hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From anoopsamj...@apache.org
Subject svn commit: r1543314 [6/6] - in /hbase/trunk: hbase-client/src/main/java/org/apache/hadoop/hbase/client/ hbase-client/src/main/java/org/apache/hadoop/hbase/protobuf/ hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/ hbase-common/s...
Date Tue, 19 Nov 2013 05:39:49 GMT
Added: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java (added)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java Tue Nov 19 05:39:47 2013
@@ -0,0 +1,675 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.visibility;
+
+import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_FAMILY;
+import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
+import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABEL_QUALIFIER;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.Cell;
+import org.apache.hadoop.hbase.CellScanner;
+import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.MediumTests;
+import org.apache.hadoop.hbase.TableName;
+import org.apache.hadoop.hbase.client.Append;
+import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.HTable;
+import org.apache.hadoop.hbase.client.Increment;
+import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.client.Result;
+import org.apache.hadoop.hbase.client.ResultScanner;
+import org.apache.hadoop.hbase.client.Scan;
+import org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
+import org.apache.hadoop.hbase.regionserver.HRegion;
+import org.apache.hadoop.hbase.regionserver.HRegionServer;
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.apache.hadoop.hbase.util.JVMClusterUtil.RegionServerThread;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.rules.TestName;
+
+import com.google.protobuf.ByteString;
+
+/**
+ * Test class that tests the visibility labels
+ */
+@Category(MediumTests.class)
+public class TestVisibilityLabels {
+
+  private static final String TOPSECRET = "topsecret";
+  private static final String PUBLIC = "public";
+  private static final String PRIVATE = "private";
+  private static final String CONFIDENTIAL = "confidential";
+  private static final String SECRET = "secret";
+  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
+  private static final byte[] row1 = Bytes.toBytes("row1");
+  private static final byte[] row2 = Bytes.toBytes("row2");
+  private static final byte[] row3 = Bytes.toBytes("row3");
+  private static final byte[] row4 = Bytes.toBytes("row4");
+  private final static byte[] fam = Bytes.toBytes("info");
+  private final static byte[] qual = Bytes.toBytes("qual");
+  private final static byte[] value = Bytes.toBytes("value");
+  private static Configuration conf;
+
+  private volatile boolean killedRS = false;
+  @Rule 
+  public final TestName TEST_NAME = new TestName();
+  private static User SUPERUSER;
+
+  @BeforeClass
+  public static void setupBeforeClass() throws Exception {
+    // setup configuration
+    conf = TEST_UTIL.getConfiguration();
+    conf.setInt("hfile.format.version", 3);
+    conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName());
+    conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName());
+    conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
+        ScanLabelGenerator.class);
+    String currentUser = User.getCurrent().getName();
+    conf.set("hbase.superuser", "admin,"+currentUser);
+    TEST_UTIL.startMiniCluster(2);
+    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
+
+    // Wait for the labels table to become available
+    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
+    addLabels();
+  }
+
+  @AfterClass
+  public static void tearDownAfterClass() throws Exception {
+    TEST_UTIL.shutdownMiniCluster();
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    killedRS = false;
+  }
+
+  @Test
+  public void testSimpleVisibilityLabels() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "|" + CONFIDENTIAL,
+        PRIVATE + "|" + CONFIDENTIAL);
+    try {
+      Scan s = new Scan();
+      s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL, PRIVATE));
+      ResultScanner scanner = table.getScanner(s);
+      Result[] next = scanner.next(3);
+
+      assertTrue(next.length == 2);
+      CellScanner cellScanner = next[0].cellScanner();
+      cellScanner.advance();
+      Cell current = cellScanner.current();
+      assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
+          current.getRowLength(), row1, 0, row1.length));
+      cellScanner = next[1].cellScanner();
+      cellScanner.advance();
+      current = cellScanner.current();
+      assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
+          current.getRowLength(), row2, 0, row2.length));
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsWithComplexLabels() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL
+        + ")" + "&" + "!" + TOPSECRET, "(" + PRIVATE + "&" + CONFIDENTIAL + "&" + SECRET + ")", "("
+        + PRIVATE + "&" + CONFIDENTIAL + "&" + SECRET + ")", "(" + PRIVATE + "&" + CONFIDENTIAL
+        + "&" + SECRET + ")");
+    try {
+      Scan s = new Scan();
+      s.setAuthorizations(new Authorizations(TOPSECRET, CONFIDENTIAL, PRIVATE, PUBLIC, SECRET));
+      ResultScanner scanner = table.getScanner(s);
+      Result[] next = scanner.next(4);
+      assertEquals(3, next.length);
+      CellScanner cellScanner = next[0].cellScanner();
+      cellScanner.advance();
+      Cell current = cellScanner.current();
+      assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
+          current.getRowLength(), row2, 0, row2.length));
+      cellScanner = next[1].cellScanner();
+      cellScanner.advance();
+      current = cellScanner.current();
+      assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
+          current.getRowLength(), row3, 0, row3.length));
+      cellScanner = next[2].cellScanner();
+      cellScanner.advance();
+      current = cellScanner.current();
+      assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(),
+          current.getRowLength(), row4, 0, row4.length));
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsThatDoesNotPassTheCriteria() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL
+        + ")", PRIVATE);
+    try {
+      Scan s = new Scan();
+      s.setAuthorizations(new Authorizations(PUBLIC));
+      ResultScanner scanner = table.getScanner(s);
+      Result[] next = scanner.next(3);
+      assertTrue(next.length == 0);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsInPutsThatDoesNotMatchAnyDefinedLabels() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    try {
+      createTableAndWriteDataWithLabels(tableName, "SAMPLE_LABEL", "TEST");
+      fail("Should have failed with failed sanity check exception");
+    } catch (Exception e) {
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsInScanThatDoesNotMatchAnyDefinedLabels() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL
+        + ")", PRIVATE);
+    try {
+      Scan s = new Scan();
+      s.setAuthorizations(new Authorizations("SAMPLE"));
+      ResultScanner scanner = table.getScanner(s);
+      Result[] next = scanner.next(3);
+      assertTrue(next.length == 0);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsWithGet() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!"
+        + PRIVATE, SECRET + "&" + CONFIDENTIAL + "&" + PRIVATE);
+    try {
+      Get get = new Get(row1);
+      get.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
+      Result result = table.get(get);
+      assertTrue(!result.isEmpty());
+      Cell cell = result.getColumnLatestCell(fam, qual);
+      assertTrue(Bytes.equals(value, 0, value.length, cell.getValueArray(), cell.getValueOffset(),
+          cell.getValueLength()));
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsOnKillingOfRSContainingLabelsTable() throws Exception {
+    List<RegionServerThread> regionServerThreads = TEST_UTIL.getHBaseCluster()
+        .getRegionServerThreads();
+    int liveRS = 0;
+    for (RegionServerThread rsThreads : regionServerThreads) {
+      if (!rsThreads.getRegionServer().isAborted()) {
+        liveRS++;
+      }
+    }
+    if (liveRS == 1) {
+      TEST_UTIL.getHBaseCluster().startRegionServer();
+    }
+    Thread t1 = new Thread() {
+      public void run() {
+        List<RegionServerThread> regionServerThreads = TEST_UTIL.getHBaseCluster()
+            .getRegionServerThreads();
+        for (RegionServerThread rsThread : regionServerThreads) {
+          List<HRegion> onlineRegions = rsThread.getRegionServer().getOnlineRegions(
+              LABELS_TABLE_NAME);
+          if (onlineRegions.size() > 0) {
+            rsThread.getRegionServer().abort("Aborting ");
+            killedRS = true;
+            break;
+          }
+        }
+      }
+
+    };
+    t1.start();
+    final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    Thread t = new Thread() {
+      public void run() {
+        try {
+          while (!killedRS) {
+            Thread.sleep(1);
+          }
+          createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + ")",
+              PRIVATE);
+        } catch (Exception e) {
+        }
+      }
+    };
+    t.start();
+    regionServerThreads = TEST_UTIL.getHBaseCluster().getRegionServerThreads();
+    while (!killedRS) {
+      Thread.sleep(10);
+    }
+    regionServerThreads = TEST_UTIL.getHBaseCluster().getRegionServerThreads();
+    for (RegionServerThread rsThread : regionServerThreads) {
+      while (true) {
+        if (!rsThread.getRegionServer().isAborted()) {
+          List<HRegion> onlineRegions = rsThread.getRegionServer().getOnlineRegions(
+              LABELS_TABLE_NAME);
+          if (onlineRegions.size() > 0) {
+            break;
+          } else {
+            Thread.sleep(10);
+          }
+        } else {
+          break;
+        }
+      }
+    }
+    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
+    t.join();
+    HTable table = null;
+    try {
+      table = new HTable(TEST_UTIL.getConfiguration(), tableName);
+      Scan s = new Scan();
+      s.setAuthorizations(new Authorizations(SECRET));
+      ResultScanner scanner = table.getScanner(s);
+      Result[] next = scanner.next(3);
+      assertTrue(next.length == 1);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testVisibilityLabelsOnRSRestart() throws Exception {
+    final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    List<RegionServerThread> regionServerThreads = TEST_UTIL.getHBaseCluster()
+        .getRegionServerThreads();
+    for (RegionServerThread rsThread : regionServerThreads) {
+      rsThread.getRegionServer().abort("Aborting ");
+    }
+    // Start one new RS
+    RegionServerThread rs = TEST_UTIL.getHBaseCluster().startRegionServer();
+    HRegionServer regionServer = rs.getRegionServer();
+    while (!regionServer.isOnline()) {
+      try {
+        Thread.sleep(10);
+      } catch (InterruptedException e) {
+      }
+    }
+    HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL
+        + ")", PRIVATE);
+    try {
+      Scan s = new Scan();
+      s.setAuthorizations(new Authorizations(SECRET));
+      ResultScanner scanner = table.getScanner(s);
+      Result[] next = scanner.next(3);
+      assertTrue(next.length == 1);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testAddVisibilityLabelsOnRSRestart() throws Exception {
+    List<RegionServerThread> regionServerThreads = TEST_UTIL.getHBaseCluster()
+        .getRegionServerThreads();
+    for (RegionServerThread rsThread : regionServerThreads) {
+      rsThread.getRegionServer().abort("Aborting ");
+    }
+    // Start one new RS
+    RegionServerThread rs = TEST_UTIL.getHBaseCluster().startRegionServer();
+    HRegionServer regionServer = rs.getRegionServer();
+    while (!regionServer.isOnline()) {
+      try {
+        Thread.sleep(10);
+      } catch (InterruptedException e) {
+      }
+    }
+    String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, "ABC", "XYZ" };
+    try {
+      VisibilityClient.addLabels(conf, labels);
+    } catch (Throwable t) {
+      throw new IOException(t);
+    }
+    // Scan the visibility label
+    Scan s = new Scan();
+    s.setAuthorizations(new Authorizations(VisibilityUtils.SYSTEM_LABEL));
+    HTable ht = new HTable(conf, LABELS_TABLE_NAME.getName());
+    int i = 0;
+    try {
+      ResultScanner scanner = ht.getScanner(s);
+      while (true) {
+        Result next = scanner.next();
+        if (next == null) {
+          break;
+        }
+        i++;
+      }
+    } finally {
+      if (ht != null) {
+        ht.close();
+      }
+    }
+    // One label is the "system" label.
+    Assert.assertEquals("The count should be 8", 8, i);
+  }
+
+  @Test
+  public void testVisibilityLabelsInGetThatDoesNotMatchAnyDefinedLabels() throws Exception {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL
+        + ")", PRIVATE);
+    try {
+      Get get = new Get(row1);
+      get.setAuthorizations(new Authorizations("SAMPLE"));
+      Result result = table.get(get);
+      assertTrue(result.isEmpty());
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testAddLabels() throws Throwable {
+    String[] labels = { "L1", SECRET, "L2", "invalid~", "L3" };
+    VisibilityLabelsResponse response = VisibilityClient.addLabels(conf, labels);
+    List<RegionActionResult> resultList = response.getResultList();
+    assertEquals(5, resultList.size());
+    assertTrue(resultList.get(0).getException().getValue().isEmpty());
+    assertEquals("org.apache.hadoop.hbase.security.visibility.LabelAlreadyExistsException",
+        resultList.get(1).getException().getName());
+    assertTrue(resultList.get(2).getException().getValue().isEmpty());
+    assertEquals("org.apache.hadoop.hbase.security.visibility.InvalidLabelException", resultList
+        .get(3).getException().getName());
+    assertTrue(resultList.get(4).getException().getValue().isEmpty());
+  }
+
+  @Test
+  public void testSetAndGetUserAuths() throws Throwable {
+    String[] auths = { SECRET, CONFIDENTIAL };
+    String user = "user1";
+    VisibilityClient.setAuths(conf, auths, user);
+    HTable ht = null;
+    try {
+      ht = new HTable(conf, LABELS_TABLE_NAME);
+      ResultScanner scanner = ht.getScanner(new Scan());
+      Result result = null;
+      while ((result = scanner.next()) != null) {
+        Cell label = result.getColumnLatestCell(LABELS_TABLE_FAMILY, LABEL_QUALIFIER);
+        Cell userAuth = result.getColumnLatestCell(LABELS_TABLE_FAMILY, user.getBytes());
+        if (Bytes.equals(SECRET.getBytes(), 0, SECRET.getBytes().length, label.getValueArray(),
+            label.getValueOffset(), label.getValueLength())
+            || Bytes.equals(CONFIDENTIAL.getBytes(), 0, CONFIDENTIAL.getBytes().length,
+                label.getValueArray(), label.getValueOffset(), label.getValueLength())) {
+          assertNotNull(userAuth);
+        } else {
+          assertNull(userAuth);
+        }
+      }
+    } finally {
+      if (ht != null) {
+        ht.close();
+      }
+    }
+    GetAuthsResponse authsResponse = VisibilityClient.getAuths(conf, user);
+    List<String> authsList = new ArrayList<String>();
+    for (ByteString authBS : authsResponse.getAuthList()) {
+      authsList.add(Bytes.toString(authBS.toByteArray()));
+    }
+    assertEquals(2, authsList.size());
+    assertTrue(authsList.contains(SECRET));
+    assertTrue(authsList.contains(CONFIDENTIAL));
+    
+    // Try doing setAuths once again and there should not be any duplicates
+    String[] auths1 = { SECRET, CONFIDENTIAL };
+    user = "user1";
+    VisibilityClient.setAuths(conf, auths1, user);
+    
+    authsResponse = VisibilityClient.getAuths(conf, user);
+    authsList = new ArrayList<String>();
+    for (ByteString authBS : authsResponse.getAuthList()) {
+      authsList.add(Bytes.toString(authBS.toByteArray()));
+    }
+    assertEquals(2, authsList.size());
+    assertTrue(authsList.contains(SECRET));
+    assertTrue(authsList.contains(CONFIDENTIAL));
+  }
+
+  @Test
+  public void testClearUserAuths() throws Throwable {
+    String[] auths = { SECRET, CONFIDENTIAL, PRIVATE };
+    String user = "testUser";
+    VisibilityClient.setAuths(conf, auths, user);
+    // Removing the auths for SECRET and CONFIDENTIAL for the user.
+    // Passing a non existing auth also.
+    auths = new String[] { SECRET, PUBLIC, CONFIDENTIAL };
+    VisibilityLabelsResponse response = VisibilityClient.clearAuths(conf, auths, user);
+    List<RegionActionResult> resultList = response.getResultList();
+    assertEquals(3, resultList.size());
+    assertTrue(resultList.get(0).getException().getValue().isEmpty());
+    assertEquals("org.apache.hadoop.hbase.security.visibility.InvalidLabelException",
+        resultList.get(1).getException().getName());
+    assertTrue(resultList.get(2).getException().getValue().isEmpty());
+    HTable ht = null;
+    try {
+      ht = new HTable(conf, LABELS_TABLE_NAME);
+      ResultScanner scanner = ht.getScanner(new Scan());
+      Result result = null;
+      while ((result = scanner.next()) != null) {
+        Cell label = result.getColumnLatestCell(LABELS_TABLE_FAMILY, LABEL_QUALIFIER);
+        Cell userAuth = result.getColumnLatestCell(LABELS_TABLE_FAMILY, user.getBytes());
+        if (Bytes.equals(PRIVATE.getBytes(), 0, PRIVATE.getBytes().length, label.getValueArray(),
+            label.getValueOffset(), label.getValueLength())) {
+          assertNotNull(userAuth);
+        } else {
+          assertNull(userAuth);
+        }
+      }
+    } finally {
+      if (ht != null) {
+        ht.close();
+      }
+    }
+
+    GetAuthsResponse authsResponse = VisibilityClient.getAuths(conf, user);
+    List<String> authsList = new ArrayList<String>();
+    for (ByteString authBS : authsResponse.getAuthList()) {
+      authsList.add(Bytes.toString(authBS.toByteArray()));
+    }
+    assertEquals(1, authsList.size());
+    assertTrue(authsList.contains(PRIVATE));
+  }
+
+  @Test
+  public void testLablesWithCheckAndPut() throws Throwable {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = null;
+    try {
+      table = TEST_UTIL.createTable(tableName, fam);
+      byte[] row1 = Bytes.toBytes("row1");
+      Put put = new Put(row1);
+      put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value);
+      put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL));
+      table.checkAndPut(row1, fam, qual, null, put);
+      byte[] row2 = Bytes.toBytes("row2");
+      put = new Put(row2);
+      put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value);
+      put.setCellVisibility(new CellVisibility(SECRET));
+      table.checkAndPut(row2, fam, qual, null, put);
+      
+      Scan scan = new Scan();
+      scan.setAuthorizations(new Authorizations(SECRET));
+      ResultScanner scanner = table.getScanner(scan);
+      Result result = scanner.next();
+      assertTrue(!result.isEmpty());
+      assertTrue(Bytes.equals(row2, result.getRow()));
+      result = scanner.next();
+      assertNull(result);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testLablesWithIncrement() throws Throwable {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = null;
+    try {
+      table = TEST_UTIL.createTable(tableName, fam);
+      byte[] row1 = Bytes.toBytes("row1");
+      byte[] val = Bytes.toBytes(1L);
+      Put put = new Put(row1);
+      put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val);
+      put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL));
+      table.put(put);
+      Get get = new Get(row1);
+      get.setAuthorizations(new Authorizations(SECRET));
+      Result result = table.get(get);
+      assertTrue(result.isEmpty());
+      table.incrementColumnValue(row1, fam, qual, 2L);
+      result = table.get(get);
+      assertTrue(result.isEmpty());
+      Increment increment = new Increment(row1);
+      increment.addColumn(fam, qual, 2L);
+      increment.setCellVisibility(new CellVisibility(SECRET));
+      table.increment(increment);
+      result = table.get(get);
+      assertTrue(!result.isEmpty());
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  @Test
+  public void testLablesWithAppend() throws Throwable {
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    HTable table = null;
+    try {
+      table = TEST_UTIL.createTable(tableName, fam);
+      byte[] row1 = Bytes.toBytes("row1");
+      byte[] val = Bytes.toBytes("a");
+      Put put = new Put(row1);
+      put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val);
+      put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL));
+      table.put(put);
+      Get get = new Get(row1);
+      get.setAuthorizations(new Authorizations(SECRET));
+      Result result = table.get(get);
+      assertTrue(result.isEmpty());
+      Append append = new Append(row1);
+      append.add(fam, qual, Bytes.toBytes("b"));
+      table.append(append);
+      result = table.get(get);
+      assertTrue(result.isEmpty());
+      append = new Append(row1);
+      append.add(fam, qual, Bytes.toBytes("c"));
+      append.setCellVisibility(new CellVisibility(SECRET));
+      table.append(append);
+      result = table.get(get);
+      assertTrue(!result.isEmpty());
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+  }
+
+  private static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps)
+      throws Exception {
+    HTable table = null;
+    try {
+      table = TEST_UTIL.createTable(tableName, fam);
+      int i = 1;
+      List<Put> puts = new ArrayList<Put>();
+      for (String labelExp : labelExps) {
+        Put put = new Put(Bytes.toBytes("row" + i));
+        put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value);
+        put.setCellVisibility(new CellVisibility(labelExp));
+        puts.add(put);
+        i++;
+      }
+      table.put(puts);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+    return table;
+  }
+
+  private static void addLabels() throws Exception {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action =
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        String[] labels = { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE };
+        try {
+          VisibilityClient.addLabels(conf, labels);
+        } catch (Throwable t) {
+          throw new IOException(t);
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(action);
+  }
+}

Added: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsOpWithDifferentUsersNoACL.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsOpWithDifferentUsersNoACL.java?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsOpWithDifferentUsersNoACL.java (added)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsOpWithDifferentUsersNoACL.java Tue Nov 19 05:39:47 2013
@@ -0,0 +1,175 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.visibility;
+
+import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.MediumTests;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.rules.TestName;
+
+import com.google.protobuf.ByteString;
+
+@Category(MediumTests.class)
+public class TestVisibilityLabelsOpWithDifferentUsersNoACL {
+  private static final String PRIVATE = "private";
+  private static final String CONFIDENTIAL = "confidential";
+  private static final String SECRET = "secret";
+  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
+  private static Configuration conf;
+
+  @Rule
+  public final TestName TEST_NAME = new TestName();
+  private static User SUPERUSER;
+  private static User NORMAL_USER;
+  private static User NORMAL_USER1;
+
+  @BeforeClass
+  public static void setupBeforeClass() throws Exception {
+    // setup configuration
+    conf = TEST_UTIL.getConfiguration();
+    conf.setInt("hfile.format.version", 3);
+    String currentUser = User.getCurrent().getName();
+    conf.set("hbase.superuser", "admin,"+currentUser);
+    conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName());
+    conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName());
+    TEST_UTIL.startMiniCluster(2);
+
+    // Wait for the labels table to become available
+    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
+    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
+    NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
+    NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {});
+    addLabels();
+  }
+
+  @AfterClass
+  public static void tearDownAfterClass() throws Exception {
+    TEST_UTIL.shutdownMiniCluster();
+  }
+
+  @Test
+  public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action =
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    VisibilityLabelsResponse response = SUPERUSER.runAs(action);
+    assertTrue(response.getResult(0).getException().getValue().isEmpty());
+    assertTrue(response.getResult(1).getException().getValue().isEmpty());
+    
+    // Ideally this should not be allowed.  this operation should fail or do nothing.
+    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user3");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    response = NORMAL_USER1.runAs(action);
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(0).getException().getName());
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(1).getException().getName());
+
+    PrivilegedExceptionAction<GetAuthsResponse> action1 =
+        new PrivilegedExceptionAction<GetAuthsResponse>() {
+      public GetAuthsResponse run() throws Exception {
+        try {
+          return VisibilityClient.getAuths(conf, "user1");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
+    assertTrue(authsResponse.getAuthList().isEmpty());
+    authsResponse = NORMAL_USER1.runAs(action1);
+    assertTrue(authsResponse.getAuthList().isEmpty());
+    authsResponse = SUPERUSER.runAs(action1);
+    List<String> authsList = new ArrayList<String>();
+    for (ByteString authBS : authsResponse.getAuthList()) {
+      authsList.add(Bytes.toString(authBS.toByteArray()));
+    }
+    assertEquals(2, authsList.size());
+    assertTrue(authsList.contains(CONFIDENTIAL));
+    assertTrue(authsList.contains(PRIVATE));
+
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action2 = 
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.clearAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    response = NORMAL_USER1.runAs(action2);
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(0).getException().getName());
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(1).getException().getName());
+    response = SUPERUSER.runAs(action2);
+    assertTrue(response.getResult(0).getException().getValue().isEmpty());
+    assertTrue(response.getResult(1).getException().getValue().isEmpty());
+    authsResponse = SUPERUSER.runAs(action1);
+    assertTrue(authsResponse.getAuthList().isEmpty());
+  }
+
+  private static void addLabels() throws Exception {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action = 
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        String[] labels = { SECRET, CONFIDENTIAL, PRIVATE };
+        try {
+          VisibilityClient.addLabels(conf, labels);
+        } catch (Throwable t) {
+          throw new IOException(t);
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(action);
+  }
+}

Added: hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java (added)
+++ hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java Tue Nov 19 05:39:47 2013
@@ -0,0 +1,273 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.visibility;
+
+import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.HBaseTestingUtility;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.MediumTests;
+import org.apache.hadoop.hbase.TableName;
+import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.HTable;
+import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.client.Result;
+import org.apache.hadoop.hbase.client.ResultScanner;
+import org.apache.hadoop.hbase.client.Scan;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
+import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
+import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.AccessControlLists;
+import org.apache.hadoop.hbase.security.access.AccessController;
+import org.apache.hadoop.hbase.security.access.SecureTestUtil;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.rules.TestName;
+
+import com.google.protobuf.ByteString;
+
+@Category(MediumTests.class)
+public class TestVisibilityLabelsWithACL {
+
+  private static final String PRIVATE = "private";
+  private static final String CONFIDENTIAL = "confidential";
+  private static final String SECRET = "secret";
+  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
+  private static final byte[] row1 = Bytes.toBytes("row1");
+  private final static byte[] fam = Bytes.toBytes("info");
+  private final static byte[] qual = Bytes.toBytes("qual");
+  private final static byte[] value = Bytes.toBytes("value");
+  private static Configuration conf;
+
+  @Rule
+  public final TestName TEST_NAME = new TestName();
+  private static User SUPERUSER;
+  private static User NORMAL_USER;
+
+  @BeforeClass
+  public static void setupBeforeClass() throws Exception {
+    // setup configuration
+    conf = TEST_UTIL.getConfiguration();
+    conf.setInt("hfile.format.version", 3);
+    SecureTestUtil.enableSecurity(conf);
+    conf.set("hbase.coprocessor.master.classes", AccessController.class.getName() + ","
+        + VisibilityController.class.getName());
+    conf.set("hbase.coprocessor.region.classes", AccessController.class.getName() + ","
+        + VisibilityController.class.getName());
+    TEST_UTIL.startMiniCluster(2);
+
+    TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);
+    // Wait for the labels table to become available
+    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
+    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
+    NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
+    addLabels();
+  }
+
+  @AfterClass
+  public static void tearDownAfterClass() throws Exception {
+    TEST_UTIL.shutdownMiniCluster();
+  }
+
+  @Test
+  public void testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations() throws Throwable {
+    String[] auths = { SECRET };
+    String user = "admin";
+    VisibilityClient.setAuths(conf, auths, user);
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL
+        + "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
+    PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() {
+      public Void run() throws Exception {
+        Scan s = new Scan();
+        s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
+        HTable t = new HTable(conf, table.getTableName());
+        try {
+          ResultScanner scanner = t.getScanner(s);
+          Result result = scanner.next();
+          assertTrue(!result.isEmpty());
+          assertTrue(Bytes.equals(Bytes.toBytes("row2"), result.getRow()));
+          result = scanner.next();
+          assertNull(result);
+        } finally {
+          t.close();
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(scanAction);
+  }
+
+  @Test
+  public void testVisibilityLabelsForUserWithNoAuths() throws Throwable {
+    String user = "admin";
+    String[] auths = { SECRET };
+    VisibilityClient.clearAuths(conf, auths, user); // Removing all auths if any.
+    VisibilityClient.setAuths(conf, auths, "user1");
+    TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
+    final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET);
+    PrivilegedExceptionAction<Void> getAction = new PrivilegedExceptionAction<Void>() {
+      public Void run() throws Exception {
+        Get g = new Get(row1);
+        g.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
+        HTable t = new HTable(conf, table.getTableName());
+        try {
+          Result result = t.get(g);
+          assertTrue(result.isEmpty());
+        } finally {
+          t.close();
+        }
+        return null;
+      }
+    };
+    SUPERUSER.runAs(getAction);
+  }
+
+  @Test
+  public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
+    PrivilegedExceptionAction<VisibilityLabelsResponse> action = 
+        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.addLabels(conf, new String[] { "l1", "l2" });
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    VisibilityLabelsResponse response = NORMAL_USER.runAs(action);
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(0).getException().getName());
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(1).getException().getName());
+
+    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    response = NORMAL_USER.runAs(action);
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(0).getException().getName());
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
+        .getResult(1).getException().getName());
+
+    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    response = SUPERUSER.runAs(action);
+    assertTrue(response.getResult(0).getException().getValue().isEmpty());
+    assertTrue(response.getResult(1).getException().getValue().isEmpty());
+
+    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
+      public VisibilityLabelsResponse run() throws Exception {
+        try {
+          return VisibilityClient.clearAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    response = NORMAL_USER.runAs(action);
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0)
+        .getException().getName());
+    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1)
+        .getException().getName());
+
+    response = VisibilityClient.clearAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
+    assertTrue(response.getResult(0).getException().getValue().isEmpty());
+    assertTrue(response.getResult(1).getException().getValue().isEmpty());
+
+    VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user2");
+    PrivilegedExceptionAction<GetAuthsResponse> action1 = 
+        new PrivilegedExceptionAction<GetAuthsResponse>() {
+      public GetAuthsResponse run() throws Exception {
+        try {
+          return VisibilityClient.getAuths(conf, "user2");
+        } catch (Throwable e) {
+        }
+        return null;
+      }
+    };
+    GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
+    assertNull(authsResponse);
+    authsResponse = SUPERUSER.runAs(action1);
+    List<String> authsList = new ArrayList<String>();
+    for (ByteString authBS : authsResponse.getAuthList()) {
+      authsList.add(Bytes.toString(authBS.toByteArray()));
+    }
+    assertEquals(2, authsList.size());
+    assertTrue(authsList.contains(CONFIDENTIAL));
+    assertTrue(authsList.contains(PRIVATE));
+  }
+
+  private static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps)
+      throws Exception {
+    HTable table = null;
+    try {
+      table = TEST_UTIL.createTable(tableName, fam);
+      int i = 1;
+      List<Put> puts = new ArrayList<Put>();
+      for (String labelExp : labelExps) {
+        Put put = new Put(Bytes.toBytes("row" + i));
+        put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value);
+        put.setCellVisibility(new CellVisibility(labelExp));
+        puts.add(put);
+        i++;
+      }
+      table.put(puts);
+    } finally {
+      if (table != null) {
+        table.close();
+      }
+    }
+    return table;
+  }
+
+  private static void addLabels() throws IOException {
+    String[] labels = { SECRET, CONFIDENTIAL, PRIVATE };
+    try {
+      VisibilityClient.addLabels(conf, labels);
+    } catch (Throwable t) {
+      throw new IOException(t);
+    }
+  }
+}

Modified: hbase/trunk/hbase-shell/src/main/ruby/hbase.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/hbase.rb?rev=1543314&r1=1543313&r2=1543314&view=diff
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/hbase.rb (original)
+++ hbase/trunk/hbase-shell/src/main/ruby/hbase.rb Tue Nov 19 05:39:47 2013
@@ -79,3 +79,4 @@ require 'hbase/admin'
 require 'hbase/table'
 require 'hbase/replication_admin'
 require 'hbase/security'
+require 'hbase/visibility_labels'

Modified: hbase/trunk/hbase-shell/src/main/ruby/hbase/hbase.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/hbase/hbase.rb?rev=1543314&r1=1543313&r2=1543314&view=diff
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/hbase/hbase.rb (original)
+++ hbase/trunk/hbase-shell/src/main/ruby/hbase/hbase.rb Tue Nov 19 05:39:47 2013
@@ -22,6 +22,7 @@ include Java
 require 'hbase/admin'
 require 'hbase/table'
 require 'hbase/security'
+require 'hbase/visibility_labels'
 
 module Hbase
   class Hbase
@@ -55,5 +56,9 @@ module Hbase
     def security_admin(formatter)
       ::Hbase::SecurityAdmin.new(configuration, formatter)
     end
+
+    def visibility_labels_admin(formatter)
+      ::Hbase::VisibilityLabelsAdmin.new(configuration, formatter)
+    end
   end
 end

Added: hbase/trunk/hbase-shell/src/main/ruby/hbase/visibility_labels.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/hbase/visibility_labels.rb?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/hbase/visibility_labels.rb (added)
+++ hbase/trunk/hbase-shell/src/main/ruby/hbase/visibility_labels.rb Tue Nov 19 05:39:47 2013
@@ -0,0 +1,134 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include Java
+java_import org.apache.hadoop.hbase.security.visibility.VisibilityClient
+java_import org.apache.hadoop.hbase.security.visibility.VisibilityConstants
+java_import org.apache.hadoop.hbase.util.Bytes
+
+module Hbase
+  class VisibilityLabelsAdmin
+
+    def initialize(configuration, formatter)
+      @config = configuration
+      @formatter = formatter
+      @admin = org.apache.hadoop.hbase.client.HBaseAdmin.new(configuration)
+    end
+
+    def add_labels(*args)
+      lables_table_available?
+
+      # Normalize args
+      if args.kind_of?(Array)
+        labels = [ args ].flatten.compact
+      end
+
+      begin
+        response = VisibilityClient.addLabels(@config, labels.to_java(:string))
+        if response.nil?
+          raise(ArgumentError, "DISABLED: Visibility labels feature is not available")
+        end
+        labelsWithException = ""
+        list = response.getResultList()
+        list.each do |result|
+            if result.hasException()
+               labelsWithException += Bytes.toString(result.getException().getValue().toByteArray())
+            end
+        end    
+        if labelsWithException.length > 0
+          raise(ArgumentError, labelsWithException)
+        end  
+      end
+    end
+
+    def set_auths(user, *args)
+      lables_table_available?
+      # Normalize args
+      if args.kind_of?(Array)
+        auths = [ args ].flatten.compact
+      end
+
+      begin
+        response = VisibilityClient.setAuths(@config, auths.to_java(:string), user)
+        if response.nil?
+          raise(ArgumentError, "DISABLED: Visibility labels feature is not available")
+        end
+        labelsWithException = ""
+        list = response.getResultList()
+        list.each do |result|
+            if result.hasException()
+               labelsWithException += Bytes.toString(result.getException().getValue().toByteArray())
+            end
+        end    
+        if labelsWithException.length > 0
+          raise(ArgumentError, labelsWithException)
+        end
+      end
+    end
+
+    def get_auths(user)
+      lables_table_available?
+      begin
+        response = VisibilityClient.getAuths(@config, user)
+        if response.nil?
+          raise(ArgumentError, "DISABLED: Visibility labels feature is not available")
+        end
+        if response.getAuthList.empty?
+          raise(ArgumentError, "No authentication set for the given user " + user)
+        end
+        return response.getAuthList
+      end
+    end
+
+    def clear_auths(user, *args)
+      lables_table_available?
+      # Normalize args
+      if args.kind_of?(Array)
+        auths = [ args ].flatten.compact
+      end
+
+      begin
+        response = VisibilityClient.clearAuths(@config, auths.to_java(:string), user)
+        if response.nil?
+          raise(ArgumentError, "DISABLED: Visibility labels feature is not available")
+        end
+        labelsWithException = ""
+        list = response.getResultList()
+        list.each do |result|
+            if result.hasException()
+               labelsWithException += Bytes.toString(result.getException().getValue().toByteArray())
+            end
+        end    
+        if labelsWithException.length > 0
+          raise(ArgumentError, labelsWithException)
+        end
+      end
+    end
+
+    # Make sure that lables table is available
+    def lables_table_available?()
+      raise(ArgumentError, "DISABLED: Visibility labels feature is not available") \
+        unless exists?(VisibilityConstants::LABELS_TABLE_NAME)
+    end
+
+    # Does table exist?
+    def exists?(table_name)
+      @admin.tableExists(table_name)
+    end
+  end
+end
\ No newline at end of file

Modified: hbase/trunk/hbase-shell/src/main/ruby/shell.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/shell.rb?rev=1543314&r1=1543313&r2=1543314&view=diff
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/shell.rb (original)
+++ hbase/trunk/hbase-shell/src/main/ruby/shell.rb Tue Nov 19 05:39:47 2013
@@ -90,6 +90,10 @@ module Shell
       @hbase_security_admin ||= hbase.security_admin(formatter)
     end
 
+    def hbase_visibility_labels_admin
+      @hbase_visibility_labels_admin ||= hbase.visibility_labels_admin(formatter)
+    end
+
     def export_commands(where)
       ::Shell.commands.keys.each do |cmd|
         # here where is the IRB namespace
@@ -346,3 +350,14 @@ Shell.load_command_group(
   ]
 )
 
+Shell.load_command_group(
+  'visibility labels',
+  :full_name => 'VISIBILITY LABEL TOOLS',
+  :comment => "NOTE: Above commands are only applicable if running with the VisibilityController coprocessor",
+  :commands => %w[
+    add_labels
+    set_auths
+    get_auths
+    clear_auths
+  ]
+)
\ No newline at end of file

Modified: hbase/trunk/hbase-shell/src/main/ruby/shell/commands.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/shell/commands.rb?rev=1543314&r1=1543313&r2=1543314&view=diff
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/shell/commands.rb (original)
+++ hbase/trunk/hbase-shell/src/main/ruby/shell/commands.rb Tue Nov 19 05:39:47 2013
@@ -62,6 +62,10 @@ module Shell
         @shell.hbase_security_admin
       end
 
+      def visibility_labels_admin
+        @shell.hbase_visibility_labels_admin
+      end
+
       #----------------------------------------------------------------------
 
       def formatter

Added: hbase/trunk/hbase-shell/src/main/ruby/shell/commands/add_labels.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/shell/commands/add_labels.rb?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/shell/commands/add_labels.rb (added)
+++ hbase/trunk/hbase-shell/src/main/ruby/shell/commands/add_labels.rb Tue Nov 19 05:39:47 2013
@@ -0,0 +1,40 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Shell
+  module Commands
+    class AddLabels < Command
+      def help
+        return <<-EOF
+Add a set of visibility labels.
+Syntax : add_labels [label1, label2]
+
+For example:
+
+    hbase> add_labels ['SECRET','PRIVATE']
+EOF
+      end
+
+      def command(*args)
+        format_simple_command do
+          visibility_labels_admin.add_labels(args)
+        end
+      end
+    end
+  end
+end

Added: hbase/trunk/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb (added)
+++ hbase/trunk/hbase-shell/src/main/ruby/shell/commands/clear_auths.rb Tue Nov 19 05:39:47 2013
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Shell
+  module Commands
+    class ClearAuths < Command
+      def help
+        return <<-EOF
+Add a set of visibility labels for an user that has to removed
+Syntax : clear_auths 'user1',[label1, label2]
+
+For example:
+
+    hbase> clear_auths 'user1', ['SECRET','PRIVATE']
+EOF
+      end
+
+      def command(user, *args)
+        format_simple_command do
+          visibility_labels_admin.clear_auths(user, args)
+        end
+      end
+    end
+  end
+end

Added: hbase/trunk/hbase-shell/src/main/ruby/shell/commands/get_auths.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/shell/commands/get_auths.rb?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/shell/commands/get_auths.rb (added)
+++ hbase/trunk/hbase-shell/src/main/ruby/shell/commands/get_auths.rb Tue Nov 19 05:39:47 2013
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Shell
+  module Commands
+    class GetAuths < Command
+      def help
+        return <<-EOF
+Get the visibility labels set for a particular user
+Syntax : get_auths 'user1'
+
+For example:
+
+    hbase> get_auths 'user1'
+EOF
+      end
+
+      def command(user)
+        format_simple_command do
+          list = visibility_labels_admin.get_auths(user)
+          list.each do |auths|
+            formatter.row([org.apache.hadoop.hbase.util.Bytes::toStringBinary(auths.toByteArray)])
+          end  
+        end
+      end
+    end
+  end
+end

Added: hbase/trunk/hbase-shell/src/main/ruby/shell/commands/set_auths.rb
URL: http://svn.apache.org/viewvc/hbase/trunk/hbase-shell/src/main/ruby/shell/commands/set_auths.rb?rev=1543314&view=auto
==============================================================================
--- hbase/trunk/hbase-shell/src/main/ruby/shell/commands/set_auths.rb (added)
+++ hbase/trunk/hbase-shell/src/main/ruby/shell/commands/set_auths.rb Tue Nov 19 05:39:47 2013
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Shell
+  module Commands
+    class SetAuths < Command
+      def help
+        return <<-EOF
+Add a set of visibility labels for an user
+Syntax : set_auths 'user1',[label1, label2]
+
+For example:
+
+    hbase> set_auths 'user1', ['SECRET','PRIVATE']
+EOF
+      end
+
+      def command(user, *args)
+        format_simple_command do
+          visibility_labels_admin.set_auths(user, args)
+        end
+      end
+    end
+  end
+end



Mime
View raw message