Return-Path: X-Original-To: apmail-hbase-commits-archive@www.apache.org Delivered-To: apmail-hbase-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D69D91782B for ; Thu, 4 Jun 2015 14:04:51 +0000 (UTC) Received: (qmail 95786 invoked by uid 500); 4 Jun 2015 14:04:51 -0000 Delivered-To: apmail-hbase-commits-archive@hbase.apache.org Received: (qmail 95750 invoked by uid 500); 4 Jun 2015 14:04:51 -0000 Mailing-List: contact commits-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hbase.apache.org Delivered-To: mailing list commits@hbase.apache.org Received: (qmail 95534 invoked by uid 99); 4 Jun 2015 14:04:51 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 04 Jun 2015 14:04:51 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 61A20E04DC; Thu, 4 Jun 2015 14:04:51 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: ssrungarapu@apache.org To: commits@hbase.apache.org Date: Thu, 04 Jun 2015 14:04:52 -0000 Message-Id: In-Reply-To: <5c531a2b3e5d40439436affe7d8ad306@git.apache.org> References: <5c531a2b3e5d40439436affe7d8ad306@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/2] hbase git commit: HBASE-13658 Improve the test run time for TestAccessController class HBASE-13658 Improve the test run time for TestAccessController class Signed-off-by: Srikanth Srungarapu Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/9046b37e Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/9046b37e Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/9046b37e Branch: refs/heads/branch-1.0 Commit: 9046b37ee6dfc2a276be2ff0eaebc445ee7cdc7c Parents: e1d177c Author: Ashish Singhi Authored: Wed Jun 3 15:39:15 2015 +0530 Committer: Srikanth Srungarapu Committed: Thu Jun 4 07:02:52 2015 -0700 ---------------------------------------------------------------------- .../security/access/TestAccessController.java | 1362 +++++++++--------- 1 file changed, 696 insertions(+), 666 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/9046b37e/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 4986d97..ce4aa68 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -103,14 +103,10 @@ import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.Permission.Action; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.JVMClusterUtil; -import org.apache.hadoop.hbase.util.TestTableName; import org.apache.log4j.Level; import org.apache.log4j.Logger; -import org.junit.After; import org.junit.AfterClass; -import org.junit.Before; import org.junit.BeforeClass; -import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; @@ -134,7 +130,7 @@ public class TestAccessController extends SecureTestUtil { Logger.getLogger(TableAuthManager.class).setLevel(Level.TRACE); } - @Rule public TestTableName TEST_TABLE = new TestTableName(); + private static TableName TEST_TABLE = TableName.valueOf("testtable1"); private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; @@ -172,7 +168,7 @@ public class TestAccessController extends SecureTestUtil { private static MasterCoprocessorEnvironment CP_ENV; private static AccessController ACCESS_CONTROLLER; private static RegionServerCoprocessorEnvironment RSCP_ENV; - private RegionCoprocessorEnvironment RCP_ENV; + private static RegionCoprocessorEnvironment RCP_ENV; @BeforeClass public static void setupBeforeClass() throws Exception { @@ -220,26 +216,27 @@ public class TestAccessController extends SecureTestUtil { USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); systemUserConnection = TEST_UTIL.getConnection(); + setUpTableAndUserPermissions(); } @AfterClass public static void tearDownAfterClass() throws Exception { + cleanUp(); TEST_UTIL.shutdownMiniCluster(); } - @Before - public void setUp() throws Exception { + private static void setUpTableAndUserPermissions() throws Exception { // Create the test table (owner added to the _acl_ table) Admin admin = TEST_UTIL.getHBaseAdmin(); - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); hcd.setMaxVersions(100); htd.addFamily(hcd); htd.setOwner(USER_OWNER); admin.createTable(htd, new byte[][] { Bytes.toBytes("s") }); - TEST_UTIL.waitUntilAllRegionsAssigned(TEST_TABLE.getTableName()); + TEST_UTIL.waitUntilAllRegionsAssigned(TEST_TABLE); - HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE.getTableName()).get(0); + HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); @@ -253,26 +250,26 @@ public class TestAccessController extends SecureTestUtil { Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RW.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE); // USER_CREATE is USER_RW plus CREATE permissions grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RO.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); @@ -281,21 +278,18 @@ public class TestAccessController extends SecureTestUtil { } } - @After - public void tearDown() throws Exception { + private static void cleanUp() throws Exception { // Clean the _acl_ table try { - TEST_UTIL.deleteTable(TEST_TABLE.getTableName()); + TEST_UTIL.deleteTable(TEST_TABLE); } catch (TableNotFoundException ex) { // Test deleted the table, no problem - LOG.info("Test deleted table " + TEST_TABLE.getTableName()); + LOG.info("Test deleted table " + TEST_TABLE); } // Verify all table/namespace permissions are erased - assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); - assertEquals( - 0, - AccessControlLists.getNamespacePermissions(conf, - TEST_TABLE.getTableName().getNamespaceAsString()).size()); + assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); + assertEquals(0, + AccessControlLists.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size()); } @Test @@ -322,11 +316,11 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction modifyTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName())); ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), htd); + TEST_TABLE, htd); return null; } }; @@ -341,7 +335,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; @@ -357,7 +351,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { ACCESS_CONTROLLER .preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -372,7 +366,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction action = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(), + ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE, hcd); return null; } @@ -390,7 +384,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), hcd); + TEST_TABLE, hcd); return null; } }; @@ -405,7 +399,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), TEST_FAMILY); + TEST_TABLE, TEST_FAMILY); return null; } }; @@ -420,7 +414,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -447,7 +441,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; @@ -459,7 +453,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMove() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -481,7 +475,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAssign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -501,7 +495,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testUnassign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -521,7 +515,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testRegionOffline() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -631,21 +625,25 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMergeRegions() throws Exception { + final TableName tname = TableName.valueOf("testMergeRegions"); + createTestTable(tname); + try { + final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(tname); + assertTrue("not enough regions: " + regions.size(), regions.size() >= 2); + AccessTestAction action = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preMerge(ObserverContext.createAndPrepare(RSCP_ENV, null), + regions.get(0), regions.get(1)); + return null; + } + }; - final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE.getTableName()); - - AccessTestAction action = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preMerge( - ObserverContext.createAndPrepare(RSCP_ENV, null), - regions.get(0),regions.get(1)); - return null; - } - }; - - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + } finally { + TEST_UTIL.deleteTable(tname); + } } @Test @@ -696,7 +694,7 @@ public class TestAccessController extends SecureTestUtil { Get g = new Get(TEST_ROW); g.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.get(g); } return null; @@ -711,7 +709,7 @@ public class TestAccessController extends SecureTestUtil { Scan s = new Scan(); s.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table table = conn.getTable(TEST_TABLE.getTableName())) { + Table table = conn.getTable(TEST_TABLE)) { ResultScanner scanner = table.getScanner(s); try { for (Result r = scanner.next(); r != null; r = scanner.next()) { @@ -738,7 +736,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.put(p); } return null; @@ -753,7 +751,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.delete(d); } return null; @@ -768,7 +766,7 @@ public class TestAccessController extends SecureTestUtil { Increment inc = new Increment(TEST_ROW); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { t.increment(inc); } return null; @@ -786,7 +784,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), d); } @@ -802,7 +800,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), p); } @@ -814,37 +812,39 @@ public class TestAccessController extends SecureTestUtil { @Test public void testBulkLoad() throws Exception { - FileSystem fs = TEST_UTIL.getTestFileSystem(); - final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); - fs.mkdirs(dir); - //need to make it globally writable - //so users creating HFiles have write permissions - fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx")); - - AccessTestAction bulkLoadAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - int numRows = 3; - - //Making the assumption that the test table won't split between the range - byte[][][] hfileRanges = {{{(byte)0}, {(byte)9}}}; + try { + FileSystem fs = TEST_UTIL.getTestFileSystem(); + final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); + fs.mkdirs(dir); + // need to make it globally writable + // so users creating HFiles have write permissions + fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx")); + + AccessTestAction bulkLoadAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + int numRows = 3; - Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); - new BulkLoadHelper(bulkLoadBasePath) - .bulkLoadHFile(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows); + // Making the assumption that the test table won't split between the range + byte[][][] hfileRanges = { { { (byte) 0 }, { (byte) 9 } } }; - return null; - } - }; + Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); + new BulkLoadHelper(bulkLoadBasePath).bulkLoadHFile(TEST_TABLE, TEST_FAMILY, + TEST_QUALIFIER, hfileRanges, numRows); - // User performing bulk loads must have privilege to read table metadata - // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + return null; + } + }; - // Reinit after the bulk upload - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE.getTableName()); + // User performing bulk loads must have privilege to read table metadata + // (ADMIN or CREATE) + verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + } finally { + // Reinit after the bulk upload + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE); + } } public class BulkLoadHelper { @@ -935,7 +935,7 @@ public class TestAccessController extends SecureTestUtil { Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.put(put); t.append(append); } @@ -954,11 +954,11 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); + ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Action.READ); } return null; } @@ -969,11 +969,11 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); + ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Action.READ); } return null; } @@ -984,10 +984,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)){ - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); + AccessControlService.newBlockingStub(service); + ProtobufUtil.getUserPermissions(protocol, TEST_TABLE); } return null; } @@ -1009,16 +1009,21 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + try { + verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); - verifyDenied(getGlobalPermissionsAction, USER_CREATE, - USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, + USER_NONE); + } finally { + // Cleanup, Grant the revoked permission back to the user + grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + } } @Test @@ -1040,238 +1045,232 @@ public class TestAccessController extends SecureTestUtil { htd.addFamily(new HColumnDescriptor(family2)); admin.createTable(htd); TEST_UTIL.waitUntilAllRegionsAssigned(tableName); - - // create temp users - User tblUser = User - .createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); - User gblUser = User - .createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); - - // prepare actions: - AccessTestAction putActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family1, qualifier, Bytes.toBytes("v1")); - p.add(family2, qualifier, Bytes.toBytes("v2")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName);) { - t.put(p); + try { + // create temp users + User tblUser = + User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); + User gblUser = + User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); + + // prepare actions: + AccessTestAction putActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family1, qualifier, Bytes.toBytes("v1")); + p.add(family2, qualifier, Bytes.toBytes("v2")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName);) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction putAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family1, qualifier, Bytes.toBytes("v1")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.put(p); + AccessTestAction putAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family1, qualifier, Bytes.toBytes("v1")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction putAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family2, qualifier, Bytes.toBytes("v2")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName);) { - t.put(p); + AccessTestAction putAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family2, qualifier, Bytes.toBytes("v2")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName);) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction getActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family1); - g.addFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName);) { - t.get(g); + AccessTestAction getActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family1); + g.addFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName);) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction getAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family1); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family1); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction getAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family1); - d.deleteFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family1); + d.deleteFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family1); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family1); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family2); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family2); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - // initial check: - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // initial check: + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant table read permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null, - Permission.Action.READ); + // grant table read permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, + Permission.Action.READ); - // check - verifyAllowed(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // check + verifyAllowed(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyAllowed(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyAllowed(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant table write permission while revoking read permissions - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.WRITE); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null, - Permission.Action.WRITE); + // grant table write permission while revoking read permissions + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, + Permission.Action.WRITE); - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyAllowed(tblUser, putActionAll, putAction1, putAction2); - verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyAllowed(tblUser, putActionAll, putAction1, putAction2); + verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyAllowed(gblUser, putActionAll, putAction1, putAction2); - verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyAllowed(gblUser, putActionAll, putAction1, putAction2); + verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // revoke table permissions - revokeGlobal(TEST_UTIL, gblUser.getShortName()); - revokeFromTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null); + // revoke table permissions + revokeGlobal(TEST_UTIL, gblUser.getShortName()); + revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null); - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant column family read permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, family1, null, Permission.Action.READ); + // grant column family read permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family1, null, + Permission.Action.READ); - // Access should be denied for family2 - verifyAllowed(tblUser, getActionAll, getAction1); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // Access should be denied for family2 + verifyAllowed(tblUser, getActionAll, getAction1); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyAllowed(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyAllowed(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // grant column family write permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.WRITE); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, family2, null, Permission.Action.WRITE); + // grant column family write permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null, + Permission.Action.WRITE); - // READ from family1, WRITE to family2 are allowed - verifyAllowed(tblUser, getActionAll, getAction1); - verifyAllowed(tblUser, putAction2, deleteAction2); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1); - verifyDenied(tblUser, deleteActionAll, deleteAction1); + // READ from family1, WRITE to family2 are allowed + verifyAllowed(tblUser, getActionAll, getAction1); + verifyAllowed(tblUser, putAction2, deleteAction2); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1); + verifyDenied(tblUser, deleteActionAll, deleteAction1); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyAllowed(gblUser, putActionAll, putAction1, putAction2); - verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyAllowed(gblUser, putActionAll, putAction1, putAction2); + verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // revoke column family permission - revokeGlobal(TEST_UTIL, gblUser.getShortName()); - revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); + // revoke column family permission + revokeGlobal(TEST_UTIL, gblUser.getShortName()); + revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); - // Revoke on family2 should not have impact on family1 permissions - verifyAllowed(tblUser, getActionAll, getAction1); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + // Revoke on family2 should not have impact on family1 permissions + verifyAllowed(tblUser, getActionAll, getAction1); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - // Should not have access as global permissions are completely revoked - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + // Should not have access as global permissions are completely revoked + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // delete table - admin.disableTable(tableName); - admin.deleteTable(tableName); + } finally { + // delete table + TEST_UTIL.deleteTable(tableName); + } } private boolean hasFoundUserPermission(UserPermission userPermission, List perms) { @@ -1298,93 +1297,91 @@ public class TestAccessController extends SecureTestUtil { admin.createTable(htd); TEST_UTIL.waitUntilAllRegionsAssigned(tableName); - // create temp users - User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); + try { + // create temp users + User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - AccessTestAction getQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addColumn(family1, qualifier); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.get(g); + AccessTestAction getQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addColumn(family1, qualifier); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.get(g); + } + return null; } - return null; - } - }; + }; - AccessTestAction putQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(TEST_ROW); - p.add(family1, qualifier, Bytes.toBytes("v1")); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.put(p); + AccessTestAction putQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(TEST_ROW); + p.add(family1, qualifier, Bytes.toBytes("v1")); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.put(p); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteColumn(family1, qualifier); - // d.deleteFamily(family1); - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(tableName)) { - t.delete(d); + AccessTestAction deleteQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteColumn(family1, qualifier); + // d.deleteFamily(family1); + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(tableName)) { + t.delete(d); + } + return null; } - return null; - } - }; + }; - revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); - verifyDenied(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.READ); + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ); - verifyAllowed(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyAllowed(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - // only grant write permission - // TODO: comment this portion after HBASE-3583 - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.WRITE); + // only grant write permission + // TODO: comment this portion after HBASE-3583 + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE); - verifyDenied(user, getQualifierAction); - verifyAllowed(user, putQualifierAction); - verifyAllowed(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyAllowed(user, putQualifierAction); + verifyAllowed(user, deleteQualifierAction); - // grant both read and write permission - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.READ, Permission.Action.WRITE); + // grant both read and write permission + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ, Permission.Action.WRITE); - verifyAllowed(user, getQualifierAction); - verifyAllowed(user, putQualifierAction); - verifyAllowed(user, deleteQualifierAction); + verifyAllowed(user, getQualifierAction); + verifyAllowed(user, putQualifierAction); + verifyAllowed(user, deleteQualifierAction); - // revoke family level permission won't impact column level - revokeFromTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier); + // revoke family level permission won't impact column level + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier); - verifyDenied(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - // delete table - admin.disableTable(tableName); - admin.deleteTable(tableName); + } finally { + // delete table + TEST_UTIL.deleteTable(tableName); + } } @Test @@ -1407,116 +1404,117 @@ public class TestAccessController extends SecureTestUtil { htd.setOwner(USER_OWNER); admin.createTable(htd); TEST_UTIL.waitUntilAllRegionsAssigned(tableName); - - List perms; - Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + List perms; + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission ownerperm = new UserPermission( - Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); - assertTrue("Owner should have all permissions on table", + UserPermission ownerperm = + new UserPermission(Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); + assertTrue("Owner should have all permissions on table", hasFoundUserPermission(ownerperm, perms)); - User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - byte[] userName = Bytes.toBytes(user.getShortName()); + User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); + byte[] userName = Bytes.toBytes(user.getShortName()); - UserPermission up = new UserPermission(userName, - tableName, family1, qualifier, Permission.Action.READ); - assertFalse("User should not be granted permission: " + up.toString(), + UserPermission up = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); + assertFalse("User should not be granted permission: " + up.toString(), hasFoundUserPermission(up, perms)); - // grant read permission - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, Permission.Action.READ); + // grant read permission + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ); - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission upToVerify = new UserPermission( - userName, tableName, family1, qualifier, Permission.Action.READ); - assertTrue("User should be granted permission: " + upToVerify.toString(), + UserPermission upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); + assertTrue("User should be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - upToVerify = new UserPermission( - userName, tableName, family1, qualifier, Permission.Action.WRITE); - assertFalse("User should not be granted permission: " + upToVerify.toString(), + upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE); + assertFalse("User should not be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - // grant read+write - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.WRITE, Permission.Action.READ); + // grant read+write + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - upToVerify = new UserPermission(userName, tableName, family1, - qualifier, Permission.Action.WRITE, Permission.Action.READ); - assertTrue("User should be granted permission: " + upToVerify.toString(), + upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE, + Permission.Action.READ); + assertTrue("User should be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - // revoke - revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + // revoke + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, Permission.Action.WRITE, Permission.Action.READ); - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - assertFalse("User should not be granted permission: " + upToVerify.toString(), + assertFalse("User should not be granted permission: " + upToVerify.toString(), hasFoundUserPermission(upToVerify, perms)); - // disable table before modification - admin.disableTable(tableName); + // disable table before modification + admin.disableTable(tableName); - User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); - htd.setOwner(newOwner); - admin.modifyTable(tableName, htd); + User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); + htd.setOwner(newOwner); + admin.modifyTable(tableName, htd); - acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission newOwnerperm = new UserPermission( - Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); - assertTrue("New owner should have all permissions on table", + UserPermission newOwnerperm = + new UserPermission(Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); + assertTrue("New owner should have all permissions on table", hasFoundUserPermission(newOwnerperm, perms)); - - // delete table - admin.deleteTable(tableName); + } finally { + // delete table + TEST_UTIL.deleteTable(tableName); + } } @Test @@ -1580,127 +1578,134 @@ public class TestAccessController extends SecureTestUtil { User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); grantOnTable(TEST_UTIL, userTable.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userColumn.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userQualifier.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); - AccessTestAction tableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), null, null, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction columnRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ); - return null; - } - }; + try { + AccessTestAction tableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ); + return null; + } + }; - AccessTestAction qualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ); - return null; - } - }; + AccessTestAction columnRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); + return null; + } + }; - AccessTestAction multiQualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] { - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2, - Permission.Action.READ), }); - return null; - } - }; + AccessTestAction qualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + return null; + } + }; - AccessTestAction globalAndTableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), - new Permission[] { new Permission(Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), null, (byte[]) null, - Permission.Action.READ), }); - return null; - } - }; + AccessTestAction multiQualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ), + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q2, Permission.Action.READ), }); + return null; + } + }; - AccessTestAction noCheck = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[0]); - return null; - } - }; + AccessTestAction globalAndTableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new Permission(Permission.Action.READ), + new TablePermission(TEST_TABLE, null, (byte[]) null, Permission.Action.READ), }); + return null; + } + }; - verifyAllowed(tableRead, SUPERUSER, userTable); - verifyDenied(tableRead, userColumn, userQualifier); + AccessTestAction noCheck = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[0]); + return null; + } + }; - verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); - verifyDenied(columnRead, userQualifier); + verifyAllowed(tableRead, SUPERUSER, userTable); + verifyDenied(tableRead, userColumn, userQualifier); - verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); + verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); + verifyDenied(columnRead, userQualifier); - verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); - verifyDenied(multiQualifierRead, userQualifier); + verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); - verifyAllowed(globalAndTableRead, SUPERUSER); - verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); + verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); + verifyDenied(multiQualifierRead, userQualifier); - verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); + verifyAllowed(globalAndTableRead, SUPERUSER); + verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); - // -------------------------------------- - // test family level multiple permissions - AccessTestAction familyReadWrite = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ, Permission.Action.WRITE); - return null; - } - }; + verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); - verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(familyReadWrite, USER_NONE, USER_RO); + // -------------------------------------- + // test family level multiple permissions + AccessTestAction familyReadWrite = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, + Permission.Action.WRITE); + return null; + } + }; - // -------------------------------------- - // check for wrong table region - CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder() - .addPermission(AccessControlProtos.Permission.newBuilder() - .setType(AccessControlProtos.Permission.Type.Table) - .setTablePermission( - AccessControlProtos.TablePermission.newBuilder() - .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) - .addAction(AccessControlProtos.Permission.Action.CREATE)) - ).build(); - Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(channel); + verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); + verifyDenied(familyReadWrite, USER_NONE, USER_RO); + + // -------------------------------------- + // check for wrong table region + CheckPermissionsRequest checkRequest = + CheckPermissionsRequest + .newBuilder() + .addPermission( + AccessControlProtos.Permission + .newBuilder() + .setType(AccessControlProtos.Permission.Type.Table) + .setTablePermission( + AccessControlProtos.TablePermission.newBuilder() + .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE)) + .addAction(AccessControlProtos.Permission.Action.CREATE))).build(); + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { - // but ask for TablePermissions for TEST_TABLE - protocol.checkPermissions(null, checkRequest); - fail("this should have thrown CoprocessorException"); - } catch (ServiceException ex) { - // expected + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + try { + // but ask for TablePermissions for TEST_TABLE + protocol.checkPermissions(null, checkRequest); + fail("this should have thrown CoprocessorException"); + } catch (ServiceException ex) { + // expected + } + } finally { + acl.close(); } + } finally { - acl.close(); + revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, + Permission.Action.READ); } } @@ -1816,15 +1821,6 @@ public class TestAccessController extends SecureTestUtil { LOG.debug("Test for global authorization for a new registered RegionServer."); MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster(); - // Since each RegionServer running on different user, add global - // permissions for the new user. - String currentUser = User.getCurrent().getShortName(); - String activeUserForNewRs = currentUser + ".hfs." + - hbaseCluster.getLiveRegionServerThreads().size(); - grantGlobal(TEST_UTIL, activeUserForNewRs, - Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, - Permission.Action.WRITE); - final Admin admin = TEST_UTIL.getHBaseAdmin(); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); @@ -1889,35 +1885,40 @@ public class TestAccessController extends SecureTestUtil { User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, Permission.Action.ADMIN); - - AccessTestAction listTablesAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = conn.getAdmin()) { - return Arrays.asList(admin.listTables()); + try { + AccessTestAction listTablesAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin()) { + return Arrays.asList(admin.listTables()); + } } - } - }; + }; - AccessTestAction getTableDescAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = conn.getAdmin();) { - return admin.getTableDescriptor(TEST_TABLE.getTableName()); + AccessTestAction getTableDescAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin();) { + return admin.getTableDescriptor(TEST_TABLE); + } } - } - }; + }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + TABLE_ADMIN); + verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + } finally { + // Cleanup, revoke TABLE ADMIN privs + revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, + Permission.Action.ADMIN); + } } @Test @@ -1945,20 +1946,22 @@ public class TestAccessController extends SecureTestUtil { @Test public void testTableDeletion() throws Exception { User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]); + final TableName tname = TableName.valueOf("testTableDeletion"); + createTestTable(tname); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tname, null, null, Permission.Action.ADMIN); AccessTestAction deleteTableAction = new AccessTestAction() { @Override public Object run() throws Exception { - Connection unmanagedConnection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Connection unmanagedConnection = + ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = unmanagedConnection.getAdmin(); try { - admin.disableTable(TEST_TABLE.getTableName()); - admin.deleteTable(TEST_TABLE.getTableName()); + admin.disableTable(tname); + admin.deleteTable(tname); } finally { admin.close(); unmanagedConnection.close(); @@ -1971,19 +1974,28 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(deleteTableAction, TABLE_ADMIN); } + private void createTestTable(TableName tname) throws Exception { + HTableDescriptor htd = new HTableDescriptor(tname); + HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); + hcd.setMaxVersions(100); + htd.addFamily(hcd); + htd.setOwner(USER_OWNER); + TEST_UTIL.createTable(htd, new byte[][] { Bytes.toBytes("s") }); + } + @Test public void testNamespaceUserGrant() throws Exception { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); + String namespace = TEST_TABLE.getNamespaceAsString(); // Grant namespace READ to USER_NONE, this should supersede any table permissions grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); @@ -2003,7 +2015,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } @@ -2013,8 +2025,8 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGrantRevoke. try { - grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, + testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } @@ -2024,8 +2036,8 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGrantRevoke. try { - revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, + testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); } @@ -2043,7 +2055,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { return t.get(new Get(TEST_ROW)); } } @@ -2052,26 +2064,30 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getAction, testGlobalGrantRevoke); // Grant table READ permissions to testGlobalGrantRevoke. + String userName = testGlobalGrantRevoke.getShortName(); try { grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, - testGlobalGrantRevoke.getShortName(), Permission.Action.READ); + userName, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } + try { + // Now testGlobalGrantRevoke should be able to read also + verifyAllowed(getAction, testGlobalGrantRevoke); - // Now testGlobalGrantRevoke should be able to read also - verifyAllowed(getAction, testGlobalGrantRevoke); + // Revoke table READ permission to testGlobalGrantRevoke. + try { + revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, + userName, Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke ", e); + } - // Revoke table READ permission to testGlobalGrantRevoke. - try { - revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, - testGlobalGrantRevoke.getShortName(), Permission.Action.READ); - } catch (Throwable e) { - LOG.error("error during call of AccessControlClient.revoke ", e); + // Now testGlobalGrantRevoke shouldn't be able read + verifyDenied(getAction, testGlobalGrantRevoke); + } finally { + revokeGlobal(TEST_UTIL, userName, Permission.Action.READ); } - - // Now testGlobalGrantRevoke shouldn't be able read - verifyDenied(getAction, testGlobalGrantRevoke); } @Test @@ -2082,7 +2098,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } @@ -2090,27 +2106,32 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getAction, testNS); + String userName = testNS.getShortName(); + String namespace = TEST_TABLE.getNamespaceAsString(); // Grant namespace READ to testNS, this should supersede any table permissions try { - grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, + namespace, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } + try { + // Now testNS should be able to read also + verifyAllowed(getAction, testNS); - // Now testNS should be able to read also - verifyAllowed(getAction, testNS); + // Revoke namespace READ to testNS, this should supersede any table permissions + try { + revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, + namespace, Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke ", e); + } - // Revoke namespace READ to testNS, this should supersede any table permissions - try { - revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); - } catch (Throwable e) { - LOG.error("error during call of AccessControlClient.revoke ", e); + // Now testNS shouldn't be able read + verifyDenied(getAction, testNS); + } finally { + revokeFromNamespace(TEST_UTIL, userName, namespace, Permission.Action.READ); } - - // Now testNS shouldn't be able read - verifyDenied(getAction, testNS); } @@ -2165,7 +2186,7 @@ public class TestAccessController extends SecureTestUtil { for (JVMClusterUtil.RegionServerThread thread: TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) { HRegionServer rs = thread.getRegionServer(); - for (HRegion region: rs.getOnlineRegions(TEST_TABLE.getTableName())) { + for (HRegion region: rs.getOnlineRegions(TEST_TABLE)) { region.getCoprocessorHost().load(PingCoprocessor.class, Coprocessor.PRIORITY_USER, conf); } @@ -2177,32 +2198,37 @@ public class TestAccessController extends SecureTestUtil { User userB = User.createUserForTesting(conf, "UserB", new String[0]); grantOnTable(TEST_UTIL, userA.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.EXEC); - - // Create an action for invoking our test endpoint - AccessTestAction execEndpointAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { - BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); - PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); + try { + // Create an action for invoking our test endpoint + AccessTestAction execEndpointAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(TEST_TABLE);) { + BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); + PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); + } + return null; } - return null; - } - }; + }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); - // Now grant EXEC to the entire namespace to user B - grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); - // User B should now be allowed also - verifyAllowed(execEndpointAction, userA, userB); + String namespace = TEST_TABLE.getNamespaceAsString(); + // Now grant EXEC to the entire namespace to user B + grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); + // User B should now be allowed also + verifyAllowed(execEndpointAction, userA, userB); - revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); - // Verify that EXEC permission is checked correctly - verifyDenied(execEndpointAction, userB); - verifyAllowed(execEndpointAction, userA); + revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); + // Verify that EXEC permission is checked correctly + verifyDenied(execEndpointAction, userB); + verifyAllowed(execEndpointAction, userA); + } finally { + // Cleanup, revoke the userA privileges + revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, + Permission.Action.EXEC); + } } @Test @@ -2211,7 +2237,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { KeyValue kv = new KeyValue(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, HConstants.LATEST_TIMESTAMP, HConstants.EMPTY_BYTE_ARRAY, new Tag[] { new Tag(AccessControlLists.ACL_TAG_TYPE, @@ -2251,15 +2277,15 @@ public class TestAccessController extends SecureTestUtil { try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { List existingPerms = AccessControlClient.getUserPermissions(connection, - TEST_TABLE.getTableName().getNameAsString()); + TEST_TABLE.getNameAsString()); assertTrue(existingPerms != null); assertTrue(existingPerms.size() > 1); try (Admin admin = connection.getAdmin()) { - admin.disableTable(TEST_TABLE.getTableName()); - admin.truncateTable(TEST_TABLE.getTableName(), true); + admin.disableTable(TEST_TABLE); + admin.truncateTable(TEST_TABLE, true); } List perms = AccessControlClient.getUserPermissions(connection, - TEST_TABLE.getTableName().getNameAsString()); + TEST_TABLE.getNameAsString()); assertTrue(perms != null); assertEquals(existingPerms.size(), perms.size()); } catch (Throwable thw) { @@ -2283,20 +2309,22 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAccessControlClientUserPerms() throws Exception { - // adding default prefix explicitly as it is not included in the table name. - assertEquals(NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR, - TEST_TABLE.getTableName().getNamespaceAsString()); - final String regex = NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + - TableName.NAMESPACE_DELIM + TEST_TABLE.getTableName().getNameAsString(); - User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); - assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); - // Grant TABLE ADMIN privs to testUserPerms - grantOnTable(TEST_UTIL, testUserPerms.getShortName(), TEST_TABLE.getTableName(), null, - null, Action.ADMIN); - List perms = testUserPerms.runAs(getPrivilegedAction(regex)); - assertNotNull(perms); - // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each. - assertEquals(6, perms.size()); + TableName tname = TableName.valueOf("testAccessControlClientUserPerms"); + createTestTable(tname); + try { + final String regex = NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + + TableName.NAMESPACE_DELIM + tname.getNameAsString(); + User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); + assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); + // Grant TABLE ADMIN privs to testUserPerms + grantOnTable(TEST_UTIL, testUserPerms.getShortName(), tname, null, null, Action.ADMIN); + List perms = testUserPerms.runAs(getPrivilegedAction(regex)); + assertNotNull(perms); + // Superuser, testUserPerms + assertEquals(2, perms.size()); + } finally { + TEST_UTIL.deleteTable(tname); + } } @Test @@ -2361,14 +2389,16 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction prepareBulkLoadAction = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.prePrepareBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), null); + ACCESS_CONTROLLER.prePrepareBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), + null); return null; } }; AccessTestAction cleanupBulkLoadAction = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preCleanupBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), null); + ACCESS_CONTROLLER.preCleanupBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null), + null); return null; } };