accumulo-commits mailing list archives

From vi...@apache.org
Subject svn commit: r1350414 - in /accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server: master/ security/ test/ test/functional/
Date Thu, 14 Jun 2012 22:25:05 GMT
Author: vines
Date: Thu Jun 14 22:25:04 2012
New Revision: 1350414

URL: http://svn.apache.org/viewvc?rev=1350414&view=rev
Log:
Resolved some tests for ACCUMULO-259


Modified:
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/master/Master.java
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperationImpl.java
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKAuthorizor.java
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKSecurityTool.java
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/VerifyIngest.java
    accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/functional/PermissionsTest.java

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/master/Master.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/master/Master.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/master/Master.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/master/Master.java
Thu Jun 14 22:25:04 2012
@@ -713,7 +713,8 @@ public class Master implements LiveTServ
     private void alterTableProperty(AuthInfo c, String tableName, String property, String
value, TableOperation op) throws ThriftSecurityException,
         ThriftTableOperationException {
       final String tableId = checkTableId(tableName, op);
-      security.canAlterTable(c, tableId);
+      if (!security.canAlterTable(c, tableId))
+        throw new ThriftSecurityException(c.user, SecurityErrorCode.PERMISSION_DENIED);
       
       try {
         if (value == null) {
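Review bot: Denial is signalled only by the boolean that the old line discarded, and nothing visible here stops the same mistake at other `security.can*` call sites in Master.java, which lie outside this hunk and should be audited for an unchecked result. A single helper would make the pattern hard to get wrong, for example `private static void require(boolean allowed, AuthInfo c) throws ThriftSecurityException { if (!allowed) throw new ThriftSecurityException(c.user, SecurityErrorCode.PERMISSION_DENIED); }`, called as `require(security.canAlterTable(c, tableId), c);`. The new `if` would also be safer with braces, since a later edit that adds a second statement under it would silently fall outside the check. The body of alterTableProperty continues past the end of the hunk.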

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
Thu Jun 14 22:25:04 2012
@@ -42,7 +42,7 @@ public class AuditedSecurityOperation im
   }
   
   private void audit(AuthInfo credentials, ThriftSecurityException ex, String template, Object...
args) {
-    log.log(AuditLevel.AUDIT, "Error: authentication operation failed: " + credentials.user
+ ": " + String.format(template, args));
+    log.log(AuditLevel.AUDIT, "Error: authenticated operation failed: " + credentials.user
+ ": " + String.format(template, args));
   }
   
   private void audit(AuthInfo credentials, String template, Object... args) {
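Review bot: The `ex` parameter is never used in the only statement of this `audit` overload, so the audit record says an operation failed but not why. Passing it through as the throwable, `log.log(AuditLevel.AUDIT, "Error: authenticated operation failed: " + credentials.user + ": " + String.format(template, args), ex);`, would keep the security error with the event. Separately, `credentials.user` and the formatted arguments are concatenated into the line as-is; unless user names are validated elsewhere (not visible here), CR/LF characters in them could split one audit entry into several, so stripping line breaks before logging is worth considering.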

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperationImpl.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperationImpl.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperationImpl.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperationImpl.java
Thu Jun 14 22:25:04 2012
@@ -100,6 +100,12 @@ public class SecurityOperationImpl imple
 
     authenticator.initializeSecurity(credentials, rootuser, rootpass);
     authorizor.initializeSecurity(rootuser);
+    try {
+      authorizor.grantTablePermission(rootuser, Constants.METADATA_TABLE_ID, TablePermission.ALTER_TABLE);
+    } catch (TableNotFoundException e) {
+      // Shouldn't happen
+      throw new RuntimeException(e);
+    }
   }
 
   public synchronized String getRootUsername() {
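Review bot: If the added grant throws, the authenticator and authorizor have already been initialized, and the bare `throw new RuntimeException(e)` gives an operator no hint that root was left without ALTER_TABLE on the metadata table. A message would help: `throw new RuntimeException("Could not grant root ALTER_TABLE on the metadata table during security initialization", e);`. Because the second hunk of this file removes root's implicit pass in hasTablePermission, this explicit grant becomes the only visible source of that permission, which deserves a comment such as `// root no longer bypasses table permission checks, so grant this explicitly`. It may also fit better inside `authorizor.initializeSecurity(rootuser)` with the other initial table permissions, if that is where they are set up. The enclosing method starts outside the hunk.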
@@ -207,7 +213,7 @@ public class SecurityOperationImpl imple
    * @throws ThriftTableOperationException
    */
   private boolean hasTablePermission(String user, String table, TablePermission permission)
throws ThriftSecurityException {
-    if (user.equals(getRootUsername()) || user.equals(SecurityConstants.SYSTEM_USERNAME))
+    if (user.equals(SecurityConstants.SYSTEM_USERNAME))
       return true;
     
     targetUserExists(user);
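Review bot: The Javadoc above this method still says `@throws ThriftTableOperationException` while the signature declares `throws ThriftSecurityException`; the tag should read `@throws ThriftSecurityException`. The remaining short-circuit trusts the user name string alone, so it is only safe if every caller has authenticated the credentials first. That precondition is worth writing down next to the check: `// Callers must authenticate the credentials before calling; the system user is recognized by name only.` Since root now goes through the normal lookup, instances initialized before this change presumably need their root table permissions granted explicitly; that is inferred and not shown in the hunk. The method body continues past the end of the hunk.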
@@ -433,7 +439,7 @@ public class SecurityOperationImpl imple
     authenticate(c);
     if (user.equals(SecurityConstants.SYSTEM_USERNAME))
       throw new ThriftSecurityException(c.user, SecurityErrorCode.PERMISSION_DENIED);
-    return hasSystemPermission(c.user, SystemPermission.ALTER_TABLE);
+    return hasSystemPermission(c.user, SystemPermission.ALTER_USER);
   }
 
   /**

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKAuthorizor.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKAuthorizor.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKAuthorizor.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKAuthorizor.java
Thu Jun 14 22:25:04 2012
@@ -227,7 +227,6 @@ public class ZKAuthorizor implements Aut
       initUser(rootuser);
       zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserAuths, ZKSecurityTool.convertAuthorizations(Constants.NO_AUTHS),
NodeExistsPolicy.FAIL);
       zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserSysPerms, ZKSecurityTool.convertSystemPermissions(rootPerms),
NodeExistsPolicy.FAIL);
-      zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserTablePerms, new byte[0],
NodeExistsPolicy.FAIL);
       for (Entry<String,Set<TablePermission>> entry : tablePerms.entrySet())
         createTablePerm(rootuser, entry.getKey(), entry.getValue());
     } catch (KeeperException e) {
@@ -258,7 +257,7 @@ public class ZKAuthorizor implements Aut
   }
   
   /**
-   * Sets up a new table configuration for the provided user/table. No checking for existance
is done here, it should be done before calling.
+   * Sets up a new table configuration for the provided user/table. No checking for existence
is done here, it should be done before calling.
    */
   private void createTablePerm(String user, String table, Set<TablePermission> perms)
throws KeeperException, InterruptedException {
     synchronized (zooCache) {
@@ -330,10 +329,11 @@ public class ZKAuthorizor implements Aut
   public void dropUser(String user) throws AccumuloSecurityException {
     try {
       synchronized (zooCache) {
+        IZooReaderWriter zoo = ZooReaderWriter.getRetryingInstance();
+        zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserAuths, NodeMissingPolicy.SKIP);
+        zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserSysPerms, NodeMissingPolicy.SKIP);
+        zoo.recursiveDelete(ZKUserPath + "/" + user + ZKUserTablePerms, NodeMissingPolicy.SKIP);
         zooCache.clear(ZKUserPath + "/" + user);
-        ZooReaderWriter.getRetryingInstance().recursiveDelete(ZKUserPath + "/" + user + ZKUserAuths,
NodeMissingPolicy.FAIL);
-        ZooReaderWriter.getRetryingInstance().recursiveDelete(ZKUserPath + "/" + user + ZKUserSysPerms,
NodeMissingPolicy.FAIL);
-        ZooReaderWriter.getRetryingInstance().recursiveDelete(ZKUserPath + "/" + user + ZKUserTablePerms,
NodeMissingPolicy.FAIL);
       }
     } catch (InterruptedException e) {
       log.error(e, e);
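Review bot: With `NodeMissingPolicy.SKIP` on all three deletes, dropUser now returns normally for a user that never existed, and nothing in the visible lines checks existence first. If that is meant to be the caller's job, say so in a comment above the deletes: `// Existence is checked by the caller; SKIP lets a retry finish a partially completed drop.` Deleting before `zooCache.clear(...)` is the right order, since the cache can no longer be repopulated with the stale entries. `user` is concatenated directly into the ZooKeeper path, so a name containing `/` would address a different node unless names are validated upstream, which is not visible here. The catch block continues outside the hunk.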

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKSecurityTool.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKSecurityTool.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKSecurityTool.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/ZKSecurityTool.java
Thu Jun 14 22:25:04 2012
@@ -32,6 +32,7 @@ import org.apache.accumulo.core.client.A
 import org.apache.accumulo.core.security.Authorizations;
 import org.apache.accumulo.core.security.SystemPermission;
 import org.apache.accumulo.core.security.TablePermission;
+import org.apache.log4j.Logger;
 
 /**
  * All the static too methods used for this class, so that we can separate out stuff that
isn't using ZooKeeper. That way, we can check the synchronization
@@ -39,6 +40,7 @@ import org.apache.accumulo.core.security
  * won't, and so don't need to be checked.
  */
 class ZKSecurityTool {
+  private static final Logger log = Logger.getLogger(ZKSecurityTool.class);
   private static final int SALT_LENGTH = 8;
   
   // Generates a byte array salt of length SALT_LENGTH
@@ -65,7 +67,7 @@ class ZKSecurityTool {
     try {
       passwordToCheck = convertPass(password, salt);
     } catch (NoSuchAlgorithmException e) {
-      ZKAuthenticator.log.error("Count not create hashed password", e);
+      log.error("Count not create hashed password", e);
       return false;
     }
     return java.util.Arrays.equals(passwordToCheck, zkData);
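Review bot: The stored and computed password hashes are compared with `java.util.Arrays.equals`, which returns at the first differing byte and so takes time that depends on how much of the hash matches. For credential checks the usual choice is `return java.security.MessageDigest.isEqual(passwordToCheck, zkData);`. The message text "Count not create hashed password" is a typo for "Could not" here and in the next hunk, where it also appears in the AccumuloException message. Returning false on NoSuchAlgorithmException fails closed, which is the right default. The method begins outside the hunk.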
@@ -76,7 +78,7 @@ class ZKSecurityTool {
     try {
       return convertPass(password, salt);
     } catch (NoSuchAlgorithmException e) {
-      ZKAuthenticator.log.error("Count not create hashed password", e);
+      log.error("Count not create hashed password", e);
       throw new AccumuloException("Count not create hashed password", e);
     }
   }
@@ -107,7 +109,7 @@ class ZKSecurityTool {
       for (SystemPermission sp : systempermissions)
         out.writeByte(sp.getId());
     } catch (IOException e) {
-      ZKAuthenticator.log.error(e, e);
+      log.error(e, e);
       throw new RuntimeException(e); // this is impossible with ByteArrayOutputStream; crash
hard if this happens
     }
     return bytes.toByteArray();
@@ -121,7 +123,7 @@ class ZKSecurityTool {
       while (in.available() > 0)
         toReturn.add(SystemPermission.getPermissionById(in.readByte()));
     } catch (IOException e) {
-      ZKAuthenticator.log.error("User database is corrupt; error converting system permissions",
e);
+      log.error("User database is corrupt; error converting system permissions", e);
       toReturn.clear();
     }
     return toReturn;
@@ -134,7 +136,7 @@ class ZKSecurityTool {
       for (TablePermission tp : tablepermissions)
         out.writeByte(tp.getId());
     } catch (IOException e) {
-      ZKAuthenticator.log.error(e, e);
+      log.error(e, e);
       throw new RuntimeException(e); // this is impossible with ByteArrayOutputStream; crash
hard if this happens
     }
     return bytes.toByteArray();

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/VerifyIngest.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/VerifyIngest.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/VerifyIngest.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/VerifyIngest.java
Thu Jun 14 22:25:04 2012
@@ -93,6 +93,8 @@ public class VerifyIngest {
       
       int errors = 0;
       
+      connector.securityOperations().changeUserAuthorizations(username, labelAuths);
+
       while (expectedRow < (ingestArgs.rows + ingestArgs.startRow)) {
         
         if (ingestArgs.useGet) {
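Review bot: A verification tool that only needs to read now changes `username`'s authorizations as a side effect, and the call appears to replace the user's existing set with `labelAuths` instead of adding to it. Running it against an account that is used for anything else would change what that account can see afterwards, and the caller must now hold permission to alter users. A comment at the call would make this explicit: `// NOTE: overwrites the authorizations of username so the scan can read the ingested labels`. Gating the call behind an option or restoring the previous authorizations at the end would be safer. The enclosing method starts and ends outside the hunk.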

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/functional/PermissionsTest.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/functional/PermissionsTest.java?rev=1350414&r1=1350413&r2=1350414&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/functional/PermissionsTest.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/functional/PermissionsTest.java
Thu Jun 14 22:25:04 2012
@@ -234,6 +234,13 @@ public class PermissionsTest {
           if (!ServerConfiguration.getTableConfiguration(instance, tableId).get(Property.TABLE_BLOOM_ERRORRATE).equals("003.14159%"))
             throw new IllegalStateException("Should be able to set a table property");
           test_user_conn.tableOperations().removeProperty(tableName, Property.TABLE_BLOOM_ERRORRATE.getKey());
+          // Surprised we got away without pausing before. 
+          try {
+            Thread.sleep(100);
+          } catch (InterruptedException e) {
+            // TODO Auto-generated catch block
+            e.printStackTrace();
+          }
           if (ServerConfiguration.getTableConfiguration(instance, tableId).get(Property.TABLE_BLOOM_ERRORRATE).equals("003.14159%"))
             throw new IllegalStateException("Should be able to remove a table property");
           test_user_conn.tableOperations().rename(tableName, table2);
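Review bot: The fixed `Thread.sleep(100)` makes this permission check timing-dependent: on a slow run the removal may not have propagated yet, and the test then reports a permissions failure that is really a race. The catch block also swallows InterruptedException with an auto-generated `printStackTrace()`. Polling for the expected state with a deadline removes the race, and the interrupt should be restored and surfaced; the 5 second bound below is an illustrative value. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: removeProperty(tableName, Property.TABLE_BLOOM_ERRORRATE.getKey()) …
// Property removal propagates asynchronously; wait for it with a deadline instead of a fixed sleep.
long deadline = System.currentTimeMillis() + 5000;
while (ServerConfiguration.getTableConfiguration(instance, tableId).get(Property.TABLE_BLOOM_ERRORRATE).equals("003.14159%")
    && System.currentTimeMillis() < deadline) {
  try {
    Thread.sleep(50);
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    throw new IllegalStateException("Interrupted while waiting for property removal", e);
  }
}
// … unchanged: "Should be able to remove a table property" check …
```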
@@ -296,6 +303,12 @@ public class PermissionsTest {
     private static final Logger log = Logger.getLogger(SystemPermissionsTest.class);
     private static final String TEST_TABLE = "__TABLE_PERMISSION_TEST__";
     
+    public static void main(String args[]) throws Exception
+    {
+      FunctionalTest.main(args);
+      new TablePermissionsTest().run();
+    }
+    
     @Override
     public void cleanup() throws Exception {}
     


