HBASE-12511 namespace permissions - add support from table creation privilege in a namespace 'C' (Huaiyu Zhu)
This commit is contained in:
parent
7fff4b6cf9
commit
ec64415570
|
@ -504,8 +504,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
private void requireGlobalPermission(String request, Action perm, TableName tableName,
|
||||
Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
|
||||
User user = getActiveUser();
|
||||
if (authManager.authorize(user, perm) || (tableName != null &&
|
||||
authManager.authorize(user, tableName.getNamespaceAsString(), perm))) {
|
||||
if (authManager.authorize(user, perm)) {
|
||||
logResult(AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap));
|
||||
} else {
|
||||
logResult(AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap));
|
||||
|
@ -525,8 +524,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
private void requireGlobalPermission(String request, Action perm,
|
||||
String namespace) throws IOException {
|
||||
User user = getActiveUser();
|
||||
if (authManager.authorize(user, perm)
|
||||
|| (namespace != null && authManager.authorize(user, namespace, perm))) {
|
||||
if (authManager.authorize(user, perm)) {
|
||||
logResult(AuthResult.allow(request, "Global check allowed", user, perm, namespace));
|
||||
} else {
|
||||
logResult(AuthResult.deny(request, "Global check failed", user, perm, namespace));
|
||||
|
@ -536,6 +534,34 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks that the user has the given global or namespace permission.
|
||||
* @param namespace
|
||||
* @param perm Action being requested
|
||||
*/
|
||||
public void requireNamespacePermission(String request, String namespace,
|
||||
Action... permissions) throws IOException {
|
||||
User user = getActiveUser();
|
||||
AuthResult result = null;
|
||||
|
||||
for (Action permission : permissions) {
|
||||
if (authManager.authorize(user, namespace, permission)) {
|
||||
result = AuthResult.allow(request, "Namespace permission granted",
|
||||
user, permission, namespace);
|
||||
break;
|
||||
} else {
|
||||
// rest of the world
|
||||
result = AuthResult.deny(request, "Insufficient permissions", user,
|
||||
permission, namespace);
|
||||
}
|
||||
}
|
||||
logResult(result);
|
||||
if (!result.isAllowed()) {
|
||||
throw new AccessDeniedException("Insufficient permissions "
|
||||
+ result.toContextString());
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns <code>true</code> if the current user is allowed the given action
|
||||
* over at least one of the column qualifiers in the given column families.
|
||||
|
@ -822,7 +848,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
}
|
||||
|
||||
/* ---- MasterObserver implementation ---- */
|
||||
|
||||
@Override
|
||||
public void start(CoprocessorEnvironment env) throws IOException {
|
||||
CompoundConfiguration conf = new CompoundConfiguration();
|
||||
conf.add(env.getConfiguration());
|
||||
|
@ -877,6 +903,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
tableAcls = new MapMaker().weakValues().makeMap();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void stop(CoprocessorEnvironment env) {
|
||||
|
||||
}
|
||||
|
@ -889,7 +916,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
for (byte[] family: families) {
|
||||
familyMap.put(family, null);
|
||||
}
|
||||
requireGlobalPermission("createTable", Action.CREATE, desc.getTableName(), familyMap);
|
||||
requireNamespacePermission("createTable", desc.getTableName().getNamespaceAsString(), Action.CREATE);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -1156,7 +1183,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
@Override
|
||||
public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||
NamespaceDescriptor ns) throws IOException {
|
||||
requirePermission("createNamespace", Action.ADMIN);
|
||||
requireGlobalPermission("createNamespace", Action.ADMIN, ns.getName());
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -1182,13 +1209,15 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
@Override
|
||||
public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
|
||||
NamespaceDescriptor ns) throws IOException {
|
||||
// We require only global permission so that
|
||||
// a user with NS admin cannot altering namespace configurations. i.e. namespace quota
|
||||
requireGlobalPermission("modifyNamespace", Action.ADMIN, ns.getName());
|
||||
}
|
||||
|
||||
@Override
|
||||
public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)
|
||||
throws IOException {
|
||||
requireGlobalPermission("getNamespaceDescriptor", Action.ADMIN, namespace);
|
||||
requireNamespacePermission("getNamespaceDescriptor", namespace, Action.ADMIN);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -1200,7 +1229,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
while (itr.hasNext()) {
|
||||
NamespaceDescriptor desc = itr.next();
|
||||
try {
|
||||
requireGlobalPermission("listNamespaces", Action.ADMIN, desc.getName());
|
||||
requireNamespacePermission("listNamespaces", desc.getName(), Action.ADMIN);
|
||||
} catch (AccessDeniedException e) {
|
||||
itr.remove();
|
||||
}
|
||||
|
@ -2141,7 +2170,7 @@ public class AccessController extends BaseMasterAndRegionObserver
|
|||
});
|
||||
} else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
|
||||
final String namespace = request.getNamespaceName().toStringUtf8();
|
||||
requireGlobalPermission("userPermissions", Action.ADMIN, namespace);
|
||||
requireNamespacePermission("userPermissions", namespace, Action.ADMIN);
|
||||
perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
|
||||
@Override
|
||||
public List<UserPermission> run() throws Exception {
|
||||
|
|
|
@ -282,7 +282,9 @@ public class TestAccessController extends SecureTestUtil {
|
|||
// Test deleted the table, no problem
|
||||
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
|
||||
}
|
||||
// Verify all table/namespace permissions are erased
|
||||
assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
|
||||
assertEquals(0, AccessControlLists.getNamespacePermissions(conf, TEST_TABLE.getTableName().getNameAsString()).size());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
@ -64,14 +64,33 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
|
||||
// user with all permissions
|
||||
private static User SUPERUSER;
|
||||
|
||||
// user with A permission on global
|
||||
private static User USER_GLOBAL_ADMIN;
|
||||
// user with C permission on global
|
||||
private static User USER_GLOBAL_CREATE;
|
||||
// user with W permission on global
|
||||
private static User USER_GLOBAL_WRITE;
|
||||
// user with R permission on global
|
||||
private static User USER_GLOBAL_READ;
|
||||
// user with X permission on global
|
||||
private static User USER_GLOBAL_EXEC;
|
||||
|
||||
// user with A permission on namespace
|
||||
private static User USER_NS_ADMIN;
|
||||
// user with C permission on namespace
|
||||
private static User USER_NS_CREATE;
|
||||
// user with W permission on namespace
|
||||
private static User USER_NS_WRITE;
|
||||
// user with R permission on namespace.
|
||||
private static User USER_NS_READ;
|
||||
// user with X permission on namespace.
|
||||
private static User USER_NS_EXEC;
|
||||
|
||||
// user with rw permissions
|
||||
private static User USER_RW;
|
||||
// user with create table permissions alone
|
||||
private static User USER_CREATE;
|
||||
// user with permission on namespace for testing all operations.
|
||||
private static User USER_NSP_WRITE;
|
||||
// user with admin permission on namespace.
|
||||
private static User USER_NSP_ADMIN;
|
||||
private static User USER_TABLE_WRITE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
|
||||
//user with create table permissions alone
|
||||
private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
|
||||
|
||||
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
|
||||
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
|
||||
|
@ -82,10 +101,22 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
enableSecurity(conf);
|
||||
|
||||
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
|
||||
USER_RW = User.createUserForTesting(conf, "rw_user", new String[0]);
|
||||
USER_CREATE = User.createUserForTesting(conf, "create_user", new String[0]);
|
||||
USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
|
||||
USER_NSP_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
|
||||
// Users with global permissions
|
||||
USER_GLOBAL_ADMIN = User.createUserForTesting(conf, "global_admin", new String[0]);
|
||||
USER_GLOBAL_CREATE = User.createUserForTesting(conf, "global_create", new String[0]);
|
||||
USER_GLOBAL_WRITE = User.createUserForTesting(conf, "global_write", new String[0]);
|
||||
USER_GLOBAL_READ = User.createUserForTesting(conf, "global_read", new String[0]);
|
||||
USER_GLOBAL_EXEC = User.createUserForTesting(conf, "global_exec", new String[0]);
|
||||
|
||||
USER_NS_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
|
||||
USER_NS_CREATE = User.createUserForTesting(conf, "namespace_create", new String[0]);
|
||||
USER_NS_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
|
||||
USER_NS_READ = User.createUserForTesting(conf, "namespace_read", new String[0]);
|
||||
USER_NS_EXEC = User.createUserForTesting(conf, "namespace_exec", new String[0]);
|
||||
|
||||
USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
|
||||
USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
|
||||
// TODO: other table perms
|
||||
|
||||
UTIL.startMiniCluster();
|
||||
// Wait for the ACL table to become available
|
||||
|
@ -98,11 +129,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build());
|
||||
UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build());
|
||||
|
||||
grantOnNamespace(UTIL, USER_NSP_WRITE.getShortName(),
|
||||
TEST_NAMESPACE, Permission.Action.WRITE, Permission.Action.CREATE);
|
||||
// grants on global
|
||||
grantGlobal(UTIL, USER_GLOBAL_ADMIN.getShortName(), Permission.Action.ADMIN);
|
||||
grantGlobal(UTIL, USER_GLOBAL_CREATE.getShortName(), Permission.Action.CREATE);
|
||||
grantGlobal(UTIL, USER_GLOBAL_WRITE.getShortName(), Permission.Action.WRITE);
|
||||
grantGlobal(UTIL, USER_GLOBAL_READ.getShortName(), Permission.Action.READ);
|
||||
grantGlobal(UTIL, USER_GLOBAL_EXEC.getShortName(), Permission.Action.EXEC);
|
||||
|
||||
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE, Permission.Action.ADMIN);
|
||||
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
|
||||
// grants on namespace
|
||||
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE, Permission.Action.ADMIN);
|
||||
grantOnNamespace(UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, Permission.Action.CREATE);
|
||||
grantOnNamespace(UTIL, USER_NS_WRITE.getShortName(), TEST_NAMESPACE, Permission.Action.WRITE);
|
||||
grantOnNamespace(UTIL, USER_NS_READ.getShortName(), TEST_NAMESPACE, Permission.Action.READ);
|
||||
grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
|
||||
|
||||
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
|
@ -117,15 +158,20 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
String userTestNamespace = "userTestNsp";
|
||||
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
try {
|
||||
ListMultimap<String, TablePermission> perms =
|
||||
AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
|
||||
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
assertEquals(5, perms.size());
|
||||
|
||||
// Grant and check state in ACL table
|
||||
grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
|
||||
Permission.Action.WRITE);
|
||||
|
||||
Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
|
||||
assertTrue(result != null);
|
||||
ListMultimap<String, TablePermission> perms =
|
||||
AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
assertEquals(3, perms.size());
|
||||
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
assertEquals(6, perms.size());
|
||||
List<TablePermission> namespacePerms = perms.get(userTestNamespace);
|
||||
assertTrue(perms.containsKey(userTestNamespace));
|
||||
assertEquals(1, namespacePerms.size());
|
||||
|
@ -141,7 +187,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
Permission.Action.WRITE);
|
||||
|
||||
perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
|
||||
assertEquals(2, perms.size());
|
||||
assertEquals(5, perms.size());
|
||||
} finally {
|
||||
acl.close();
|
||||
}
|
||||
|
@ -156,15 +202,28 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
return null;
|
||||
}
|
||||
};
|
||||
// verify that superuser or hbase admin can modify namespaces.
|
||||
verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN);
|
||||
// all others should be denied
|
||||
verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
|
||||
|
||||
// modifyNamespace: superuser | global(A) | NS(A)
|
||||
verifyAllowed(modifyNamespace,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN);
|
||||
|
||||
verifyDeniedWithException(modifyNamespace,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_ADMIN,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCreateAndDeleteNamespace() throws Exception {
|
||||
AccessTestAction createNamespace = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preCreateNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
|
||||
NamespaceDescriptor.create(TEST_NAMESPACE2).build());
|
||||
|
@ -173,6 +232,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
};
|
||||
|
||||
AccessTestAction deleteNamespace = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
|
||||
TEST_NAMESPACE2);
|
||||
|
@ -180,29 +240,71 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
// verify that only superuser can create namespaces.
|
||||
verifyAllowed(createNamespace, SUPERUSER);
|
||||
// verify that superuser or hbase admin can delete namespaces.
|
||||
verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN);
|
||||
// createNamespace: superuser | global(A)
|
||||
verifyAllowed(createNamespace,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN);
|
||||
|
||||
// all others should be denied
|
||||
verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN);
|
||||
verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
|
||||
verifyDeniedWithException(createNamespace,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_ADMIN,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
|
||||
// deleteNamespace: superuser | global(A) | NS(A)
|
||||
verifyAllowed(deleteNamespace,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN);
|
||||
|
||||
verifyDeniedWithException(deleteNamespace,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_ADMIN,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGetNamespaceDescriptor() throws Exception {
|
||||
AccessTestAction getNamespaceAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
ACCESS_CONTROLLER.preGetNamespaceDescriptor(ObserverContext.createAndPrepare(CP_ENV, null),
|
||||
TEST_NAMESPACE);
|
||||
return null;
|
||||
}
|
||||
};
|
||||
// verify that superuser or hbase admin can get the namespace descriptor.
|
||||
verifyAllowed(getNamespaceAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
// all others should be denied
|
||||
verifyDenied(getNamespaceAction, USER_NSP_WRITE, USER_CREATE, USER_RW);
|
||||
// getNamespaceDescriptor : superuser | global(A) | NS(A)
|
||||
verifyAllowed(getNamespaceAction,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN,
|
||||
USER_NS_ADMIN);
|
||||
|
||||
verifyDeniedWithException(getNamespaceAction,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -222,12 +324,30 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
verifyAllowed(listAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
verifyDenied(listAction, USER_NSP_WRITE, USER_CREATE, USER_RW);
|
||||
// listNamespaces : All access*
|
||||
// * Returned list will only show what you can call getNamespaceDescriptor()
|
||||
|
||||
verifyAllowed(listAction,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN,
|
||||
USER_NS_ADMIN);
|
||||
|
||||
// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
|
||||
assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
|
||||
assertEquals(2, ((List)USER_NSP_ADMIN.runAs(listAction)).size());
|
||||
assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
|
||||
|
||||
assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
|
||||
|
||||
assertEquals(0, ((List)USER_GLOBAL_CREATE.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_GLOBAL_WRITE.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_GLOBAL_READ.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_GLOBAL_EXEC.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_NS_CREATE.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_NS_WRITE.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_NS_READ.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
|
||||
assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -237,6 +357,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
// Test if client API actions are authorized
|
||||
|
||||
AccessTestAction grantAction = new AccessTestAction() {
|
||||
@Override
|
||||
public Object run() throws Exception {
|
||||
Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
|
||||
try {
|
||||
|
@ -284,16 +405,56 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
// Only HBase super user should be able to grant and revoke permissions to
|
||||
// namespaces
|
||||
verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
verifyDenied(grantAction, USER_CREATE, USER_RW);
|
||||
verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
verifyDenied(revokeAction, USER_CREATE, USER_RW);
|
||||
verifyAllowed(grantAction,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN);
|
||||
|
||||
// Only an admin should be able to get the user permission
|
||||
verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
|
||||
verifyDeniedWithException(revokeAction, USER_CREATE, USER_RW);
|
||||
verifyDeniedWithException(grantAction,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_ADMIN,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
|
||||
verifyAllowed(revokeAction,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN);
|
||||
|
||||
verifyDeniedWithException(revokeAction,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_ADMIN,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
|
||||
verifyAllowed(getPermissionsAction,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_ADMIN,
|
||||
USER_NS_ADMIN);
|
||||
|
||||
verifyDeniedWithException(getPermissionsAction,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_CREATE,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -308,10 +469,22 @@ public class TestNamespaceCommands extends SecureTestUtil {
|
|||
}
|
||||
};
|
||||
|
||||
// Only users with create permissions on namespace should be able to create a new table
|
||||
verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE);
|
||||
//createTable : superuser | global(C) | NS(C)
|
||||
verifyAllowed(createTable,
|
||||
SUPERUSER,
|
||||
USER_GLOBAL_CREATE,
|
||||
USER_NS_CREATE);
|
||||
|
||||
// all others should be denied
|
||||
verifyDenied(createTable, USER_CREATE, USER_RW);
|
||||
verifyDeniedWithException(createTable,
|
||||
USER_GLOBAL_ADMIN,
|
||||
USER_GLOBAL_WRITE,
|
||||
USER_GLOBAL_READ,
|
||||
USER_GLOBAL_EXEC,
|
||||
USER_NS_ADMIN,
|
||||
USER_NS_WRITE,
|
||||
USER_NS_READ,
|
||||
USER_NS_EXEC,
|
||||
USER_TABLE_CREATE,
|
||||
USER_TABLE_WRITE);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue