrue("New owner should have all permissions on table",
@ -1283,11 +1523,16 @@ public class TestAccessController {
@Test
public void testGlobalPermissionList() throws Exception {
List<UserPermission> perms;
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
List<UserPermission> perms = ProtobufUtil.getUserPermissions(protocol, null);
try {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
perms = ProtobufUtil.getUserPermissions(protocol, null);
} finally {
acl.close();
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
assertTrue("Only user admin has permission on table _acl_ per setup",
@ -1302,25 +1547,27 @@ public class TestAccessController {
}
public void checkGlobalPerms(Permission.Action... actions) throws IOException {
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel);
Permission[] perms = new Permission[actions.length];
for (int i = 0; i < actions.length; i++) {
perms[i] = new Permission(actions[i]);
}
CheckPermissionsRequest.Builder request = CheckPermissionsRequest.newBuilder();
for (Action a : actions) {
request.addPermission(AccessControlProtos.Permission.newBuilder()
.addAction(ProtobufUtil.toPermissionAction(a)).build());
}
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
protocol.checkPermissions(null, request.build());
} catch (ServiceException se) {
ProtobufUtil.toIOException(se);
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel);
try {
protocol.checkPermissions(null, request.build());
} catch (ServiceException se) {
ProtobufUtil.toIOException(se);
}
} finally {
acl.close();
}
}
@ -1335,27 +1582,26 @@ public class TestAccessController {
}
public void checkTablePerms(byte[] table, Permission... perms) throws IOException {
HTable acl = new HTable(conf, table);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0]));
CheckPermissionsRequest.Builder request = CheckPermissionsRequest.newBuilder();
for (Permission p : perms) {
request.addPermission(ProtobufUtil.toPermission(p));
}
HTable acl = new HTable(conf, table);
try {
protocol.checkPermissions(null, request.build());
} catch (ServiceException se) {
ProtobufUtil.toIOException(se);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0]));
try {
protocol.checkPermissions(null, request.build());
} catch (ServiceException se) {
ProtobufUtil.toIOException(se);
}
} finally {
acl.close();
}
}
@Test
public void testCheckPermissions() throws Exception {
final HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel);
// --------------------------------------
// test global permissions
PrivilegedExceptionAction<Void> globalAdmin = new PrivilegedExceptionAction<Void>() {
@ -1389,12 +1635,20 @@ public class TestAccessController {
User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]);
User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]);
ProtobufUtil.grant(protocol, userTable.getShortName(),
TEST_TABLE, null, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, userColumn.getShortName(),
TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, userQualifier.getShortName(),
TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel);
ProtobufUtil.grant(protocol, userTable.getShortName(),
TEST_TABLE, null, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, userColumn.getShortName(),
TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
ProtobufUtil.grant(protocol, userQualifier.getShortName(),
TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
} finally {
acl.close();
}
PrivilegedExceptionAction<Void> tableRead = new PrivilegedExceptionAction<Void>() {
@Override
@ -1479,19 +1733,26 @@ public class TestAccessController {
// --------------------------------------
// check for wrong table region
CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder()
.addPermission(AccessControlProtos.Permission.newBuilder()
.setTable(ByteString.copyFrom(TEST_TABLE))
.addAction(AccessControlProtos.Permission.Action.CREATE)
).build();
acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
CheckPermissionsRequest checkRequest =
CheckPermissionsRequest.newBuilder().addPermission(
AccessControlProtos.Permission.newBuilder()
.setTable(ByteString.copyFrom(TEST_TABLE)).addAction(AccessControlProtos.Permission.Action.CREATE)
).build();
// but ask for TablePermissions for TEST_TABLE
protocol.checkPermissions(null, checkRequest);
fail("this should have thrown CoprocessorException");
} catch (ServiceException ex) {
// expected
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(channel);
try {
// but ask for TablePermissions for TEST_TABLE
protocol.checkPermissions(null, checkRequest);
fail("this should have thrown CoprocessorException");
} catch (ServiceException ex) {
// expected
}
} finally {
acl.close();
}
}
@Test
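Review bot: In checkGlobalPerms and checkTablePerms (hunks `-1302,25 +1547,27` and `-1335,27 +1582,26`), the re-indented `catch (ServiceException se)` block still calls `ProtobufUtil.toIOException(se);` as a bare statement, so unless that helper throws internally (its definition is not on this page) a failed or denied `checkPermissions` call is discarded and the method returns normally. In an access-control test this means a denial can go unnoticed by callers that expect an exception; both methods already declare `throws IOException`, so if the helper returns the converted exception the line should read `throw ProtobufUtil.toIOException(se);`. The scan action in hunk `-601,14 +624,18` has a similar gap: the empty `catch (IOException e) {` around the `scanner.next()` loop hides any I/O failure raised while iterating, and should at least carry a comment such as `// ignored: <reason>` or rethrow. Several of the enclosing methods begin or end outside the visible hunks, so callers of these helpers could not be checked here.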