diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 27a6bb98a85..b3c80fa46df 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -151,34 +151,38 @@ public class TestAccessController { htd.setOwner(USER_OWNER); admin.createTable(htd); - // initilize access control - HTable meta = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = meta.coprocessorService(TEST_TABLE); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); - protocol.grant(null, RequestConverter.buildGrantRequest(USER_ADMIN.getShortName(), + // initilize access control + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + + protocol.grant(null, RequestConverter.buildGrantRequest(USER_ADMIN.getShortName(), null, null, null, AccessControlProtos.Permission.Action.ADMIN, AccessControlProtos.Permission.Action.CREATE, AccessControlProtos.Permission.Action.READ, AccessControlProtos.Permission.Action.WRITE)); - protocol.grant(null, RequestConverter.buildGrantRequest(USER_RW.getShortName(), + protocol.grant(null, RequestConverter.buildGrantRequest(USER_RW.getShortName(), TEST_TABLE, TEST_FAMILY, null, AccessControlProtos.Permission.Action.READ, AccessControlProtos.Permission.Action.WRITE)); - protocol.grant(null, RequestConverter.buildGrantRequest(USER_RO.getShortName(), TEST_TABLE, + protocol.grant(null, RequestConverter.buildGrantRequest(USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, AccessControlProtos.Permission.Action.READ)); - protocol.grant(null, RequestConverter.buildGrantRequest(USER_CREATE.getShortName(), + protocol.grant(null, RequestConverter.buildGrantRequest(USER_CREATE.getShortName(), TEST_TABLE, null, null, AccessControlProtos.Permission.Action.CREATE)); + } finally { + acl.close(); + } } @AfterClass @@ -393,8 +397,13 @@ public class TestAccessController { @Test public void testMove() throws Exception { + Map regions; HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); - Map regions = table.getRegionLocations(); + try { + regions = table.getRegionLocations(); + } finally { + table.close(); + } final Map.Entry firstRegion = regions.entrySet().iterator().next(); final ServerName server = TEST_UTIL.getHBaseCluster().getRegionServer(0).getServerName(); PrivilegedExceptionAction action = new PrivilegedExceptionAction() { @@ -411,8 +420,13 @@ public class TestAccessController { @Test public void testAssign() throws Exception { + Map regions; HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); - Map regions = table.getRegionLocations(); + try { + regions = table.getRegionLocations(); + } finally { + table.close(); + } final Map.Entry firstRegion = regions.entrySet().iterator().next(); PrivilegedExceptionAction action = new PrivilegedExceptionAction() { @@ -429,8 +443,13 @@ public class TestAccessController { @Test public void testUnassign() throws Exception { + Map regions; HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); - Map regions = table.getRegionLocations(); + try { + regions = table.getRegionLocations(); + } finally { + table.close(); + } final Map.Entry firstRegion = regions.entrySet().iterator().next(); PrivilegedExceptionAction action = new PrivilegedExceptionAction() { @@ -588,7 +607,11 @@ public class TestAccessController { Get g = new Get(Bytes.toBytes("random_row")); g.addFamily(TEST_FAMILY); HTable t = new HTable(conf, TEST_TABLE); - t.get(g); + try { + t.get(g); + } finally { + t.close(); + } return null; } }; @@ -601,14 +624,18 @@ public class TestAccessController { s.addFamily(TEST_FAMILY); HTable table = new HTable(conf, TEST_TABLE); - ResultScanner scanner = table.getScanner(s); try { - for (Result r = scanner.next(); r != null; r = scanner.next()) { - // do nothing + ResultScanner scanner = table.getScanner(s); + try { + for (Result r = scanner.next(); r != null; r = scanner.next()) { + // do nothing + } + } catch (IOException e) { + } finally { + scanner.close(); } - } catch (IOException e) { } finally { - scanner.close(); + table.close(); } return null; } @@ -625,7 +652,11 @@ public class TestAccessController { Put p = new Put(Bytes.toBytes("random_row")); p.add(TEST_FAMILY, Bytes.toBytes("Qualifier"), Bytes.toBytes(1)); HTable t = new HTable(conf, TEST_TABLE); - t.put(p); + try { + t.put(p); + } finally { + t.close(); + } return null; } }; @@ -637,7 +668,11 @@ public class TestAccessController { Delete d = new Delete(Bytes.toBytes("random_row")); d.deleteFamily(TEST_FAMILY); HTable t = new HTable(conf, TEST_TABLE); - t.delete(d); + try { + t.delete(d); + } finally { + t.close(); + } return null; } }; @@ -649,7 +684,11 @@ public class TestAccessController { Increment inc = new Increment(Bytes.toBytes("random_row")); inc.addColumn(TEST_FAMILY, Bytes.toBytes("Qualifier"), 1); HTable t = new HTable(conf, TEST_TABLE); - t.increment(inc); + try { + t.increment(inc); + } finally { + t.close(); + } return null; } }; @@ -663,10 +702,13 @@ public class TestAccessController { public Object run() throws Exception { Delete d = new Delete(Bytes.toBytes("random_row")); d.deleteFamily(TEST_FAMILY); - HTable t = new HTable(conf, TEST_TABLE); - t.checkAndDelete(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"), - Bytes.toBytes("test_value"), d); + try { + t.checkAndDelete(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"), + Bytes.toBytes("test_value"), d); + } finally { + t.close(); + } return null; } }; @@ -675,11 +717,15 @@ public class TestAccessController { // action for checkAndPut() PrivilegedExceptionAction checkAndPut = new PrivilegedExceptionAction() { public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE); Put p = new Put(Bytes.toBytes("random_row")); p.add(TEST_FAMILY, Bytes.toBytes("Qualifier"), Bytes.toBytes(1)); - t.checkAndPut(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"), - Bytes.toBytes("test_value"), p); + HTable t = new HTable(conf, TEST_TABLE); + try { + t.checkAndPut(Bytes.toBytes("random_row"), TEST_FAMILY, Bytes.toBytes("q"), + Bytes.toBytes("test_value"), p); + } finally { + t.close(); + } return null; } }; @@ -770,9 +816,13 @@ public class TestAccessController { setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx")); HTable table = new HTable(conf, tableName); - TEST_UTIL.waitTableAvailable(tableName, 30000); - LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf); - loader.doBulkLoad(loadPath, table); + try { + TEST_UTIL.waitTableAvailable(tableName, 30000); + LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf); + loader.doBulkLoad(loadPath, table); + } finally { + table.close(); + } } public void setPermission(Path dir, FsPermission perm) throws IOException { @@ -795,13 +845,17 @@ public class TestAccessController { public Object run() throws Exception { byte[] row = Bytes.toBytes("random_row"); byte[] qualifier = Bytes.toBytes("q"); - HTable t = new HTable(conf, TEST_TABLE); Put put = new Put(row); put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1)); - t.put(put); Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); - t.append(append); + HTable t = new HTable(conf, TEST_TABLE); + try { + t.put(put); + t.append(append); + } finally { + t.close(); + } return null; } }; @@ -816,11 +870,15 @@ public class TestAccessController { PrivilegedExceptionAction grantAction = new PrivilegedExceptionAction() { public Object run() throws Exception { HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, - TEST_FAMILY, null, Action.READ); + try { + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, + TEST_FAMILY, null, Action.READ); + } finally { + acl.close(); + } return null; } }; @@ -828,11 +886,15 @@ public class TestAccessController { PrivilegedExceptionAction revokeAction = new PrivilegedExceptionAction() { public Object run() throws Exception { HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, - TEST_FAMILY, null, Action.READ); + try { + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, + TEST_FAMILY, null, Action.READ); + } finally { + acl.close(); + } return null; } }; @@ -840,10 +902,14 @@ public class TestAccessController { PrivilegedExceptionAction getPermissionsAction = new PrivilegedExceptionAction() { public Object run() throws Exception { HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - ProtobufUtil.getUserPermissions(protocol, TEST_TABLE); + try { + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.getUserPermissions(protocol, TEST_TABLE); + } finally { + acl.close(); + } return null; } }; @@ -882,12 +948,6 @@ public class TestAccessController { User gblUser = User .createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); - // perms only stored against the first region - HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(tableName); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - // prepare actions: PrivilegedExceptionAction putActionAll = new PrivilegedExceptionAction() { public Object run() throws Exception { @@ -895,7 +955,11 @@ public class TestAccessController { p.add(family1, qualifier, Bytes.toBytes("v1")); p.add(family2, qualifier, Bytes.toBytes("v2")); HTable t = new HTable(conf, tableName); - t.put(p); + try { + t.put(p); + } finally { + t.close(); + } return null; } }; @@ -904,7 +968,11 @@ public class TestAccessController { Put p = new Put(Bytes.toBytes("a")); p.add(family1, qualifier, Bytes.toBytes("v1")); HTable t = new HTable(conf, tableName); - t.put(p); + try { + t.put(p); + } finally { + t.close(); + } return null; } }; @@ -913,7 +981,11 @@ public class TestAccessController { Put p = new Put(Bytes.toBytes("a")); p.add(family2, qualifier, Bytes.toBytes("v2")); HTable t = new HTable(conf, tableName); - t.put(p); + try { + t.put(p); + } finally { + t.close(); + } return null; } }; @@ -923,7 +995,11 @@ public class TestAccessController { g.addFamily(family1); g.addFamily(family2); HTable t = new HTable(conf, tableName); - t.get(g); + try { + t.get(g); + } finally { + t.close(); + } return null; } }; @@ -932,7 +1008,11 @@ public class TestAccessController { Get g = new Get(Bytes.toBytes("random_row")); g.addFamily(family1); HTable t = new HTable(conf, tableName); - t.get(g); + try { + t.get(g); + } finally { + t.close(); + } return null; } }; @@ -941,7 +1021,11 @@ public class TestAccessController { Get g = new Get(Bytes.toBytes("random_row")); g.addFamily(family2); HTable t = new HTable(conf, tableName); - t.get(g); + try { + t.get(g); + } finally { + t.close(); + } return null; } }; @@ -951,7 +1035,11 @@ public class TestAccessController { d.deleteFamily(family1); d.deleteFamily(family2); HTable t = new HTable(conf, tableName); - t.delete(d); + try { + t.delete(d); + } finally { + t.close(); + } return null; } }; @@ -960,7 +1048,11 @@ public class TestAccessController { Delete d = new Delete(Bytes.toBytes("random_row")); d.deleteFamily(family1); HTable t = new HTable(conf, tableName); - t.delete(d); + try { + t.delete(d); + } finally { + t.close(); + } return null; } }; @@ -969,7 +1061,11 @@ public class TestAccessController { Delete d = new Delete(Bytes.toBytes("random_row")); d.deleteFamily(family2); HTable t = new HTable(conf, tableName); - t.delete(d); + try { + t.delete(d); + } finally { + t.close(); + } return null; } }; @@ -984,10 +1080,18 @@ public class TestAccessController { verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); // grant table read permission - ProtobufUtil.grant(protocol, tblUser.getShortName(), - tableName, null, null, Permission.Action.READ); - ProtobufUtil.grant(protocol, gblUser.getShortName(), - null, null, null, Permission.Action.READ); + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, tblUser.getShortName(), + tableName, null, null, Permission.Action.READ); + ProtobufUtil.grant(protocol, gblUser.getShortName(), + null, null, null, Permission.Action.READ); + } finally { + acl.close(); + } Thread.sleep(100); // check @@ -1000,10 +1104,19 @@ public class TestAccessController { verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); // grant table write permission - ProtobufUtil.grant(protocol, tblUser.getShortName(), - tableName, null, null, Permission.Action.WRITE); - ProtobufUtil.grant(protocol, gblUser.getShortName(), - null, null, null, Permission.Action.WRITE); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, tblUser.getShortName(), + tableName, null, null, Permission.Action.WRITE); + ProtobufUtil.grant(protocol, gblUser.getShortName(), + null, null, null, Permission.Action.WRITE); + } finally { + acl.close(); + } + Thread.sleep(100); verifyDenied(tblUser, getActionAll, getAction1, getAction2); @@ -1015,10 +1128,19 @@ public class TestAccessController { verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); // revoke table permission - ProtobufUtil.grant(protocol, tblUser.getShortName(), tableName, null, null, - Permission.Action.READ, Permission.Action.WRITE); - ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, null, null); - ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, tblUser.getShortName(), tableName, null, null, + Permission.Action.READ, Permission.Action.WRITE); + ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, null, null); + ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null); + } finally { + acl.close(); + } + Thread.sleep(100); verifyDenied(tblUser, getActionAll, getAction1, getAction2); @@ -1030,10 +1152,18 @@ public class TestAccessController { verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); // grant column family read permission - ProtobufUtil.grant(protocol, tblUser.getShortName(), - tableName, family1, null, Permission.Action.READ); - ProtobufUtil.grant(protocol, gblUser.getShortName(), - null, null, null, Permission.Action.READ); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, tblUser.getShortName(), + tableName, family1, null, Permission.Action.READ); + ProtobufUtil.grant(protocol, gblUser.getShortName(), + null, null, null, Permission.Action.READ); + } finally { + acl.close(); + } Thread.sleep(100); @@ -1048,10 +1178,19 @@ public class TestAccessController { verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); // grant column family write permission - ProtobufUtil.grant(protocol, tblUser.getShortName(), - tableName, family2, null, Permission.Action.WRITE); - ProtobufUtil.grant(protocol, gblUser.getShortName(), - null, null, null, Permission.Action.WRITE); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, tblUser.getShortName(), + tableName, family2, null, Permission.Action.WRITE); + ProtobufUtil.grant(protocol, gblUser.getShortName(), + null, null, null, Permission.Action.WRITE); + } finally { + acl.close(); + } + Thread.sleep(100); // READ from family1, WRITE to family2 are allowed @@ -1066,8 +1205,16 @@ public class TestAccessController { verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); // revoke column family permission - ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, family2, null); - ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, family2, null); + ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null); + } finally { + acl.close(); + } Thread.sleep(100); @@ -1100,7 +1247,6 @@ public class TestAccessController { // create table HBaseAdmin admin = TEST_UTIL.getHBaseAdmin(); - if (admin.tableExists(tableName)) { admin.disableTable(tableName); admin.deleteTable(tableName); @@ -1113,17 +1259,16 @@ public class TestAccessController { // create temp users User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(tableName); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - PrivilegedExceptionAction getQualifierAction = new PrivilegedExceptionAction() { public Object run() throws Exception { Get g = new Get(Bytes.toBytes("random_row")); g.addColumn(family1, qualifier); HTable t = new HTable(conf, tableName); - t.get(g); + try { + t.get(g); + } finally { + t.close(); + } return null; } }; @@ -1132,7 +1277,11 @@ public class TestAccessController { Put p = new Put(Bytes.toBytes("random_row")); p.add(family1, qualifier, Bytes.toBytes("v1")); HTable t = new HTable(conf, tableName); - t.put(p); + try { + t.put(p); + } finally { + t.close(); + } return null; } }; @@ -1142,18 +1291,42 @@ public class TestAccessController { d.deleteColumn(family1, qualifier); // d.deleteFamily(family1); HTable t = new HTable(conf, tableName); - t.delete(d); + try { + t.delete(d); + } finally { + t.close(); + } return null; } }; - ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, null); + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, null); + } finally { + acl.close(); + } + + Thread.sleep(100); + verifyDenied(user, getQualifierAction); verifyDenied(user, putQualifierAction); verifyDenied(user, deleteQualifierAction); - ProtobufUtil.grant(protocol, user.getShortName(), - tableName, family1, qualifier, Permission.Action.READ); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, user.getShortName(), + tableName, family1, qualifier, Permission.Action.READ); + } finally { + acl.close(); + } + Thread.sleep(100); verifyAllowed(user, getQualifierAction); @@ -1162,8 +1335,17 @@ public class TestAccessController { // only grant write permission // TODO: comment this portion after HBASE-3583 - ProtobufUtil.grant(protocol, user.getShortName(), - tableName, family1, qualifier, Permission.Action.WRITE); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, user.getShortName(), + tableName, family1, qualifier, Permission.Action.WRITE); + } finally { + acl.close(); + } + Thread.sleep(100); verifyDenied(user, getQualifierAction); @@ -1171,9 +1353,18 @@ public class TestAccessController { verifyAllowed(user, deleteQualifierAction); // grant both read and write permission. - ProtobufUtil.grant(protocol, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.READ, Permission.Action.WRITE); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, user.getShortName(), + tableName, family1, qualifier, + Permission.Action.READ, Permission.Action.WRITE); + } finally { + acl.close(); + } + Thread.sleep(100); verifyAllowed(user, getQualifierAction); @@ -1181,8 +1372,17 @@ public class TestAccessController { verifyAllowed(user, deleteQualifierAction); // revoke family level permission won't impact column level. - ProtobufUtil.revoke(protocol, user.getShortName(), - tableName, family1, qualifier); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.revoke(protocol, user.getShortName(), + tableName, family1, qualifier); + } finally { + acl.close(); + } + Thread.sleep(100); verifyDenied(user, getQualifierAction); @@ -1213,12 +1413,17 @@ public class TestAccessController { htd.setOwner(USER_OWNER); admin.createTable(htd); - HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(tableName); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); + List perms; - List perms = ProtobufUtil.getUserPermissions(protocol, tableName); + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } UserPermission ownerperm = new UserPermission( Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); @@ -1234,9 +1439,17 @@ public class TestAccessController { hasFoundUserPermission(up, perms)); // grant read permission - ProtobufUtil.grant(protocol, user.getShortName(), - tableName, family1, qualifier, Permission.Action.READ); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, user.getShortName(), + tableName, family1, qualifier, Permission.Action.READ); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } UserPermission upToVerify = new UserPermission( userName, tableName, family1, qualifier, Permission.Action.READ); @@ -1249,19 +1462,36 @@ public class TestAccessController { hasFoundUserPermission(upToVerify, perms)); // grant read+write - ProtobufUtil.grant(protocol, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.WRITE, Permission.Action.READ); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.grant(protocol, user.getShortName(), + tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } upToVerify = new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE, Permission.Action.READ); assertTrue("User should be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, qualifier, - Permission.Action.WRITE, Permission.Action.READ); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + ProtobufUtil.revoke(protocol, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } + assertFalse("User should not be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); @@ -1271,7 +1501,17 @@ public class TestAccessController { User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); htd.setOwner(newOwner); admin.modifyTable(tableName, htd); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); + + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } + UserPermission newOwnerperm = new UserPermission( Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); assertTrue("New owner should have all permissions on table", @@ -1283,11 +1523,16 @@ public class TestAccessController { @Test public void testGlobalPermissionList() throws Exception { + List perms; HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - List perms = ProtobufUtil.getUserPermissions(protocol, null); + try { + BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, null); + } finally { + acl.close(); + } UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); assertTrue("Only user admin has permission on table _acl_ per setup", @@ -1302,25 +1547,27 @@ public class TestAccessController { } public void checkGlobalPerms(Permission.Action... actions) throws IOException { - HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(channel); - Permission[] perms = new Permission[actions.length]; for (int i = 0; i < actions.length; i++) { perms[i] = new Permission(actions[i]); } - CheckPermissionsRequest.Builder request = CheckPermissionsRequest.newBuilder(); for (Action a : actions) { request.addPermission(AccessControlProtos.Permission.newBuilder() .addAction(ProtobufUtil.toPermissionAction(a)).build()); } + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - protocol.checkPermissions(null, request.build()); - } catch (ServiceException se) { - ProtobufUtil.toIOException(se); + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + try { + protocol.checkPermissions(null, request.build()); + } catch (ServiceException se) { + ProtobufUtil.toIOException(se); + } + } finally { + acl.close(); } } @@ -1335,27 +1582,26 @@ public class TestAccessController { } public void checkTablePerms(byte[] table, Permission... perms) throws IOException { - HTable acl = new HTable(conf, table); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0])); CheckPermissionsRequest.Builder request = CheckPermissionsRequest.newBuilder(); for (Permission p : perms) { request.addPermission(ProtobufUtil.toPermission(p)); } + HTable acl = new HTable(conf, table); try { - protocol.checkPermissions(null, request.build()); - } catch (ServiceException se) { - ProtobufUtil.toIOException(se); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0])); + try { + protocol.checkPermissions(null, request.build()); + } catch (ServiceException se) { + ProtobufUtil.toIOException(se); + } + } finally { + acl.close(); } } @Test public void testCheckPermissions() throws Exception { - final HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(channel); - // -------------------------------------- // test global permissions PrivilegedExceptionAction globalAdmin = new PrivilegedExceptionAction() { @@ -1389,12 +1635,20 @@ public class TestAccessController { User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]); User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); - ProtobufUtil.grant(protocol, userTable.getShortName(), - TEST_TABLE, null, null, Permission.Action.READ); - ProtobufUtil.grant(protocol, userColumn.getShortName(), - TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); - ProtobufUtil.grant(protocol, userQualifier.getShortName(), - TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + ProtobufUtil.grant(protocol, userTable.getShortName(), + TEST_TABLE, null, null, Permission.Action.READ); + ProtobufUtil.grant(protocol, userColumn.getShortName(), + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); + ProtobufUtil.grant(protocol, userQualifier.getShortName(), + TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + } finally { + acl.close(); + } PrivilegedExceptionAction tableRead = new PrivilegedExceptionAction() { @Override @@ -1479,19 +1733,26 @@ public class TestAccessController { // -------------------------------------- // check for wrong table region + CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder() + .addPermission(AccessControlProtos.Permission.newBuilder() + .setTable(ByteString.copyFrom(TEST_TABLE)) + .addAction(AccessControlProtos.Permission.Action.CREATE) + ).build(); + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - CheckPermissionsRequest checkRequest = - CheckPermissionsRequest.newBuilder().addPermission( - AccessControlProtos.Permission.newBuilder() - .setTable(ByteString.copyFrom(TEST_TABLE)).addAction(AccessControlProtos.Permission.Action.CREATE) - ).build(); - // but ask for TablePermissions for TEST_TABLE - protocol.checkPermissions(null, checkRequest); - fail("this should have thrown CoprocessorException"); - } catch (ServiceException ex) { - // expected + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + try { + // but ask for TablePermissions for TEST_TABLE + protocol.checkPermissions(null, checkRequest); + fail("this should have thrown CoprocessorException"); + } catch (ServiceException ex) { + // expected + } + } finally { + acl.close(); } - } @Test