From st...@apache.org
Subject svn commit: r1513666 [4/4] - in /hbase/trunk: hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/ hbase-common/src/main/java/org/apache/hadoop/hbase/ hbase-protocol/src/main/j...
Date Tue, 13 Aug 2013 21:49:57 GMT
Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
(original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
Tue Aug 13 21:49:56 2013
@@ -18,8 +18,8 @@
 
 package org.apache.hadoop.hbase.security.access;
 
-import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -103,7 +103,7 @@ import com.google.protobuf.ServiceExcept
  */
 @Category(LargeTests.class)
 @SuppressWarnings("rawtypes")
-public class TestAccessController {
+public class TestAccessController extends SecureTestUtil {
   private static final Log LOG = LogFactory.getLog(TestAccessController.class);
   @Rule public TestTableName TEST_TABLE = new TestTableName();
   private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
@@ -156,7 +156,7 @@ public class TestAccessController {
       Coprocessor.PRIORITY_HIGHEST, 1, conf);
 
     // Wait for the ACL table to become available
-    TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+    TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
 
     // create a set of test users
     SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@@ -196,7 +196,6 @@ public class TestAccessController {
         AccessControlService.newBlockingStub(service);
 
       protocol.grant(null, RequestConverter.buildGrantRequest(USER_ADMIN.getShortName(),
-        null, null, null,
         AccessControlProtos.Permission.Action.ADMIN,
         AccessControlProtos.Permission.Action.CREATE,
         AccessControlProtos.Permission.Action.READ,
@@ -235,17 +234,6 @@ public class TestAccessController {
     assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
   }
 
-  public void verifyAllowed(User user, PrivilegedExceptionAction... actions) throws Exception
{
-    for (PrivilegedExceptionAction action : actions) {
-      try {
-        user.runAs(action);
-      } catch (AccessDeniedException ade) {
-        fail("Expected action to pass for user '" + user.getShortName() + "' but was denied:
" +
-          ade.toString());
-      }
-    }
-  }
-
   public void verifyAllowed(PrivilegedExceptionAction action, User... users) throws Exception
{
     for (User user : users) {
       verifyAllowed(user, action);
@@ -415,7 +403,7 @@ public class TestAccessController {
     PrivilegedExceptionAction disableAclTable = new PrivilegedExceptionAction() {
       public Object run() throws Exception {
         ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null),
-            AccessControlLists.ACL_TABLE);
+            AccessControlLists.ACL_TABLE_NAME);
         return null;
       }
     };
@@ -1164,7 +1152,7 @@ public class TestAccessController {
       ProtobufUtil.grant(protocol, tblUser.getShortName(),
         tableName, null, null, Permission.Action.READ);
       ProtobufUtil.grant(protocol, gblUser.getShortName(),
-        null, null, null, Permission.Action.READ);
+          Permission.Action.READ);
     } finally {
       acl.close();
     }
@@ -1188,7 +1176,7 @@ public class TestAccessController {
       ProtobufUtil.grant(protocol, tblUser.getShortName(),
         tableName, null, null, Permission.Action.WRITE);
       ProtobufUtil.grant(protocol, gblUser.getShortName(),
-        null, null, null, Permission.Action.WRITE);
+          Permission.Action.WRITE);
     } finally {
       acl.close();
     }
@@ -1212,7 +1200,7 @@ public class TestAccessController {
       ProtobufUtil.grant(protocol, tblUser.getShortName(), tableName, null, null,
         Permission.Action.READ, Permission.Action.WRITE);
       ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, null, null);
-      ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null);
+      ProtobufUtil.revoke(protocol, gblUser.getShortName());
     } finally {
       acl.close();
     }
@@ -1236,7 +1224,7 @@ public class TestAccessController {
       ProtobufUtil.grant(protocol, tblUser.getShortName(),
         tableName, family1, null, Permission.Action.READ);
       ProtobufUtil.grant(protocol, gblUser.getShortName(),
-        null, null, null, Permission.Action.READ);
+          Permission.Action.READ);
     } finally {
       acl.close();
     }
@@ -1262,7 +1250,7 @@ public class TestAccessController {
       ProtobufUtil.grant(protocol, tblUser.getShortName(),
         tableName, family2, null, Permission.Action.WRITE);
       ProtobufUtil.grant(protocol, gblUser.getShortName(),
-        null, null, null, Permission.Action.WRITE);
+          Permission.Action.WRITE);
     } finally {
       acl.close();
     }
@@ -1287,7 +1275,7 @@ public class TestAccessController {
       AccessControlService.BlockingInterface protocol =
         AccessControlService.newBlockingStub(service);
       ProtobufUtil.revoke(protocol, tblUser.getShortName(), tableName, family2, null);
-      ProtobufUtil.revoke(protocol, gblUser.getShortName(), null, null, null);
+      ProtobufUtil.revoke(protocol, gblUser.getShortName());
     } finally {
       acl.close();
     }
@@ -1607,12 +1595,12 @@ public class TestAccessController {
       BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
       AccessControlService.BlockingInterface protocol =
         AccessControlService.newBlockingStub(service);
-      perms = ProtobufUtil.getUserPermissions(protocol, null);
+      perms = ProtobufUtil.getUserPermissions(protocol);
     } finally {
       acl.close();
     }
     UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
-      AccessControlLists.ACL_TABLE, null, null, Bytes.toBytes("ACRW"));
+      AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
     assertTrue("Only user admin has permission on table _acl_ per setup",
       perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
   }
@@ -1632,7 +1620,10 @@ public class TestAccessController {
     CheckPermissionsRequest.Builder request = CheckPermissionsRequest.newBuilder();
     for (Action a : actions) {
       request.addPermission(AccessControlProtos.Permission.newBuilder()
-          .addAction(ProtobufUtil.toPermissionAction(a)).build());
+          .setType(AccessControlProtos.Permission.Type.Global)
+          .setGlobalPermission(
+              AccessControlProtos.GlobalPermission.newBuilder()
+                  .addAction(ProtobufUtil.toPermissionAction(a)).build()));
     }
     HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
     try {
@@ -1813,8 +1804,11 @@ public class TestAccessController {
     // check for wrong table region
     CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder()
       .addPermission(AccessControlProtos.Permission.newBuilder()
-        .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName()))
-        .addAction(AccessControlProtos.Permission.Action.CREATE)
+          .setType(AccessControlProtos.Permission.Type.Table)
+          .setTablePermission(
+              AccessControlProtos.TablePermission.newBuilder()
+                  .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName()))
+                  .addAction(AccessControlProtos.Permission.Action.CREATE))
       ).build();
     acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
     try {
@@ -1935,7 +1929,7 @@ public class TestAccessController {
       // User name for the new RegionServer we plan to add.
       String activeUserForNewRs = currentUser + ".hfs."
           + hbaseCluster.getLiveRegionServerThreads().size();
-      ProtobufUtil.grant(protocol, activeUserForNewRs, null, null, null,
+      ProtobufUtil.grant(protocol, activeUserForNewRs,
         Permission.Action.ADMIN, Permission.Action.CREATE,
         Permission.Action.READ, Permission.Action.WRITE);
     } finally {

Added: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java?rev=1513666&view=auto
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
(added)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
Tue Aug 13 21:49:56 2013
@@ -0,0 +1,200 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.access;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.Coprocessor;
+import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.HColumnDescriptor;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.HTableDescriptor;
+import org.apache.hadoop.hbase.MediumTests;
+import org.apache.hadoop.hbase.NamespaceDescriptor;
+import org.apache.hadoop.hbase.TableName;
+import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.HTable;
+import org.apache.hadoop.hbase.client.Result;
+import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
+import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
+import org.apache.hadoop.hbase.coprocessor.ObserverContext;
+import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
+import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
+import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.Permission.Action;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import com.google.common.collect.ListMultimap;
+import com.google.protobuf.BlockingRpcChannel;
+
+@Category(MediumTests.class)
+@SuppressWarnings("rawtypes")
+public class TestNamespaceCommands extends SecureTestUtil {
+  private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
+  private static String TestNamespace = "ns1";
+  private static Configuration conf;
+  private static MasterCoprocessorEnvironment CP_ENV;
+  private static AccessController ACCESS_CONTROLLER;
+  
+//user with all permissions
+  private static User SUPERUSER;
+ // user with rw permissions
+  private static User USER_RW;
+ // user with create table permissions alone
+  private static User USER_CREATE;
+  // user with permission on namespace for testing all operations.
+  private static User USER_NSP_WRITE;
+  
+  @BeforeClass
+  public static void beforeClass() throws Exception {
+    conf = UTIL.getConfiguration();
+    SecureTestUtil.enableSecurity(conf);
+    conf.set(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, AccessController.class.getName());
+    UTIL.startMiniCluster();
+    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
+    USER_RW = User.createUserForTesting(conf, "rw_user", new String[0]);
+    USER_CREATE = User.createUserForTesting(conf, "create_user", new String[0]);
+    USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
+    UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TestNamespace).build());
+
+    // Wait for the ACL table to become available
+    UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 8000);
+
+    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    MasterCoprocessorHost cpHost = UTIL.getMiniHBaseCluster().getMaster().getCoprocessorHost();
+    cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
+    ACCESS_CONTROLLER = (AccessController) cpHost.findCoprocessor(AccessController.class.getName());
+    try {
+      BlockingRpcChannel service =
+          acl.coprocessorService(HConstants.EMPTY_START_ROW);
+      AccessControlService.BlockingInterface protocol =
+        AccessControlService.newBlockingStub(service);
+      ProtobufUtil.grant(protocol, USER_NSP_WRITE.getShortName(),
+          TestNamespace, Action.WRITE);
+    } finally {
+      acl.close();
+    }
+  }
+  
+  @AfterClass
+  public static void afterClass() throws Exception {
+    UTIL.getHBaseAdmin().deleteNamespace(TestNamespace);
+    UTIL.shutdownMiniCluster();
+  }
+
+  @Test
+  public void testAclTableEntries() throws Exception {
+    String userTestNamespace = "userTestNsp";
+    AccessControlService.BlockingInterface protocol = null;
+    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    try {
+      BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
+      protocol = AccessControlService.newBlockingStub(service);
+      ProtobufUtil.grant(protocol, userTestNamespace, TestNamespace, Permission.Action.WRITE);
+      Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
+      assertTrue(result != null);
+      ListMultimap<String, TablePermission> perms =
+          AccessControlLists.getNamespacePermissions(conf, TestNamespace);
+      assertEquals(2, perms.size());
+      List<TablePermission> namespacePerms = perms.get(userTestNamespace);
+      assertTrue(perms.containsKey(userTestNamespace));
+      assertEquals(1, namespacePerms.size());
+      assertEquals(TestNamespace,
+        namespacePerms.get(0).getNamespace());
+      assertEquals(null, namespacePerms.get(0).getFamily());
+      assertEquals(null, namespacePerms.get(0).getQualifier());
+      assertEquals(1, namespacePerms.get(0).getActions().length);
+      assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getActions()[0]);
+      // Now revoke and check.
+      ProtobufUtil.revoke(protocol, userTestNamespace, TestNamespace,
+          Permission.Action.WRITE);
+      perms = AccessControlLists.getNamespacePermissions(conf, TestNamespace);
+      assertEquals(1, perms.size());
+    } finally {
+      acl.close();
+    }
+  }
+  
+  @Test
+  public void testModifyNamespace() throws Exception {
+    PrivilegedExceptionAction modifyNamespace = new PrivilegedExceptionAction() {
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preModifyNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
+          NamespaceDescriptor.create(TestNamespace).addConfiguration("abc", "156").build());
+        return null;
+      }
+    };
+    // verify that superuser or hbase admin can modify namespaces.
+    verifyAllowed(modifyNamespace, SUPERUSER);
+    // all others should be denied
+    verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
+  }
+  
+  @Test
+  public void testGrantRevoke() throws Exception{
+    //Only HBase super user should be able to grant and revoke permissions to
+    // namespaces.
+    final String testUser = "testUser";
+    PrivilegedExceptionAction grantAction = new PrivilegedExceptionAction() {
+      public Object run() throws Exception {
+        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+        try {
+          BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
+          AccessControlService.BlockingInterface protocol =
+            AccessControlService.newBlockingStub(service);
+          ProtobufUtil.grant(protocol, testUser, TestNamespace, Action.WRITE);
+        } finally {
+          acl.close();
+        }
+        return null;
+      }
+    };
+
+    PrivilegedExceptionAction revokeAction = new PrivilegedExceptionAction() {
+      public Object run() throws Exception {
+        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+        try {
+          BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
+          AccessControlService.BlockingInterface protocol =
+            AccessControlService.newBlockingStub(service);
+          ProtobufUtil.revoke(protocol, testUser, TestNamespace, Action.WRITE);
+        } finally {
+          acl.close();
+        }
+        return null;
+      }
+    };
+    
+    verifyAllowed(grantAction, SUPERUSER);
+    verifyDenied(grantAction, USER_CREATE, USER_RW);
+
+    verifyAllowed(revokeAction, SUPERUSER);
+    verifyDenied(revokeAction, USER_CREATE, USER_RW);
+    
+  }
+}
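Review bot: `CP_ENV` is declared as a static field of TestNamespaceCommands but never assigned in `beforeClass`, so `testModifyNamespace` prepares its ObserverContext with a null environment; it presumably was meant to mirror TestAccessController and be set right after `ACCESS_CONTROLLER` is looked up, e.g. `CP_ENV = cpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);`. In `testGrantRevoke` the `verifyDenied` calls cover only `USER_CREATE` and `USER_RW`, so the comment's claim that only the superuser may grant or revoke namespace permissions is never checked against a user who already holds namespace WRITE; add `USER_NSP_WRITE` to both deny lists, `verifyDenied(grantAction, USER_NSP_WRITE, USER_CREATE, USER_RW);` and the same for `revokeAction`. In `testAclTableEntries`, `assertTrue(result != null)` is likely vacuous if `HTable.get` returns an empty `Result` rather than null for a missing row; `assertFalse(result.isEmpty())` (with the matching static import) would actually confirm that the grant wrote an ACL row for `userTestNsp`.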

Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
(original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
Tue Aug 13 21:49:56 2013
@@ -97,7 +97,7 @@ public class TestTablePermissions {
     UTIL.startMiniCluster();
 
     // Wait for the ACL table to become available
-    UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+    UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
 
     ZKW = new ZooKeeperWatcher(UTIL.getConfiguration(),
       "TestTablePermissions", ABORTABLE);
@@ -116,7 +116,7 @@ public class TestTablePermissions {
     Configuration conf = UTIL.getConfiguration();
     AccessControlLists.removeTablePermissions(conf, TEST_TABLE);
     AccessControlLists.removeTablePermissions(conf, TEST_TABLE2);
-    AccessControlLists.removeTablePermissions(conf, AccessControlLists.ACL_TABLE);
+    AccessControlLists.removeTablePermissions(conf, AccessControlLists.ACL_TABLE_NAME);
   }
 
   /**
@@ -240,12 +240,12 @@ public class TestTablePermissions {
             TablePermission.Action.READ, TablePermission.Action.WRITE));
 
     // check full load
-    Map<TableName,ListMultimap<String,TablePermission>> allPerms =
+    Map<byte[], ListMultimap<String,TablePermission>> allPerms =
         AccessControlLists.loadAll(conf);
     assertEquals("Full permission map should have entries for both test tables",
         2, allPerms.size());
 
-    userPerms = allPerms.get(TEST_TABLE).get("hubert");
+    userPerms = allPerms.get(TEST_TABLE.getName()).get("hubert");
     assertNotNull(userPerms);
     assertEquals(1, userPerms.size());
     permission = userPerms.get(0);
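Review bot: `allPerms` is now keyed by `byte[]`, and the `allPerms.get(TEST_TABLE.getName())` lookup only works if `AccessControlLists.loadAll` returns a map backed by a byte-array comparator; with a hash-based map, `byte[]` keys compare by identity and the lookup silently returns null. Worth a short comment at the declaration, `// keyed by table-name bytes; relies on loadAll supplying a byte[] comparator`, or keeping a `TableName`-keyed map so the assertion cannot depend on the map implementation. The same lookup appears in the next hunk for `TEST_TABLE2`. The enclosing test method starts and ends outside the hunk.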
@@ -253,7 +253,7 @@ public class TestTablePermissions {
     assertEquals(1, permission.getActions().length);
     assertEquals(TablePermission.Action.READ, permission.getActions()[0]);
 
-    userPerms = allPerms.get(TEST_TABLE2).get("hubert");
+    userPerms = allPerms.get(TEST_TABLE2.getName()).get("hubert");
     assertNotNull(userPerms);
     assertEquals(1, userPerms.size());
     permission = userPerms.get(0);
@@ -310,7 +310,7 @@ public class TestTablePermissions {
     ListMultimap<String,TablePermission> permissions = createPermissions();
     byte[] permsData = AccessControlLists.writePermissionsAsBytes(permissions, conf);
 
-    ListMultimap<String,TablePermission> copy =
+    ListMultimap<String, TablePermission> copy =
         AccessControlLists.readPermissions(permsData, conf);
 
     checkMultimapEqual(permissions, copy);

Modified: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java?rev=1513666&r1=1513665&r2=1513666&view=diff
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java
(original)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionsWatcher.java
Tue Aug 13 21:49:56 2013
@@ -108,7 +108,7 @@ public class TestZKPermissionsWatcher {
     List<TablePermission> acl = new ArrayList<TablePermission>();
     acl.add(new TablePermission(TEST_TABLE, null, TablePermission.Action.READ,
       TablePermission.Action.WRITE));
-    AUTH_A.setUserPermissions("george", TEST_TABLE, acl);
+    AUTH_A.setTableUserPermissions("george", TEST_TABLE, acl);
     Thread.sleep(100);
 
     // check it
@@ -132,7 +132,7 @@ public class TestZKPermissionsWatcher {
     // update ACL: hubert R
     acl = new ArrayList<TablePermission>();
     acl.add(new TablePermission(TEST_TABLE, null, TablePermission.Action.READ));
-    AUTH_B.setUserPermissions("hubert", TEST_TABLE, acl);
+    AUTH_B.setTableUserPermissions("hubert", TEST_TABLE, acl);
     Thread.sleep(100);
 
     // check it


