hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject [4/5] hbase git commit: HBASE-13828 Add group permissions testing coverage to AC
Date Thu, 11 Jun 2015 04:39:45 GMT
HBASE-13828 Add group permissions testing coverage to AC

Signed-off-by: Andrew Purtell <apurtell@apache.org>

Conflicts:
	hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
	hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/904ec1e4
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/904ec1e4
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/904ec1e4

Branch: refs/heads/branch-1.0
Commit: 904ec1e4c3e7556b6ce290180c62f22469a8a608
Parents: b56dc3d
Author: Ashish Singhi <ashish.singhi@huawei.com>
Authored: Wed Jun 10 22:13:54 2015 +0530
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Wed Jun 10 21:20:57 2015 -0700

----------------------------------------------------------------------
 .../security/access/TestAccessController.java   | 256 ++++++++++++-------
 .../security/access/TestAccessController2.java  | 136 +++++-----
 .../security/access/TestNamespaceCommands.java  | 197 +++++---------
 3 files changed, 305 insertions(+), 284 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/904ec1e4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index ce4aa68..2d78b74 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -156,6 +156,16 @@ public class TestAccessController extends SecureTestUtil {
   // user with admin rights on the column family
   private static User USER_ADMIN_CF;
 
+  private static final String GROUP_ADMIN = "group_admin";
+  private static final String GROUP_CREATE = "group_create";
+  private static final String GROUP_READ = "group_read";
+  private static final String GROUP_WRITE = "group_write";
+
+  private static User USER_GROUP_ADMIN;
+  private static User USER_GROUP_CREATE;
+  private static User USER_GROUP_READ;
+  private static User USER_GROUP_WRITE;
+
   // TODO: convert this test to cover the full matrix in
   // https://hbase.apache.org/book/appendix_acl_matrix.html
   // creating all Scope x Permission combinations
@@ -215,6 +225,15 @@ public class TestAccessController extends SecureTestUtil {
     USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
     USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
 
+    USER_GROUP_ADMIN =
+        User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+    USER_GROUP_CREATE =
+        User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE
});
+    USER_GROUP_READ =
+        User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+    USER_GROUP_WRITE =
+        User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
     systemUserConnection = TEST_UTIL.getConnection();
     setUpTableAndUserPermissions();
   }
@@ -269,6 +288,11 @@ public class TestAccessController extends SecureTestUtil {
       TEST_TABLE, TEST_FAMILY,
       null, Permission.Action.ADMIN, Permission.Action.CREATE);
 
+    grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+    grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+    grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+    grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
+
     assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
     try {
       assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
@@ -305,10 +329,11 @@ public class TestAccessController extends SecureTestUtil {
     };
 
     // verify that superuser can create tables
-    verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
+    verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
 
     // all others should be denied
-    verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
+      USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -325,8 +350,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
-    verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -340,8 +366,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
-    verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -356,8 +383,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
-    verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -372,8 +400,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
-    verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -389,8 +418,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
-    verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+      USER_GROUP_CREATE, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -404,8 +434,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
-    verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+      USER_GROUP_CREATE, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -428,11 +459,13 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
-    verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
 
     // No user should be allowed to disable _acl_ table
-    verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
USER_RO);
+    verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
USER_RO,
+      USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -446,8 +479,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
-    verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -468,8 +502,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -488,8 +523,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -508,8 +544,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -528,8 +565,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -542,8 +580,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -556,8 +595,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -570,8 +610,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -584,13 +625,15 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   private void verifyWrite(AccessTestAction action) throws Exception {
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
-    verifyDenied(action, USER_NONE, USER_RO);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+      USER_GROUP_WRITE);
+    verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
   }
 
   @Test
@@ -603,8 +646,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -619,8 +663,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -639,8 +684,9 @@ public class TestAccessController extends SecureTestUtil {
         }
       };
 
-      verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
-      verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+      verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+      verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+        USER_GROUP_WRITE, USER_GROUP_CREATE);
     } finally {
       TEST_UTIL.deleteTable(tname);
     }
@@ -656,8 +702,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
-    verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -671,18 +718,21 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
-    verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+      USER_GROUP_ADMIN);
+    verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   private void verifyRead(AccessTestAction action) throws Exception {
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
-    verifyDenied(action, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
+      USER_GROUP_READ);
+    verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
   }
 
   private void verifyReadWrite(AccessTestAction action) throws Exception {
     verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
-    verifyDenied(action, USER_NONE, USER_RO);
+    verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
+      USER_GROUP_WRITE);
   }
 
   @Test
@@ -838,8 +888,10 @@ public class TestAccessController extends SecureTestUtil {
 
       // User performing bulk loads must have privilege to read table metadata
       // (ADMIN or CREATE)
-      verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
-      verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+      verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
+        USER_GROUP_CREATE);
+      verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
+        USER_GROUP_ADMIN);
     } finally {
       // Reinit after the bulk upload
       TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
@@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
-    verifyDenied(appendAction, USER_RO, USER_NONE);
+    verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+      USER_GROUP_WRITE);
+    verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+      USER_GROUP_ADMIN);
   }
 
   @Test
@@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
-    verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+    verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
     try {
-      verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
-      verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+      verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+      verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+        USER_GROUP_WRITE, USER_GROUP_CREATE);
 
-      verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
-      verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+      verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+      verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+        USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
-      verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
+      verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
       verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
-        USER_NONE);
+        USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
     } finally {
       // Cleanup, Grant the revoked permission back to the user
       grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@@ -1531,8 +1588,8 @@ public class TestAccessController extends SecureTestUtil {
     }
     UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
       AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
-    assertTrue("Only user admin has permission on table _acl_ per setup",
-      perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+    assertTrue("Only global users and user admin has permission on table _acl_ per setup",
+      perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
   }
 
   /** global operations */
@@ -1719,8 +1776,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -1733,8 +1791,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -1747,8 +1806,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -1761,8 +1821,9 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(action, SUPERUSER, USER_ADMIN);
-    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+      USER_GROUP_READ, USER_GROUP_WRITE);
   }
 
   @Test
@@ -1803,17 +1864,21 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN);
-    verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
-    verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
-    verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
-    verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
-    verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
-    verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
-    verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -1908,12 +1973,15 @@ public class TestAccessController extends SecureTestUtil {
         }
       };
 
-      verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
-      verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
+      verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN,
+        USER_GROUP_CREATE, USER_GROUP_ADMIN);
+      verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+        USER_GROUP_WRITE);
 
       verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
-        TABLE_ADMIN);
-      verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+        TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
+      verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+        USER_GROUP_WRITE);
     } finally {
       // Cleanup, revoke TABLE ADMIN privs
       revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
@@ -1938,8 +2006,8 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
-        USER_RW, USER_RO);
+    verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
+      USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
     verifyIfEmptyList(listTablesAction, USER_NONE);
   }
 
@@ -1970,7 +2038,8 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+    verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+      USER_GROUP_WRITE);
     verifyAllowed(deleteTableAction, TABLE_ADMIN);
   }
 
@@ -2355,7 +2424,7 @@ public class TestAccessController extends SecureTestUtil {
 
     // Verify that we can read sys-tables
     String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
-    assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
+    assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
     assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
 
     // Grant TABLE ADMIN privs to testUserPerms
@@ -2380,8 +2449,10 @@ public class TestAccessController extends SecureTestUtil {
   }
 
   private void verifyAnyCreate(AccessTestAction action) throws Exception {
-    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
-    verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
+      USER_GROUP_CREATE);
+    verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+      USER_GROUP_ADMIN);
   }
 
   @Test
@@ -2419,7 +2490,8 @@ public class TestAccessController extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
-    verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+    verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
+    verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+      USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
   }
 }

http://git-wip-us.apache.org/repos/asf/hbase/blob/904ec1e4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index 78a7ba9..d9fd8a8 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -94,6 +94,7 @@ public class TestAccessController2 extends SecureTestUtil {
   private String namespace = "testNamespace";
   private String tname = namespace + ":testtable1";
   private TableName tableName = TableName.valueOf(tname);
+  private static String TESTGROUP_1_NAME;
 
   @BeforeClass
   public static void setupBeforeClass() throws Exception {
@@ -106,6 +107,7 @@ public class TestAccessController2 extends SecureTestUtil {
     // Wait for the ACL table to become available
     TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
 
+    TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
     TESTGROUP1_USER1 =
         User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
     TESTGROUP2_USER1 =
@@ -192,23 +194,27 @@ public class TestAccessController2 extends SecureTestUtil {
 
   @Test
   public void testCreateTableWithGroupPermissions() throws Exception {
-    grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
-    AccessTestAction createAction = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
-        desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
-        try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()))
{
-          try (Admin admin = connection.getAdmin()) {
-            admin.createTable(desc);
+    grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+    try {
+      AccessTestAction createAction = new AccessTestAction() {
+        @Override
+        public Object run() throws Exception {
+          HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
+          desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
+          try (Connection connection =
+              ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
+            try (Admin admin = connection.getAdmin()) {
+              admin.createTable(desc);
+            }
           }
+          return null;
         }
-        return null;
-      }
-    };
-    verifyAllowed(createAction, TESTGROUP1_USER1);
-    verifyDenied(createAction, TESTGROUP2_USER1);
-    revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
+      };
+      verifyAllowed(createAction, TESTGROUP1_USER1);
+      verifyDenied(createAction, TESTGROUP2_USER1);
+    } finally {
+      revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+    }
   }
 
   @Test
@@ -256,54 +262,64 @@ public class TestAccessController2 extends SecureTestUtil {
     SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
       TEST_TABLE.getTableName(), null, null, Action.ADMIN);
 
-    // Write tests
-
-    AccessTestAction writeAction = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        try(Connection conn = ConnectionFactory.createConnection(conf);
-            Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
-          t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
-            TEST_VALUE));
-          return null;
-        } finally {
+    grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+    try {
+      // Write tests
+
+      AccessTestAction writeAction = new AccessTestAction() {
+        @Override
+        public Object run() throws Exception {
+          try (Connection conn = ConnectionFactory.createConnection(conf);
+              Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+            t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+              TEST_VALUE));
+            return null;
+          } finally {
+          }
         }
-      }
-    };
+      };
 
-    // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+      // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
 
-    verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
-    verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
-    verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
-    verifyAllowed(writeAction, superUser, globalWrite);
-
-    // Read tests
+      verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+      verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+      verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+      verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+    } finally {
+      revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+    }
 
-    AccessTestAction scanAction = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        try(Connection conn = ConnectionFactory.createConnection(conf);
-            Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
-          ResultScanner s = t.getScanner(new Scan());
-          try {
-            for (Result r = s.next(); r != null; r = s.next()) {
-              // do nothing
+    grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+    try {
+      // Read tests
+
+      AccessTestAction scanAction = new AccessTestAction() {
+        @Override
+        public Object run() throws Exception {
+          try (Connection conn = ConnectionFactory.createConnection(conf);
+              Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+            ResultScanner s = t.getScanner(new Scan());
+            try {
+              for (Result r = s.next(); r != null; r = s.next()) {
+                // do nothing
+              }
+            } finally {
+              s.close();
             }
-          } finally {
-            s.close();
+            return null;
           }
-          return null;
         }
-      }
-    };
+      };
 
-    // All reads from ACL table denied except for GLOBAL READ and superuser
+      // All reads from ACL table denied except for GLOBAL READ and superuser
 
-    verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
-    verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
-    verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
-    verifyAllowed(scanAction, superUser, globalRead);
+      verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+      verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+      verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+      verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+    } finally {
+      revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+    }
   }
 
   /*
@@ -403,17 +419,17 @@ public class TestAccessController2 extends SecureTestUtil {
 
     // Verify user from a group which has table level access can read all the data and group
which
     // has no access can't read any data.
-    grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
+    grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
     verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
     verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
 
     // Verify user from a group whose table level access has been revoked can't read any
data.
-    revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
+    revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
     verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
 
     // Verify user from a group which has column family level access can read all the data
     // belonging to that family and group which has no access can't read any data.
-    grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
+    grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
       Permission.Action.READ);
     verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
     verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@@ -422,12 +438,12 @@ public class TestAccessController2 extends SecureTestUtil {
 
     // Verify user from a group whose column family level access has been revoked can't read
any
     // data from that family.
-    revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
+    revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
     verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
 
     // Verify user from a group which has column qualifier level access can read data that
has this
     // family and qualifier, and group which has no access can't read any data.
-    grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
+    grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
     verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
     verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
     verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -437,7 +453,7 @@ public class TestAccessController2 extends SecureTestUtil {
 
     // Verify user from a group whose column qualifier level access has been revoked can't
read the
     // data having this column family and qualifier.
-    revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
+    revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
     verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
   }
 

http://git-wip-us.apache.org/repos/asf/hbase/blob/904ec1e4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 2aabeed..bd174f3 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -91,6 +91,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
   //user with create table permissions alone
   private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
 
+  private static final String GROUP_ADMIN = "group_admin";
+  private static final String GROUP_CREATE = "group_create";
+  private static final String GROUP_READ = "group_read";
+  private static final String GROUP_WRITE = "group_write";
+
+  private static User USER_GROUP_ADMIN;
+  private static User USER_GROUP_CREATE;
+  private static User USER_GROUP_READ;
+  private static User USER_GROUP_WRITE;
+
   private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
   private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
 
@@ -115,6 +125,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
 
     USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
     USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
+
+    USER_GROUP_ADMIN =
+        User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+    USER_GROUP_CREATE =
+        User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE
});
+    USER_GROUP_READ =
+        User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+    USER_GROUP_WRITE =
+        User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
     // TODO: other table perms
 
     UTIL.startMiniCluster();
@@ -143,6 +162,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
     grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(),   TEST_NAMESPACE, Permission.Action.EXEC);
 
     grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+    grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+    grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+    grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+    grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
   }
 
   @AfterClass
@@ -201,20 +225,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
     };
 
     // modifyNamespace: superuser | global(A) | NS(A)
-    verifyAllowed(modifyNamespace,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN);
-
-    verifyDenied(modifyNamespace,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_ADMIN,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC);
+    verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -238,41 +252,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
     };
 
     // createNamespace: superuser | global(A)
-    verifyAllowed(createNamespace,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN);
-
+    verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
     // all others should be denied
-    verifyDenied(createNamespace,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_ADMIN,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
+    verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 
     // deleteNamespace: superuser | global(A) | NS(A)
-    verifyAllowed(deleteNamespace,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN);
-
-    verifyDenied(deleteNamespace,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_ADMIN,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
+    verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -286,22 +276,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
       }
     };
     // getNamespaceDescriptor : superuser | global(A) | NS(A)
-    verifyAllowed(getNamespaceAction,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN,
-      USER_NS_ADMIN);
-
-    verifyDenied(getNamespaceAction,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
+    verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+      USER_GROUP_ADMIN);
+    verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -324,14 +303,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
     // listNamespaces         : All access*
     // * Returned list will only show what you can call getNamespaceDescriptor()
 
-    verifyAllowed(listAction,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN,
-      USER_NS_ADMIN);
+    verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
 
     // we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
     assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
     assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
+    assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
 
     assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
 
@@ -345,6 +322,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
     assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
     assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
     assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
+    assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
+    assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
+    assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
   }
 
   @Test
@@ -396,56 +376,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
       }
     };
 
-    verifyAllowed(grantAction,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN);
-
-    verifyDenied(grantAction,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_ADMIN,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
-
-    verifyAllowed(revokeAction,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN);
-
-    verifyDenied(revokeAction,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_ADMIN,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
-
-    verifyAllowed(getPermissionsAction,
-      SUPERUSER,
-      USER_GLOBAL_ADMIN,
-      USER_NS_ADMIN);
-
-    verifyDenied(getPermissionsAction,
-        USER_GLOBAL_CREATE,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_CREATE,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
+    verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+    verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+    verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+    verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+      USER_GROUP_ADMIN);
+    verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
   }
 
   @Test
@@ -461,21 +406,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
     };
 
     //createTable            : superuser | global(C) | NS(C)
-    verifyAllowed(createTable,
-      SUPERUSER,
-      USER_GLOBAL_CREATE,
-      USER_NS_CREATE);
-
-    verifyDenied(createTable,
-        USER_GLOBAL_ADMIN,
-        USER_GLOBAL_WRITE,
-        USER_GLOBAL_READ,
-        USER_GLOBAL_EXEC,
-        USER_NS_ADMIN,
-        USER_NS_WRITE,
-        USER_NS_READ,
-        USER_NS_EXEC,
-        USER_TABLE_CREATE,
-        USER_TABLE_WRITE);
+    verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
+    verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+      USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+      USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
   }
 }


Mime
View raw message