From ssrungar...@apache.org
Subject hbase git commit: HBASE-13296 Fix the deletion of acl notify nodes for namespace.
Date Wed, 01 Apr 2015 20:23:04 GMT
Repository: hbase
Updated Branches:
  refs/heads/branch-1 39b5ce947 -> a6ddcc8fa


HBASE-13296 Fix the deletion of acl notify nodes for namespace.


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/a6ddcc8f
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/a6ddcc8f
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/a6ddcc8f

Branch: refs/heads/branch-1
Commit: a6ddcc8fa2b99d4c25b11d34270344954b286239
Parents: 39b5ce9
Author: Srikanth Srungarapu <ssrungarapu@cloudera.com>
Authored: Wed Apr 1 12:17:00 2015 -0700
Committer: Srikanth Srungarapu <ssrungarapu@cloudera.com>
Committed: Wed Apr 1 12:17:00 2015 -0700

----------------------------------------------------------------------
 .../hbase/security/access/AccessController.java |  3 +-
 .../security/access/ZKPermissionWatcher.java    | 17 +++++
 .../hbase/security/access/SecureTestUtil.java   | 19 +++++
 .../security/access/TestAccessController.java   |  8 +-
 .../security/access/TestAccessController2.java  | 79 +++++++++++++-------
 5 files changed, 93 insertions(+), 33 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/a6ddcc8f/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index d72eef7..91fcadc 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -1280,7 +1280,8 @@ public class AccessController extends BaseMasterAndRegionObserver
         return null;
       }
     });
-    LOG.info(namespace + "entry deleted in "+AccessControlLists.ACL_TABLE_NAME+" table.");
+    this.authManager.getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
+    LOG.info(namespace + " entry deleted in "+AccessControlLists.ACL_TABLE_NAME+" table.");
   }
 
   @Override
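Review bot: The added `deleteNamespaceACLNode(namespace)` call has no comment explaining why this hook now touches ZooKeeper, and the log line after it still reports only the ACL table entry. A short comment would help, for example `// Also remove the namespace's acl notify znode so it does not outlive the ACL table entry.` Note that the callee in ZKPermissionWatcher calls `watcher.abort(...)` on any `KeeperException` other than `NoNodeException`, so a ZooKeeper error in this hook can now abort the server; that is worth stating in the comment if it is intended. The enclosing method starts above this hunk, so the rest of its body is not visible here.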

http://git-wip-us.apache.org/repos/asf/hbase/blob/a6ddcc8f/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
index 53de50f..2c051ea 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
@@ -211,4 +211,21 @@ public class ZKPermissionWatcher extends ZooKeeperListener {
       watcher.abort("Failed deleting node " + zkNode, e);
     }
   }
+
+  /***
+   * Delete the acl notify node of namespace
+   */
+  public void deleteNamespaceACLNode(final String namespace) {
+    String zkNode = ZKUtil.joinZNode(watcher.baseZNode, ACL_NODE);
+    zkNode = ZKUtil.joinZNode(zkNode, AccessControlLists.NAMESPACE_PREFIX + namespace);
+
+    try {
+      ZKUtil.deleteNode(watcher, zkNode);
+    } catch (KeeperException.NoNodeException e) {
+      LOG.warn("No acl notify node of namespace '" + namespace + "'");
+    } catch (KeeperException e) {
+      LOG.error("Failed deleting acl node of namespace '" + namespace + "'", e);
+      watcher.abort("Failed deleting node " + zkNode, e);
+    }
+  }
 }
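Review bot: The `NoNodeException` branch of `deleteNamespaceACLNode` logs at WARN, but a missing node looks like a normal case rather than a fault. The test added in TestAccessController2 notes that namespaces create their ACL znode lazily, so deleting a namespace that never received a grant would reach this branch every time. Consider `LOG.debug("No acl notify node of namespace '" + namespace + "'");` so real permission-cleanup failures stand out in the log. The Javadoc opens with `/***` instead of `/**`, and it should mention that any other `KeeperException` aborts the watcher.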

http://git-wip-us.apache.org/repos/asf/hbase/blob/a6ddcc8f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index 89f10db..c45accd 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -39,6 +39,7 @@ import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.MiniHBaseCluster;
+import org.apache.hadoop.hbase.NamespaceDescriptor;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.TableNotEnabledException;
 import org.apache.hadoop.hbase.Waiter.Predicate;
@@ -655,6 +656,16 @@ public class SecureTestUtil {
     deleteTable(testUtil, testUtil.getHBaseAdmin(), tableName);
   }
 
+  public static void createNamespace(HBaseTestingUtility testUtil, NamespaceDescriptor nsDesc)
+      throws Exception {
+    testUtil.getHBaseAdmin().createNamespace(nsDesc);
+  }
+
+  public static void deleteNamespace(HBaseTestingUtility testUtil, String namespace)
+      throws Exception {
+    testUtil.getHBaseAdmin().deleteNamespace(namespace);
+  }
+
   public static void deleteTable(HBaseTestingUtility testUtil, Admin admin, TableName tableName)
       throws Exception {
     // NOTE: We need a latch because admin is not sync,
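Review bot: The new `deleteNamespace` helper returns as soon as `getHBaseAdmin().deleteNamespace(namespace)` returns, while the sibling `deleteTable` below it waits on a latch "because admin is not sync". `testACLZNodeDeletion` asserts that the namespace ACL znode is gone immediately after calling this helper. If the post-delete hook can still be running at that point, the assertion becomes timing-dependent; whether it can is not visible from this hunk. Either document the assumption, e.g. `// Admin#deleteNamespace is expected to return only after the post-delete hook has run`, or add a wait like the table path has. The body of `deleteTable` continues outside the hunk.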
@@ -671,4 +682,12 @@ public class SecureTestUtil {
     observer.tableDeletionLatch.await();
     observer.tableDeletionLatch = null;
   }
+
+  public static String convertToNamespace(String namespace) {
+    return AccessControlLists.NAMESPACE_PREFIX + namespace;
+  }
+
+  public static String convertToGroup(String group) {
+    return AccessControlLists.GROUP_PREFIX + group;
+  }
 }

http://git-wip-us.apache.org/repos/asf/hbase/blob/a6ddcc8f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index de452f9..a07064b 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -2269,7 +2269,7 @@ public class TestAccessController extends SecureTestUtil {
    public void testGetNamespacePermission() throws Exception {
      String namespace = "testGetNamespacePermission";
      NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
-     TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
+     createNamespace(TEST_UTIL, desc);
      grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
      try {
        List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
@@ -2279,7 +2279,7 @@ public class TestAccessController extends SecureTestUtil {
      } catch (Throwable thw) {
        throw new HBaseException(thw);
      }
-     TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(namespace);
+     deleteNamespace(TEST_UTIL, namespace);
    }
 
   @Test
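Review bot: `deleteNamespace(TEST_UTIL, namespace)` runs only when the preceding `try` completes normally, because the `catch (Throwable thw)` rethrows. A failing assertion therefore leaves the namespace and its READ grant for `USER_NONE` in the shared mini cluster. Stale grants can change the outcome of later access-control tests, so the cleanup is better placed in a `finally` block: `} finally { deleteNamespace(TEST_UTIL, namespace); }`. The `try` opens in the previous hunk, so only its tail is visible here.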
@@ -2350,7 +2350,7 @@ public class TestAccessController extends SecureTestUtil {
     String ns = "testNamespace";
     NamespaceDescriptor desc = NamespaceDescriptor.create(ns).build();
     final TableName table2 = TableName.valueOf(ns, tableName);
-    TEST_UTIL.getMiniHBaseCluster().getMaster().createNamespace(desc);
+    createNamespace(TEST_UTIL, desc);
     htd = new HTableDescriptor(table2);
     htd.addFamily(new HColumnDescriptor(family));
     createTable(TEST_UTIL, htd);
@@ -2378,7 +2378,7 @@ public class TestAccessController extends SecureTestUtil {
 
     deleteTable(TEST_UTIL, table1);
     deleteTable(TEST_UTIL, table2);
-    TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(ns);
+    deleteNamespace(TEST_UTIL, ns);
   }
 
   private void verifyAnyCreate(AccessTestAction action) throws Exception {

http://git-wip-us.apache.org/repos/asf/hbase/blob/a6ddcc8f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index e828429..43bc811 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -22,7 +22,7 @@ import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
-import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -37,7 +37,6 @@ import org.apache.hadoop.hbase.TableNotFoundException;
 import org.apache.hadoop.hbase.client.Admin;
 import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
-import org.apache.hadoop.hbase.client.HTable;
 import org.apache.hadoop.hbase.client.Put;
 import org.apache.hadoop.hbase.client.Result;
 import org.apache.hadoop.hbase.client.ResultScanner;
@@ -48,6 +47,8 @@ import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.testclassification.LargeTests;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.TestTableName;
+import org.apache.hadoop.hbase.zookeeper.ZKUtil;
+import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
@@ -68,6 +69,9 @@ public class TestAccessController2 extends SecureTestUtil {
   private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
   private static Configuration conf;
 
+  /** The systemUserConnection created here is tied to the system user. In case, you are
planning
+   * to create AccessTestAction, DON'T use this systemUserConnection as the 'doAs' user
+   * gets  eclipsed by the system user. */
   private static Connection systemUserConnection;
 
   private final static byte[] Q1 = Bytes.toBytes("q1");
@@ -114,26 +118,14 @@ public class TestAccessController2 extends SecureTestUtil {
   @Before
   public void setUp() throws Exception {
     TEST_UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(namespace).build());
-    try (Table table =
-        TEST_UTIL.createTable(tableName,
+    try (Table table = TEST_UTIL.createTable(tableName,
           new String[] { Bytes.toString(TEST_FAMILY), Bytes.toString(TEST_FAMILY_2) })) {
-      TEST_UTIL.waitTableEnabled(tableName);
+      TEST_UTIL.waitUntilAllRegionsAssigned(tableName);
 
-      List<Put> puts = new ArrayList<Put>(5);
-      Put put_1 = new Put(TEST_ROW);
-      put_1.addColumn(TEST_FAMILY, Q1, value1);
-
-      Put put_2 = new Put(TEST_ROW_2);
-      put_2.addColumn(TEST_FAMILY, Q2, value2);
-
-      Put put_3 = new Put(TEST_ROW_3);
-      put_3.addColumn(TEST_FAMILY_2, Q1, value1);
-
-      puts.add(put_1);
-      puts.add(put_2);
-      puts.add(put_3);
-
-      table.put(puts);
+      // Ingesting test data.
+      table.put(Arrays.asList(new Put(TEST_ROW).addColumn(TEST_FAMILY, Q1, value1),
+          new Put(TEST_ROW_2).addColumn(TEST_FAMILY, Q2, value2),
+          new Put(TEST_ROW_3).addColumn(TEST_FAMILY_2, Q1, value1)));
     }
 
     assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size());
@@ -143,11 +135,11 @@ public class TestAccessController2 extends SecureTestUtil {
     } catch (Throwable e) {
       LOG.error("Error during call of AccessControlClient.getUserPermissions. ", e);
     }
-    // setupOperations();
   }
 
   @AfterClass
   public static void tearDownAfterClass() throws Exception {
+    systemUserConnection.close();
     TEST_UTIL.shutdownMiniCluster();
   }
 
@@ -160,7 +152,7 @@ public class TestAccessController2 extends SecureTestUtil {
       // Test deleted the table, no problem
       LOG.info("Test deleted table " + tableName);
     }
-    TEST_UTIL.getHBaseAdmin().deleteNamespace(namespace);
+    deleteNamespace(TEST_UTIL, namespace);
     // Verify all table/namespace permissions are erased
     assertEquals(0, AccessControlLists.getTablePermissions(conf, tableName).size());
     assertEquals(0, AccessControlLists.getNamespacePermissions(conf, namespace).size());
@@ -394,17 +386,17 @@ public class TestAccessController2 extends SecureTestUtil {
 
     // Verify user from a group which has table level access can read all the data and group
which
     // has no access can't read any data.
-    grantOnTable(TEST_UTIL, '@' + TESTGROUP_1, tableName, null, null, Permission.Action.READ);
+    grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
     verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
     verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
 
     // Verify user from a group whose table level access has been revoked can't read any
data.
-    revokeFromTable(TEST_UTIL, '@' + TESTGROUP_1, tableName, null, null);
+    revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
     verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
 
     // Verify user from a group which has column family level access can read all the data
     // belonging to that family and group which has no access can't read any data.
-    grantOnTable(TEST_UTIL, '@' + TESTGROUP_1, tableName, TEST_FAMILY, null,
+    grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
       Permission.Action.READ);
     verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
     verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@@ -413,12 +405,12 @@ public class TestAccessController2 extends SecureTestUtil {
 
     // Verify user from a group whose column family level access has been revoked can't read
any
     // data from that family.
-    revokeFromTable(TEST_UTIL, '@' + TESTGROUP_1, tableName, TEST_FAMILY, null);
+    revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
     verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
 
     // Verify user from a group which has column qualifier level access can read data that
has this
     // family and qualifier, and group which has no access can't read any data.
-    grantOnTable(TEST_UTIL, '@' + TESTGROUP_1, tableName, TEST_FAMILY, Q1, Permission.Action.READ);
+    grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
     verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
     verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
     verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -428,7 +420,38 @@ public class TestAccessController2 extends SecureTestUtil {
 
     // Verify user from a group whose column qualifier level access has been revoked can't
read the
     // data having this column family and qualifier.
-    revokeFromTable(TEST_UTIL, '@' + TESTGROUP_1, tableName, TEST_FAMILY, Q1);
+    revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
     verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
   }
+
+  @Test
+  public void testACLZNodeDeletion() throws Exception {
+    String baseAclZNode = "/hbase/acl/";
+    String ns = "testACLZNodeDeletionNamespace";
+    NamespaceDescriptor desc = NamespaceDescriptor.create(ns).build();
+    createNamespace(TEST_UTIL, desc);
+
+    final TableName table = TableName.valueOf(ns, "testACLZNodeDeletionTable");
+    final byte[] family = Bytes.toBytes("f1");
+    HTableDescriptor htd = new HTableDescriptor(table);
+    htd.addFamily(new HColumnDescriptor(family));
+    createTable(TEST_UTIL, htd);
+
+    // Namespace needs this, as they follow the lazy creation of ACL znode.
+    grantOnNamespace(TEST_UTIL, TESTGROUP1_USER1.getShortName(), ns, Action.ADMIN);
+    ZooKeeperWatcher zkw = TEST_UTIL.getMiniHBaseCluster().getMaster().getZooKeeper();
+    assertTrue("The acl znode for table should exist",  ZKUtil.checkExists(zkw, baseAclZNode
+
+        table.getNameAsString()) != -1);
+    assertTrue("The acl znode for namespace should exist", ZKUtil.checkExists(zkw, baseAclZNode
+
+        convertToNamespace(ns)) != -1);
+
+    revokeFromNamespace(TEST_UTIL, TESTGROUP1_USER1.getShortName(), ns, Action.ADMIN);
+    deleteTable(TEST_UTIL, table);
+    deleteNamespace(TEST_UTIL, ns);
+
+    assertTrue("The acl znode for table should have been deleted",
+        ZKUtil.checkExists(zkw, baseAclZNode + table.getNameAsString()) == -1);
+    assertTrue( "The acl znode for namespace should have been deleted",
+        ZKUtil.checkExists(zkw, baseAclZNode + convertToNamespace(ns)) == -1);
+  }
 }
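Review bot: `testACLZNodeDeletion` hard-codes `baseAclZNode = "/hbase/acl/"`, while the production code in ZKPermissionWatcher builds the same path from `watcher.baseZNode` and `ACL_NODE`. If the cluster's parent znode is ever configured differently, the test will check the wrong path. Derive it from the watcher once `zkw` is available, e.g. `String baseAclZNode = ZKUtil.joinZNode(zkw.baseZNode, "acl") + "/";`, or reuse the ACL node constant if it is accessible from the test. The revoke, `deleteTable` and `deleteNamespace` calls are also skipped when one of the "should exist" assertions fails, which leaves the ADMIN grant in place for later tests; a `try`/`finally` around the assertions would avoid that.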

