hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject [2/5] hbase git commit: HBASE-13294 Fix the critical ancient loopholes in security testing infrastructure (Srikanth Srungarapu)
Date Wed, 25 Mar 2015 18:21:46 GMT
HBASE-13294 Fix the critical ancient loopholes in security testing infrastructure (Srikanth Srungarapu)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/050028c3
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/050028c3
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/050028c3

Branch: refs/heads/branch-1
Commit: 050028c32ea26e20ad2c7931036c1d7ebd4d4638
Parents: 01fdafb
Author: Andrew Purtell <apurtell@apache.org>
Authored: Wed Mar 25 09:28:12 2015 -0700
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Wed Mar 25 09:28:12 2015 -0700

----------------------------------------------------------------------
 .../hbase/security/access/SecureTestUtil.java   |  63 ++--
 .../security/access/TestAccessController.java   | 352 +++++++------------
 .../security/access/TestAccessController2.java  |  19 +-
 .../access/TestCellACLWithMultipleVersions.java |  27 +-
 .../hbase/security/access/TestCellACLs.java     |   4 +-
 .../security/access/TestNamespaceCommands.java  | 185 +++++-----
 .../access/TestScanEarlyTermination.java        |   2 +-
 7 files changed, 269 insertions(+), 383 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index f77bb85..6487ebe 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -154,6 +154,7 @@ public class SecureTestUtil {
    */
   static interface AccessTestAction extends PrivilegedExceptionAction<Object> { }
 
+  /** This fails only in case of ADE or empty list for any of the actions. */
   public static void verifyAllowed(User user, AccessTestAction... actions) throws Exception {
     for (AccessTestAction action : actions) {
       try {
@@ -170,6 +171,7 @@ public class SecureTestUtil {
     }
   }
 
+  /** This fails only in case of ADE or empty list for any of the users. */
   public static void verifyAllowed(AccessTestAction action, User... users) throws Exception {
     for (User user : users) {
       verifyAllowed(user, action);
@@ -191,36 +193,53 @@ public class SecureTestUtil {
     }
   }
 
-  public static void verifyDeniedWithException(User user, AccessTestAction... actions)
-      throws Exception {
-    verifyDenied(user, true, actions);
-  }
-
-  public static void verifyDeniedWithException(AccessTestAction action, User... users)
-      throws Exception {
+  /** This passes only in case of ADE for all users. */
+  public static void verifyDenied(AccessTestAction action, User... users) throws Exception {
     for (User user : users) {
-      verifyDenied(user, true, action);
+      verifyDenied(user, action);
     }
   }
 
-  public static void verifyDenied(User user, AccessTestAction... actions) throws Exception {
-    verifyDenied(user, false, actions);
-  }
-
-  public static void verifyDenied(User user, boolean requireException,
-      AccessTestAction... actions) throws Exception {
-    for (AccessTestAction action : actions) {
+  /** This passes only in case of empty list for all users. */
+  public static void verifyIfEmptyList(AccessTestAction action, User... users) throws Exception {
+    for (User user : users) {
       try {
         Object obj = user.runAs(action);
-        if (requireException) {
-          fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
-        }
         if (obj != null && obj instanceof List<?>) {
           List<?> results = (List<?>) obj;
           if (results != null && !results.isEmpty()) {
-            fail("Unexpected results for user '" + user.getShortName() + "'");
+            fail("Unexpected action results: " +  results + " for user '"
+                + user.getShortName() + "'");
           }
+        } else {
+          fail("Unexpected results for user '" + user.getShortName() + "'");
         }
+      } catch (AccessDeniedException ade) {
+        fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
+      }
+    }
+  }
+
+  /** This passes only in case of null for all users. */
+  public static void verifyIfNull(AccessTestAction  action, User... users) throws Exception {
+    for (User user : users) {
+      try {
+        Object obj = user.runAs(action);
+        if (obj != null) {
+          fail("Non null results from action for user '" + user.getShortName() + "'");
+        }
+      } catch (AccessDeniedException ade) {
+        fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
+      }
+    }
+  }
+
+  /** This passes only in case of ADE for all actions. */
+  public static void verifyDenied(User user, AccessTestAction... actions) throws Exception {
+    for (AccessTestAction action : actions) {
+      try {
+        user.runAs(action);
+        fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
       } catch (IOException e) {
         boolean isAccessDeniedException = false;
         if(e instanceof RetriesExhaustedWithDetailsException) {
@@ -266,12 +285,6 @@ public class SecureTestUtil {
     }
   }
 
-  public static void verifyDenied(AccessTestAction action, User... users) throws Exception {
-    for (User user : users) {
-      verifyDenied(user, action);
-    }
-  }
-
   private static List<AccessController> getAccessControllers(MiniHBaseCluster cluster) {
     List<AccessController> result = Lists.newArrayList();
     for (RegionServerThread t: cluster.getLiveRegionServerThreads()) {

http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index e148558..d8f4d2d 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -137,7 +137,11 @@ public class TestAccessController extends SecureTestUtil {
   @Rule public TestTableName TEST_TABLE = new TestTableName();
   private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
   private static Configuration conf;
-  private static Connection connection;
+
+  /** The systemUserConnection created here is tied to the system user. In case, you are planning
+   * to create AccessTestAction, DON'T use this systemUserConnection as the 'doAs' user
+   * gets  eclipsed by the system user. */
+  private static Connection systemUserConnection;
 
 
   // user with all permissions
@@ -211,12 +215,11 @@ public class TestAccessController extends SecureTestUtil {
     USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
     USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
 
-    connection = ConnectionFactory.createConnection(conf);
+    systemUserConnection = TEST_UTIL.getConnection();
   }
 
   @AfterClass
   public static void tearDownAfterClass() throws Exception {
-    connection.close();
     TEST_UTIL.shutdownMiniCluster();
   }
 
@@ -267,7 +270,7 @@ public class TestAccessController extends SecureTestUtil {
 
     assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
     try {
-      assertEquals(5, AccessControlClient.getUserPermissions(connection,
+      assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
           TEST_TABLE.toString()).size());
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
@@ -355,8 +358,8 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE);
-    verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
+    verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
   }
 
   @Test
@@ -452,8 +455,7 @@ public class TestAccessController extends SecureTestUtil {
   @Test
   public void testMove() throws Exception {
     List<HRegionLocation> regions;
-    try (RegionLocator locator =
-      TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
+    try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
       regions = locator.getAllRegionLocations();
     }
     HRegionLocation location = regions.get(0);
@@ -475,8 +477,7 @@ public class TestAccessController extends SecureTestUtil {
   @Test
   public void testAssign() throws Exception {
     List<HRegionLocation> regions;
-    try (RegionLocator locator =
-      TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
+    try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
       regions = locator.getAllRegionLocations();
     }
     HRegionLocation location = regions.get(0);
@@ -496,8 +497,7 @@ public class TestAccessController extends SecureTestUtil {
   @Test
   public void testUnassign() throws Exception {
     List<HRegionLocation> regions;
-    try (RegionLocator locator =
-      TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
+    try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
       regions = locator.getAllRegionLocations();
     }
     HRegionLocation location = regions.get(0);
@@ -517,8 +517,7 @@ public class TestAccessController extends SecureTestUtil {
   @Test
   public void testRegionOffline() throws Exception {
     List<HRegionLocation> regions;
-    try (RegionLocator locator =
-      TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE.getTableName())) {
+    try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
       regions = locator.getAllRegionLocations();
     }
     HRegionLocation location = regions.get(0);
@@ -674,20 +673,6 @@ public class TestAccessController extends SecureTestUtil {
     verifyDenied(action, USER_RW, USER_RO, USER_NONE);
   }
 
-  @Test
-  public void testPreCompactSelection() throws Exception {
-    AccessTestAction action = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        ACCESS_CONTROLLER.preCompactSelection(ObserverContext.createAndPrepare(RCP_ENV, null), null, null);
-        return null;
-      }
-    };
-
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
-  }
-
   private void verifyRead(AccessTestAction action) throws Exception {
     verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
     verifyDenied(action, USER_NONE);
@@ -706,11 +691,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Get g = new Get(TEST_ROW);
         g.addFamily(TEST_FAMILY);
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.get(g);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -724,9 +707,9 @@ public class TestAccessController extends SecureTestUtil {
         Scan s = new Scan();
         s.addFamily(TEST_FAMILY);
 
-        Table table = new HTable(conf, TEST_TABLE.getTableName());
-        try {
-          ResultScanner scanner = table.getScanner(s);
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
+          ResultScanner scanner = t.getScanner(s);
           try {
             for (Result r = scanner.next(); r != null; r = scanner.next()) {
               // do nothing
@@ -735,8 +718,6 @@ public class TestAccessController extends SecureTestUtil {
           } finally {
             scanner.close();
           }
-        } finally {
-          table.close();
         }
         return null;
       }
@@ -753,11 +734,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Put p = new Put(TEST_ROW);
         p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -770,11 +749,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Delete d = new Delete(TEST_ROW);
         d.deleteFamily(TEST_FAMILY);
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.delete(d);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -787,11 +764,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Increment inc = new Increment(TEST_ROW);
         inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1);
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.increment(inc);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -807,12 +782,10 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Delete d = new Delete(TEST_ROW);
         d.deleteFamily(TEST_FAMILY);
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
-            Bytes.toBytes("test_value"), d);
-        } finally {
-          t.close();
+              Bytes.toBytes("test_value"), d);
         }
         return null;
       }
@@ -825,12 +798,10 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Put p = new Put(TEST_ROW);
         p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
-           Bytes.toBytes("test_value"), p);
-        } finally {
-          t.close();
+              Bytes.toBytes("test_value"), p);
         }
         return null;
       }
@@ -927,7 +898,8 @@ public class TestAccessController extends SecureTestUtil {
       //set global read so RegionServer can move it
       setPermission(loadPath, FsPermission.valueOf("-rwxrwxrwx"));
 
-      try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(tableName)) {
+      try (Connection conn = ConnectionFactory.createConnection(conf);
+           HTable table = (HTable)conn.getTable(tableName)) {
         TEST_UTIL.waitUntilAllRegionsAssigned(tableName);
         LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf);
         loader.doBulkLoad(loadPath, table);
@@ -959,12 +931,10 @@ public class TestAccessController extends SecureTestUtil {
         put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1));
         Append append = new Append(row);
         append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2));
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           t.put(put);
           t.append(append);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -979,15 +949,13 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction grantAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
             TEST_FAMILY, null, Action.READ);
-        } finally {
-          acl.close();
         }
         return null;
       }
@@ -996,15 +964,13 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction revokeAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
-            TEST_FAMILY, null, Action.READ);
-        } finally {
-          acl.close();
+              TEST_FAMILY, null, Action.READ);
         }
         return null;
       }
@@ -1013,14 +979,12 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction getTablePermissionsAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName());
-        } finally {
-          acl.close();
         }
         return null;
       }
@@ -1029,14 +993,12 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.getUserPermissions(protocol);
-        } finally {
-          acl.close();
         }
         return null;
       }
@@ -1052,7 +1014,7 @@ public class TestAccessController extends SecureTestUtil {
     verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
 
     verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
-    verifyDeniedWithException(getGlobalPermissionsAction, USER_CREATE,
+    verifyDenied(getGlobalPermissionsAction, USER_CREATE,
         USER_OWNER, USER_RW, USER_RO, USER_NONE);
   }
 
@@ -1087,11 +1049,9 @@ public class TestAccessController extends SecureTestUtil {
         Put p = new Put(Bytes.toBytes("a"));
         p.add(family1, qualifier, Bytes.toBytes("v1"));
         p.add(family2, qualifier, Bytes.toBytes("v2"));
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1102,11 +1062,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Put p = new Put(Bytes.toBytes("a"));
         p.add(family1, qualifier, Bytes.toBytes("v1"));
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1117,11 +1075,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Put p = new Put(Bytes.toBytes("a"));
         p.add(family2, qualifier, Bytes.toBytes("v2"));
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1133,11 +1089,9 @@ public class TestAccessController extends SecureTestUtil {
         Get g = new Get(TEST_ROW);
         g.addFamily(family1);
         g.addFamily(family2);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.get(g);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1148,11 +1102,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Get g = new Get(TEST_ROW);
         g.addFamily(family1);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.get(g);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1163,11 +1115,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Get g = new Get(TEST_ROW);
         g.addFamily(family2);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.get(g);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1179,11 +1129,9 @@ public class TestAccessController extends SecureTestUtil {
         Delete d = new Delete(TEST_ROW);
         d.deleteFamily(family1);
         d.deleteFamily(family2);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.delete(d);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1194,11 +1142,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Delete d = new Delete(TEST_ROW);
         d.deleteFamily(family1);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.delete(d);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1209,11 +1155,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Delete d = new Delete(TEST_ROW);
         d.deleteFamily(family2);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.delete(d);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1354,11 +1298,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Get g = new Get(TEST_ROW);
         g.addColumn(family1, qualifier);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.get(g);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1369,11 +1311,9 @@ public class TestAccessController extends SecureTestUtil {
       public Object run() throws Exception {
         Put p = new Put(TEST_ROW);
         p.add(family1, qualifier, Bytes.toBytes("v1"));
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1385,11 +1325,9 @@ public class TestAccessController extends SecureTestUtil {
         Delete d = new Delete(TEST_ROW);
         d.deleteColumn(family1, qualifier);
         // d.deleteFamily(family1);
-        Table t = new HTable(conf, tableName);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(tableName)) {
           t.delete(d);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -1461,7 +1399,7 @@ public class TestAccessController extends SecureTestUtil {
 
     List<UserPermission> perms;
 
-    Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
       AccessControlService.BlockingInterface protocol =
@@ -1474,7 +1412,7 @@ public class TestAccessController extends SecureTestUtil {
     UserPermission ownerperm = new UserPermission(
       Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values());
     assertTrue("Owner should have all permissions on table",
-      hasFoundUserPermission(ownerperm, perms));
+        hasFoundUserPermission(ownerperm, perms));
 
     User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
     byte[] userName = Bytes.toBytes(user.getShortName());
@@ -1488,7 +1426,7 @@ public class TestAccessController extends SecureTestUtil {
     grantOnTable(TEST_UTIL, user.getShortName(),
       tableName, family1, qualifier, Permission.Action.READ);
 
-    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
       AccessControlService.BlockingInterface protocol =
@@ -1513,7 +1451,7 @@ public class TestAccessController extends SecureTestUtil {
       tableName, family1, qualifier,
       Permission.Action.WRITE, Permission.Action.READ);
 
-    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
       AccessControlService.BlockingInterface protocol =
@@ -1532,7 +1470,7 @@ public class TestAccessController extends SecureTestUtil {
     revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
       Permission.Action.WRITE, Permission.Action.READ);
 
-    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
       AccessControlService.BlockingInterface protocol =
@@ -1543,7 +1481,7 @@ public class TestAccessController extends SecureTestUtil {
     }
 
     assertFalse("User should not be granted permission: " + upToVerify.toString(),
-      hasFoundUserPermission(upToVerify, perms));
+        hasFoundUserPermission(upToVerify, perms));
 
     // disable table before modification
     admin.disableTable(tableName);
@@ -1552,7 +1490,7 @@ public class TestAccessController extends SecureTestUtil {
     htd.setOwner(newOwner);
     admin.modifyTable(tableName, htd);
 
-    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
       AccessControlService.BlockingInterface protocol =
@@ -1565,7 +1503,7 @@ public class TestAccessController extends SecureTestUtil {
     UserPermission newOwnerperm = new UserPermission(
       Bytes.toBytes(newOwner.getName()), tableName, null, Action.values());
     assertTrue("New owner should have all permissions on table",
-      hasFoundUserPermission(newOwnerperm, perms));
+        hasFoundUserPermission(newOwnerperm, perms));
 
     // delete table
     deleteTable(TEST_UTIL, tableName);
@@ -1574,7 +1512,7 @@ public class TestAccessController extends SecureTestUtil {
   @Test
   public void testGlobalPermissionList() throws Exception {
     List<UserPermission> perms;
-    Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
       AccessControlService.BlockingInterface protocol =
@@ -1609,8 +1547,8 @@ public class TestAccessController extends SecureTestUtil {
               AccessControlProtos.GlobalPermission.newBuilder()
                   .addAction(ProtobufUtil.toPermissionAction(a)).build()));
     }
-    Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-    try {
+    try(Connection conn = ConnectionFactory.createConnection(conf);
+        Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
       BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
       AccessControlService.BlockingInterface protocol =
         AccessControlService.newBlockingStub(channel);
@@ -1619,8 +1557,6 @@ public class TestAccessController extends SecureTestUtil {
       } catch (ServiceException se) {
         ProtobufUtil.toIOException(se);
       }
-    } finally {
-      acl.close();
     }
   }
 
@@ -1639,8 +1575,8 @@ public class TestAccessController extends SecureTestUtil {
     for (Permission p : perms) {
       request.addPermission(ProtobufUtil.toPermission(p));
     }
-    Table acl = new HTable(conf, table);
-    try {
+    try(Connection conn = ConnectionFactory.createConnection(conf);
+        Table acl = conn.getTable(table)) {
       AccessControlService.BlockingInterface protocol =
         AccessControlService.newBlockingStub(acl.coprocessorService(new byte[0]));
       try {
@@ -1648,8 +1584,6 @@ public class TestAccessController extends SecureTestUtil {
       } catch (ServiceException se) {
         ProtobufUtil.toIOException(se);
       }
-    } finally {
-      acl.close();
     }
   }
 
@@ -1789,7 +1723,7 @@ public class TestAccessController extends SecureTestUtil {
                   .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName()))
                   .addAction(AccessControlProtos.Permission.Action.CREATE))
       ).build();
-    Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+    Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
     try {
       BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
       AccessControlService.BlockingInterface protocol =
@@ -1939,13 +1873,13 @@ public class TestAccessController extends SecureTestUtil {
 
     // Move region to the new RegionServer.
     List<HRegionLocation> regions;
-    try (RegionLocator locator = TEST_UTIL.getConnection().getRegionLocator(TEST_TABLE2)) {
+    try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE2)) {
       regions = locator.getAllRegionLocations();
     }
     HRegionLocation location = regions.get(0);
     final HRegionInfo hri = location.getRegionInfo();
     final ServerName server = location.getServerName();
-    try (HTable table = (HTable)TEST_UTIL.getConnection().getTable(TEST_TABLE2)) {
+    try (HTable table = (HTable) systemUserConnection.getTable(TEST_TABLE2)) {
       AccessTestAction moveAction = new AccessTestAction() {
         @Override
         public Object run() throws Exception {
@@ -1997,37 +1931,25 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction listTablesAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Connection unmanagedConnection =
-          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
-        Admin admin = unmanagedConnection.getAdmin();
-        try {
-          admin.listTables();
-        } finally {
-          admin.close();
-          unmanagedConnection.close();
+        try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+             Admin admin = conn.getAdmin()) {
+          return Arrays.asList(admin.listTables());
         }
-        return null;
       }
     };
 
     AccessTestAction getTableDescAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Connection unmanagedConnection =
-          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
-        Admin admin = unmanagedConnection.getAdmin();
-        try {
-          admin.getTableDescriptor(TEST_TABLE.getTableName());
-        } finally {
-          admin.close();
-          unmanagedConnection.close();
+        try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+            Admin admin = conn.getAdmin();) {
+          return admin.getTableDescriptor(TEST_TABLE.getTableName());
         }
-        return null;
       }
     };
 
     verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
-    verifyDenied(listTablesAction, USER_RW, USER_RO, USER_NONE);
+    verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
 
     verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
     verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
@@ -2051,7 +1973,7 @@ public class TestAccessController extends SecureTestUtil {
     };
 
     verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO);
-    verifyDenied(listTablesAction, USER_NONE);
+    verifyIfEmptyList(listTablesAction, USER_NONE);
   }
 
   @Test
@@ -2087,28 +2009,23 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction getAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName());) {
           return t.get(new Get(TEST_ROW));
-        } finally {
-          t.close();
         }
       }
     };
 
-    verifyDenied(getAction, USER_NONE);
-
-    String namespace = "testNamespaceUserGrant";
-    NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
-    TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
+    String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
 
     // Grant namespace READ to USER_NONE, this should supersede any table permissions
     grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
-
-    // Now USER_NONE should be able to read also
+    // Now USER_NONE should be able to read
     verifyAllowed(getAction, USER_NONE);
 
-    TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace);
+    // Revoke namespace READ to USER_NONE
+    revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
+    verifyDenied(getAction, USER_NONE);
   }
 
   @Test
@@ -2118,11 +2035,9 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction getAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        HTable t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           return t.get(new Get(TEST_ROW));
-        } finally {
-          t.close();
         }
       }
     };
@@ -2131,7 +2046,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Grant table READ permissions to testGrantRevoke.
     try {
-      grantOnTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(),
+      grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
           TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.grant. ", e);
@@ -2142,7 +2057,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Revoke table READ permission to testGrantRevoke.
     try {
-      revokeFromTableUsingAccessControlClient(TEST_UTIL, connection, testGrantRevoke.getShortName(),
+      revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
           TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.revoke ", e);
@@ -2160,11 +2075,9 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction getAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        HTable t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           return t.get(new Get(TEST_ROW));
-        } finally {
-          t.close();
         }
       }
     };
@@ -2173,7 +2086,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Grant table READ permissions to testGlobalGrantRevoke.
     try {
-      grantGlobalUsingAccessControlClient(TEST_UTIL, connection,
+      grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
           testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.grant. ", e);
@@ -2184,7 +2097,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Revoke table READ permission to testGlobalGrantRevoke.
     try {
-      revokeGlobalUsingAccessControlClient(TEST_UTIL, connection,
+      revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
           testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.revoke ", e);
@@ -2201,11 +2114,9 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction getAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        HTable t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           return t.get(new Get(TEST_ROW));
-        } finally {
-          t.close();
         }
       }
     };
@@ -2214,7 +2125,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Grant namespace READ to testNS, this should supersede any table permissions
     try {
-      grantOnNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(),
+      grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
           TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.grant. ", e);
@@ -2225,7 +2136,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Revoke namespace READ to testNS, this should supersede any table permissions
     try {
-      revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, connection, testNS.getShortName(),
+      revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
           TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
     } catch (Throwable e) {
       LOG.error("error during call of AccessControlClient.revoke ", e);
@@ -2306,32 +2217,25 @@ public class TestAccessController extends SecureTestUtil {
     AccessTestAction execEndpointAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table t = TEST_UTIL.getConnection().getTable(TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName());) {
           BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
           PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
-        } finally {
-          t.close();
         }
         return null;
       }
     };
 
-    // Verify that EXEC permission is checked correctly
-    verifyDenied(execEndpointAction, userB);
-    verifyAllowed(execEndpointAction, userA);
-
-    String namespace = "testCoprocessorExec";
-    NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
-    TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
-
+    String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
     // Now grant EXEC to the entire namespace to user B
     grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
-
     // User B should now be allowed also
     verifyAllowed(execEndpointAction, userA, userB);
 
-    TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace);
+    revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
+    // Verify that EXEC permission is checked correctly
+    verifyDenied(execEndpointAction, userB);
+    verifyAllowed(execEndpointAction, userA);
   }
 
   @Test
@@ -2368,7 +2272,7 @@ public class TestAccessController extends SecureTestUtil {
      grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
      try {
        List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
-           connection, AccessControlLists.toNamespaceEntry(namespace));
+           systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
        assertTrue(namespacePermissions != null);
        assertTrue(namespacePermissions.size() == 1);
      } catch (Throwable thw) {
@@ -2380,15 +2284,15 @@ public class TestAccessController extends SecureTestUtil {
   @Test
   public void testTruncatePerms() throws Throwable {
     List<UserPermission> existingPerms =
-        AccessControlClient.getUserPermissions(connection,
+        AccessControlClient.getUserPermissions(systemUserConnection,
             TEST_TABLE.getTableName().getNameAsString());
     assertTrue(existingPerms != null);
     assertTrue(existingPerms.size() > 1);
-    try (Admin admin = connection.getAdmin()) {
+    try (Admin admin = systemUserConnection.getAdmin()) {
       admin.disableTable(TEST_TABLE.getTableName());
       admin.truncateTable(TEST_TABLE.getTableName(), true);
     }
-    List<UserPermission> perms = AccessControlClient.getUserPermissions(connection,
+    List<UserPermission> perms = AccessControlClient.getUserPermissions(systemUserConnection,
         TEST_TABLE.getTableName().getNameAsString());
     assertTrue(perms != null);
     assertEquals(existingPerms.size(), perms.size());
@@ -2398,19 +2302,11 @@ public class TestAccessController extends SecureTestUtil {
     return new PrivilegedAction<List<UserPermission>>() {
       @Override
       public List<UserPermission> run() {
-        Connection connection = null;
-        try {
-          connection = ConnectionFactory.createConnection(conf);
-          return AccessControlClient.getUserPermissions(connection, regex);
+        try(Connection conn = ConnectionFactory.createConnection(conf);) {
+          return AccessControlClient.getUserPermissions(conn, regex);
         } catch (Throwable e) {
           LOG.error("error during call of AccessControlClient.getUserPermissions.", e);
           return null;
-        } finally {
-          try {
-            connection.close();
-          } catch (IOException e) {
-            LOG.error("Error during close of connection.", e);
-          }
         }
       }
     };

http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index 54f1b1e..e828429 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -68,7 +68,7 @@ public class TestAccessController2 extends SecureTestUtil {
   private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
   private static Configuration conf;
 
-  private static Connection connection;
+  private static Connection systemUserConnection;
 
   private final static byte[] Q1 = Bytes.toBytes("q1");
   private final static byte[] value1 = Bytes.toBytes("value1");
@@ -108,7 +108,7 @@ public class TestAccessController2 extends SecureTestUtil {
     TESTGROUP2_USER1 =
         User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 });
 
-    connection = ConnectionFactory.createConnection(conf);
+    systemUserConnection = ConnectionFactory.createConnection(conf);
   }
 
   @Before
@@ -138,7 +138,7 @@ public class TestAccessController2 extends SecureTestUtil {
 
     assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size());
     try {
-      assertEquals(1, AccessControlClient.getUserPermissions(connection, tableName.toString())
+      assertEquals(1, AccessControlClient.getUserPermissions(systemUserConnection, tableName.toString())
           .size());
     } catch (Throwable e) {
       LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e);
@@ -148,7 +148,6 @@ public class TestAccessController2 extends SecureTestUtil {
 
   @AfterClass
   public static void tearDownAfterClass() throws Exception {
-    connection.close();
     TEST_UTIL.shutdownMiniCluster();
   }
 
@@ -254,13 +253,11 @@ public class TestAccessController2 extends SecureTestUtil {
     AccessTestAction writeAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
             TEST_VALUE));
           return null;
-        } finally {
-          t.close();
         }
       }
     };
@@ -277,8 +274,8 @@ public class TestAccessController2 extends SecureTestUtil {
     AccessTestAction scanAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           ResultScanner s = t.getScanner(new Scan());
           try {
             for (Result r = s.next(); r != null; r = s.next()) {
@@ -288,8 +285,6 @@ public class TestAccessController2 extends SecureTestUtil {
             s.close();
           }
           return null;
-        } finally {
-          t.close();
         }
       }
     };

http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
index 0edc1e9..289b0e5 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
@@ -38,7 +38,6 @@ import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
 import org.apache.hadoop.hbase.client.Delete;
 import org.apache.hadoop.hbase.client.Get;
-import org.apache.hadoop.hbase.client.HTable;
 import org.apache.hadoop.hbase.client.Increment;
 import org.apache.hadoop.hbase.client.Put;
 import org.apache.hadoop.hbase.client.Table;
@@ -153,8 +152,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
     verifyAllowed(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           Put p;
           // with ro ACL
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
@@ -173,8 +172,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
           p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -187,11 +184,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
       public Object run() throws Exception {
         Get get = new Get(TEST_ROW);
         get.setMaxVersions(10);
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           return t.get(get).listCells();
-        } finally {
-          t.close();
         }
       }
     };
@@ -201,11 +196,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
       public Object run() throws Exception {
         Get get = new Get(TEST_ROW);
         get.setMaxVersions(10);
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           return t.get(get).listCells();
-        } finally {
-          t.close();
         }
       }
     };
@@ -218,8 +211,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
     verifyAllowed(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table t = new HTable(conf, TEST_TABLE.getTableName());
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table t = conn.getTable(TEST_TABLE.getTableName())) {
           Put p;
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
           p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
@@ -230,8 +223,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
           p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
           t.put(p);
-        } finally {
-          t.close();
         }
         return null;
       }
@@ -439,7 +430,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
     
     // The other put should be covered by the tombstone
 
-    verifyDenied(getQ2, USER_OTHER);
+    verifyIfNull(getQ2, USER_OTHER);
   }
 
   @Test

http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
index ae08a15..bccf17c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
@@ -228,8 +228,8 @@ public class TestCellACLs extends SecureTestUtil {
 
     // Confirm this access does not extend to other cells
 
-    verifyDenied(getQ3, USER_OTHER);
-    verifyDenied(getQ4, USER_OTHER);
+    verifyIfNull(getQ3, USER_OTHER);
+    verifyIfNull(getQ4, USER_OTHER);
 
     /* ---- Scans ---- */
 

http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 91b38ea..4576260 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -35,7 +35,6 @@ import org.apache.hadoop.hbase.client.Admin;
 import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
 import org.apache.hadoop.hbase.client.Get;
-import org.apache.hadoop.hbase.client.HTable;
 import org.apache.hadoop.hbase.client.Result;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
@@ -156,8 +155,8 @@ public class TestNamespaceCommands extends SecureTestUtil {
   @Test
   public void testAclTableEntries() throws Exception {
     String userTestNamespace = "userTestNsp";
-    Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-    try {
+    try(Connection conn = ConnectionFactory.createConnection(conf);
+        Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
       ListMultimap<String, TablePermission> perms =
           AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
 
@@ -188,8 +187,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
 
       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
       assertEquals(5, perms.size());
-    } finally {
-      acl.close();
     }
   }
 
@@ -208,16 +205,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
       SUPERUSER,
       USER_GLOBAL_ADMIN);
 
-    verifyDeniedWithException(modifyNamespace,
-      USER_GLOBAL_CREATE,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_ADMIN,
-      USER_NS_CREATE,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC);
+    verifyDenied(modifyNamespace,
+        USER_GLOBAL_CREATE,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_ADMIN,
+        USER_NS_CREATE,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC);
   }
 
   @Test
@@ -246,7 +243,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
       USER_GLOBAL_ADMIN);
 
     // all others should be denied
-    verifyDeniedWithException(createNamespace,
+    verifyDenied(createNamespace,
         USER_GLOBAL_CREATE,
         USER_GLOBAL_WRITE,
         USER_GLOBAL_READ,
@@ -264,18 +261,18 @@ public class TestNamespaceCommands extends SecureTestUtil {
       SUPERUSER,
       USER_GLOBAL_ADMIN);
 
-    verifyDeniedWithException(deleteNamespace,
-      USER_GLOBAL_CREATE,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_ADMIN,
-      USER_NS_CREATE,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC,
-      USER_TABLE_CREATE,
-      USER_TABLE_WRITE);
+    verifyDenied(deleteNamespace,
+        USER_GLOBAL_CREATE,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_ADMIN,
+        USER_NS_CREATE,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC,
+        USER_TABLE_CREATE,
+        USER_TABLE_WRITE);
   }
 
   @Test
@@ -294,17 +291,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
       USER_GLOBAL_ADMIN,
       USER_NS_ADMIN);
 
-    verifyDeniedWithException(getNamespaceAction,
-      USER_GLOBAL_CREATE,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_CREATE,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC,
-      USER_TABLE_CREATE,
-      USER_TABLE_WRITE);
+    verifyDenied(getNamespaceAction,
+        USER_GLOBAL_CREATE,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_CREATE,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC,
+        USER_TABLE_CREATE,
+        USER_TABLE_WRITE);
   }
 
   @Test
@@ -359,15 +356,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
     AccessTestAction grantAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service =
               acl.coprocessorService(HConstants.EMPTY_START_ROW);
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.grant(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
-        } finally {
-          acl.close();
         }
         return null;
       }
@@ -375,15 +370,13 @@ public class TestNamespaceCommands extends SecureTestUtil {
 
     AccessTestAction revokeAction = new AccessTestAction() {
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service =
               acl.coprocessorService(HConstants.EMPTY_START_ROW);
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.revoke(protocol, testUser, TEST_NAMESPACE, Action.WRITE);
-        } finally {
-          acl.close();
         }
         return null;
       }
@@ -392,14 +385,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
     AccessTestAction getPermissionsAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Table acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
-        try {
+        try(Connection conn = ConnectionFactory.createConnection(conf);
+            Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
           BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
           AccessControlService.BlockingInterface protocol =
             AccessControlService.newBlockingStub(service);
           ProtobufUtil.getUserPermissions(protocol, Bytes.toBytes(TEST_NAMESPACE));
-        } finally {
-          acl.close();
         }
         return null;
       }
@@ -409,52 +400,52 @@ public class TestNamespaceCommands extends SecureTestUtil {
       SUPERUSER,
       USER_GLOBAL_ADMIN);
 
-    verifyDeniedWithException(grantAction,
-      USER_GLOBAL_CREATE,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_ADMIN,
-      USER_NS_CREATE,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC,
-      USER_TABLE_CREATE,
-      USER_TABLE_WRITE);
+    verifyDenied(grantAction,
+        USER_GLOBAL_CREATE,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_ADMIN,
+        USER_NS_CREATE,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC,
+        USER_TABLE_CREATE,
+        USER_TABLE_WRITE);
 
     verifyAllowed(revokeAction,
       SUPERUSER,
       USER_GLOBAL_ADMIN);
 
-    verifyDeniedWithException(revokeAction,
-      USER_GLOBAL_CREATE,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_ADMIN,
-      USER_NS_CREATE,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC,
-      USER_TABLE_CREATE,
-      USER_TABLE_WRITE);
+    verifyDenied(revokeAction,
+        USER_GLOBAL_CREATE,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_ADMIN,
+        USER_NS_CREATE,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC,
+        USER_TABLE_CREATE,
+        USER_TABLE_WRITE);
 
     verifyAllowed(getPermissionsAction,
       SUPERUSER,
       USER_GLOBAL_ADMIN,
       USER_NS_ADMIN);
 
-    verifyDeniedWithException(getPermissionsAction,
-      USER_GLOBAL_CREATE,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_CREATE,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC,
-      USER_TABLE_CREATE,
-      USER_TABLE_WRITE);
+    verifyDenied(getPermissionsAction,
+        USER_GLOBAL_CREATE,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_CREATE,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC,
+        USER_TABLE_CREATE,
+        USER_TABLE_WRITE);
   }
 
   @Test
@@ -475,16 +466,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
       USER_GLOBAL_CREATE,
       USER_NS_CREATE);
 
-    verifyDeniedWithException(createTable,
-      USER_GLOBAL_ADMIN,
-      USER_GLOBAL_WRITE,
-      USER_GLOBAL_READ,
-      USER_GLOBAL_EXEC,
-      USER_NS_ADMIN,
-      USER_NS_WRITE,
-      USER_NS_READ,
-      USER_NS_EXEC,
-      USER_TABLE_CREATE,
-      USER_TABLE_WRITE);
+    verifyDenied(createTable,
+        USER_GLOBAL_ADMIN,
+        USER_GLOBAL_WRITE,
+        USER_GLOBAL_READ,
+        USER_GLOBAL_EXEC,
+        USER_NS_ADMIN,
+        USER_NS_WRITE,
+        USER_NS_READ,
+        USER_NS_EXEC,
+        USER_TABLE_CREATE,
+        USER_TABLE_WRITE);
   }
 }

http://git-wip-us.apache.org/repos/asf/hbase/blob/050028c3/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
index b14c706..0e618bd 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
@@ -220,7 +220,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
     }, USER_OTHER);
 
     // A scan of FAMILY2 will throw an AccessDeniedException
-    verifyDeniedWithException(new AccessTestAction() {
+    verifyDenied(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
         // force a new RS connection


Mime
View raw message