hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject [1/6] hbase git commit: HBASE-14210 Create test for cell level ACLs involving user group
Date Wed, 19 Aug 2015 01:27:18 GMT
Repository: hbase
Updated Branches:
  refs/heads/0.98 6012dd69d -> 6361d19e8
  refs/heads/branch-1 2599ed710 -> 22d39c071
  refs/heads/branch-1.0 1f7bd0371 -> 7cde21a0a
  refs/heads/branch-1.1 0acbff24c -> 840684613
  refs/heads/branch-1.2 af8e6f7e5 -> 3c83de4ea
  refs/heads/master 3fa86a98a -> 1bb9e3ae9


HBASE-14210 Create test for cell level ACLs involving user group

Signed-off-by: Andrew Purtell <apurtell@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/1bb9e3ae
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/1bb9e3ae
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/1bb9e3ae

Branch: refs/heads/master
Commit: 1bb9e3ae966853db8c4138b4abbe14636d7592db
Parents: 3fa86a9
Author: Ashish Singhi <ashish.singhi@huawei.com>
Authored: Tue Aug 18 16:53:55 2015 -0700
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Tue Aug 18 16:53:55 2015 -0700

----------------------------------------------------------------------
 .../access/TestCellACLWithMultipleVersions.java | 356 +++++++++++--------
 .../hbase/security/access/TestCellACLs.java     | 100 ++++--
 2 files changed, 279 insertions(+), 177 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/1bb9e3ae/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
index c7c49cd..a98bfc3 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.hbase.security.access;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 
+import java.io.IOException;
 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
 import java.util.Map;
@@ -27,6 +28,7 @@ import java.util.Map;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.AuthUtil;
 import org.apache.hadoop.hbase.Coprocessor;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HColumnDescriptor;
@@ -43,6 +45,7 @@ import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
 import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
 import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.testclassification.MediumTests;
 import org.apache.hadoop.hbase.testclassification.SecurityTests;
 import org.apache.hadoop.hbase.util.Bytes;
@@ -83,10 +86,14 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
 
   private static Configuration conf;
 
+  private static final String GROUP = "group";
+  private static User GROUP_USER;
   private static User USER_OWNER;
   private static User USER_OTHER;
   private static User USER_OTHER2;
 
+  private static String[] usersAndGroups;
+
   @BeforeClass
   public static void setupBeforeClass() throws Exception {
     // setup configuration
@@ -117,6 +124,9 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
     USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
     USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
     USER_OTHER2 = User.createUserForTesting(conf, "other2", new String[0]);
+    GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP });
+
+    usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP)
};
   }
 
   @AfterClass
@@ -150,6 +160,8 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
   public void testCellPermissionwithVersions() throws Exception {
     // store two sets of values, one store with a cell level ACL, and one
     // without
+    final Map<String, Permission> writePerms = prepareCellPermissions(usersAndGroups,
Action.WRITE);
+    final Map<String, Permission> readPerms = prepareCellPermissions(usersAndGroups,
Action.READ);
     verifyAllowed(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
@@ -158,20 +170,20 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
           Put p;
           // with ro ACL
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
+          p.setACL(writePerms);
           t.put(p);
           // with ro ACL
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
+          p.setACL(readPerms);
           t.put(p);
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
+          p.setACL(writePerms);
           t.put(p);
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
+          p.setACL(readPerms);
           t.put(p);
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
+          p.setACL(writePerms);
           t.put(p);
         }
         return null;
@@ -205,6 +217,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
     };
     // Confirm special read access set at cell level
 
+    verifyAllowed(GROUP_USER, getQ1, 2);
     verifyAllowed(USER_OTHER, getQ1, 2);
 
     // store two sets of values, one store with a cell level ACL, and one
@@ -216,13 +229,13 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
             Table t = connection.getTable(TEST_TABLE.getTableName())) {
           Put p;
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
+          p.setACL(writePerms);
           t.put(p);
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
+          p.setACL(readPerms);
           t.put(p);
           p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.WRITE));
+          p.setACL(writePerms);
           t.put(p);
         }
         return null;
@@ -231,6 +244,15 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
     // Confirm special read access set at cell level
 
     verifyAllowed(USER_OTHER, get2, 1);
+    verifyAllowed(GROUP_USER, get2, 1);
+  }
+
+  private Map<String, Permission> prepareCellPermissions(String[] users, Action...
action) {
+    Map<String, Permission> perms = new HashMap<String, Permission>(2);
+    for (String user : users) {
+      perms.put(user, new Permission(action));
+    }
+    return perms;
   }
 
   @Test
@@ -276,18 +298,16 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       public Object run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            // with rw ACL for "user1" and "user2"
+            // with rw ACL for "user1", "user2" and "@group"
             Put p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, ZERO);
             p.add(TEST_FAMILY1, TEST_Q2, ZERO);
-            Map<String, Permission> perms = new HashMap<String, Permission>();
-            perms.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            perms.put(user2.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
+            Map<String, Permission> perms =
+                prepareCellPermissions(new String[] { user1.getShortName(), user2.getShortName(),
+                    AuthUtil.toGroupEntry(GROUP) }, Action.READ, Action.WRITE);
             p.setACL(perms);
             t.put(p);
-            // with rw ACL for "user1" and "user2"
+            // with rw ACL for "user1", "user2" and "@group"
             p = new Put(TEST_ROW2);
             p.add(TEST_FAMILY1, TEST_Q1, ZERO);
             p.add(TEST_FAMILY1, TEST_Q2, ZERO);
@@ -317,32 +337,42 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
     });
     // user2 should not be allowed to delete TEST_ROW2 as he is having write permission only
on one
     // version of the cells.
-    user2.runAs(new PrivilegedExceptionAction<Void>() {
+    verifyUserDeniedForDeleteMultipleVersions(user2, TEST_ROW2, TEST_Q1, TEST_Q2);
+
+    // GROUP_USER should not be allowed to delete TEST_ROW2 as he is having write permission
only on
+    // one version of the cells.
+    verifyUserDeniedForDeleteMultipleVersions(GROUP_USER, TEST_ROW2, TEST_Q1, TEST_Q2);
+
+    // user1 should be allowed to delete the cf. (All data under cf for a row)
+    user1.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
             Delete d = new Delete(TEST_ROW2);
-            d.deleteColumns(TEST_FAMILY1, TEST_Q1);
-            d.deleteColumns(TEST_FAMILY1, TEST_Q2);
+            d.deleteFamily(TEST_FAMILY1);
             t.delete(d);
-            fail("user2 should not be allowed to delete the row");
-          } catch (Exception e) {
-
           }
         }
         return null;
       }
     });
-    // user1 should be allowed to delete the cf. (All data under cf for a row)
-    user1.runAs(new PrivilegedExceptionAction<Void>() {
+  }
+
+  private void verifyUserDeniedForDeleteMultipleVersions(final User user, final byte[] row,
+      final byte[] q1, final byte[] q2) throws IOException, InterruptedException {
+    user.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Delete d = new Delete(TEST_ROW2);
-            d.deleteFamily(TEST_FAMILY1);
+            Delete d = new Delete(row);
+            d.addColumns(TEST_FAMILY1, q1);
+            d.addColumns(TEST_FAMILY1, q2);
             t.delete(d);
+            fail(user.getShortName() + " should not be allowed to delete the row");
+          } catch (Exception e) {
+
           }
         }
         return null;
@@ -362,14 +392,19 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
             // Store a read write ACL without a timestamp, server will use current time
             Put p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q2, ONE);
-            p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
+            Map<String, Permission> readAndWritePerms =
+                prepareCellPermissions(usersAndGroups, Action.READ, Action.WRITE);
+            p.setACL(readAndWritePerms);
+            t.put(p);
+            p = new Put(TEST_ROW).add(TEST_FAMILY2, TEST_Q2, ONE);
+            p.setACL(readAndWritePerms);
             t.put(p);
             LOG.info("Stored at current time");
             // Store read only ACL at a future time
             p = new Put(TEST_ROW).add(TEST_FAMILY1, TEST_Q1,
                 EnvironmentEdgeManager.currentTime() + 1000000, ZERO);
-            p.setACL(USER_OTHER.getShortName(), new Permission(Permission.Action.READ));
+            p.setACL(prepareCellPermissions(new String[]{ USER_OTHER.getShortName(),
+                AuthUtil.toGroupEntry(GROUP)}, Action.READ));
             t.put(p);
           }
         }
@@ -403,17 +438,32 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       }
     };
 
-    verifyAllowed(getQ1, USER_OWNER, USER_OTHER);
-    verifyAllowed(getQ2, USER_OWNER, USER_OTHER);
+    verifyAllowed(getQ1, USER_OWNER, USER_OTHER, GROUP_USER);
+    verifyAllowed(getQ2, USER_OWNER, USER_OTHER, GROUP_USER);
 
 
     // Issue a DELETE for the family, should succeed because the future ACL is
     // not considered
+    AccessTestAction deleteFamily1 = getDeleteFamilyAction(TEST_FAMILY1);
+    AccessTestAction deleteFamily2 = getDeleteFamilyAction(TEST_FAMILY2);
+
+    verifyAllowed(deleteFamily1, USER_OTHER);
+    verifyAllowed(deleteFamily2, GROUP_USER);
+
+    // The future put should still exist
+
+    verifyAllowed(getQ1, USER_OWNER, USER_OTHER,GROUP_USER);
+
+    // The other put should be covered by the tombstone
 
-    AccessTestAction deleteFamily = new AccessTestAction() {
+    verifyIfNull(getQ2, USER_OTHER, GROUP_USER);
+  }
+
+  private AccessTestAction getDeleteFamilyAction(final byte[] fam) {
+    AccessTestAction deleteFamilyAction = new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        Delete delete = new Delete(TEST_ROW).deleteFamily(TEST_FAMILY1);
+        Delete delete = new Delete(TEST_ROW).addFamily(fam);
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
             t.delete(delete);
@@ -422,16 +472,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
         return null;
       }
     };
-
-    verifyAllowed(deleteFamily, USER_OTHER);
-
-    // The future put should still exist
-    
-    verifyAllowed(getQ1, USER_OWNER, USER_OTHER);
-    
-    // The other put should be covered by the tombstone
-
-    verifyIfNull(getQ2, USER_OTHER);
+    return deleteFamilyAction;
   }
 
   @Test
@@ -445,32 +486,27 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
             Put p = new Put(TEST_ROW);
             p.add(TEST_FAMILY1, TEST_Q1, 123L, ZERO);
             p.add(TEST_FAMILY1, TEST_Q2, 123L, ZERO);
-            Map<String, Permission> perms = new HashMap<String, Permission>();
-            perms.put(USER_OTHER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            perms.put(USER_OTHER2.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            p.setACL(perms);
+            p.setACL(prepareCellPermissions(
+              new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP),
+                  USER_OTHER2.getShortName() }, Permission.Action.READ, Permission.Action.WRITE));
             t.put(p);
 
             // This version (TS = 125) with rw ACL for USER_OTHER
             p = new Put(TEST_ROW);
             p.add(TEST_FAMILY1, TEST_Q1, 125L, ONE);
             p.add(TEST_FAMILY1, TEST_Q2, 125L, ONE);
-            perms = new HashMap<String, Permission>();
-            perms.put(USER_OTHER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            p.setACL(perms);
+            p.setACL(prepareCellPermissions(
+              new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) },
+              Action.READ, Action.WRITE));
             t.put(p);
 
             // This version (TS = 127) with rw ACL for USER_OTHER
             p = new Put(TEST_ROW);
             p.add(TEST_FAMILY1, TEST_Q1, 127L, TWO);
             p.add(TEST_FAMILY1, TEST_Q2, 127L, TWO);
-            perms = new HashMap<String, Permission>();
-            perms.put(USER_OTHER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            p.setACL(perms);
+            p.setACL(prepareCellPermissions(
+              new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) },
+              Action.READ, Action.WRITE));
             t.put(p);
 
             return null;
@@ -525,28 +561,26 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       public Object run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Map<String, Permission> permsU1andOwner = new HashMap<String, Permission>();
-            permsU1andOwner.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            Map<String, Permission> permsU2andOwner = new HashMap<String, Permission>();
-            permsU2andOwner.put(user2.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU2andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
+            Map<String, Permission> permsU1andOwner =
+                prepareCellPermissions(
+                  new String[] { user1.getShortName(), USER_OWNER.getShortName() }, Action.READ,
+                  Action.WRITE);
+            Map<String, Permission> permsU2andGUandOwner =
+                prepareCellPermissions(
+                  new String[] { user2.getShortName(), AuthUtil.toGroupEntry(GROUP),
+                      USER_OWNER.getShortName() }, Action.READ, Action.WRITE);
             Put p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 123, ZERO);
             p.setACL(permsU1andOwner);
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 123, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY2, TEST_Q1, 123, ZERO);
             p.add(TEST_FAMILY2, TEST_Q2, 123, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
 
             p = new Put(TEST_ROW1);
@@ -557,7 +591,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
 
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 127, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 127, ZERO);
@@ -592,17 +626,23 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       }
     });
 
-    user2.runAs(new PrivilegedExceptionAction<Void>() {
+    verifyUserDeniedForDeleteExactVersion(user2, TEST_ROW1, TEST_Q1, TEST_Q2);
+    verifyUserDeniedForDeleteExactVersion(GROUP_USER, TEST_ROW1, TEST_Q1, TEST_Q2);
+  }
+
+  private void verifyUserDeniedForDeleteExactVersion(final User user, final byte[] row,
+      final byte[] q1, final byte[] q2) throws IOException, InterruptedException {
+    user.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Delete d = new Delete(TEST_ROW1, 127);
-            d.deleteColumns(TEST_FAMILY1, TEST_Q1);
-            d.deleteColumns(TEST_FAMILY1, TEST_Q2);
-            d.deleteFamily(TEST_FAMILY2, 129);
+            Delete d = new Delete(row, 127);
+            d.addColumns(TEST_FAMILY1, q1);
+            d.addColumns(TEST_FAMILY1, q2);
+            d.addFamily(TEST_FAMILY2, 129);
             t.delete(d);
-            fail("user2 can not do the delete");
+            fail(user.getShortName() + " can not do the delete");
           } catch (Exception e) {
 
           }
@@ -627,28 +667,26 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       public Object run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Map<String, Permission> permsU1andOwner = new HashMap<String, Permission>();
-            permsU1andOwner.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            Map<String, Permission> permsU2andOwner = new HashMap<String, Permission>();
-            permsU2andOwner.put(user2.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU2andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
+            Map<String, Permission> permsU1andOwner =
+                prepareCellPermissions(
+                  new String[] { user1.getShortName(), USER_OWNER.getShortName() }, Action.READ,
+                  Action.WRITE);
+            Map<String, Permission> permsU2andGUandOwner =
+                prepareCellPermissions(
+                  new String[] { user2.getShortName(), AuthUtil.toGroupEntry(GROUP),
+                      USER_OWNER.getShortName() }, Action.READ, Action.WRITE);
             Put p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 123, ZERO);
             p.setACL(permsU1andOwner);
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 123, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
 
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 127, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 127, ZERO);
@@ -677,16 +715,22 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       }
     });
 
-    user2.runAs(new PrivilegedExceptionAction<Void>() {
+    verifyUserDeniedForIncrementMultipleVersions(user2, TEST_ROW1, TEST_Q2);
+    verifyUserDeniedForIncrementMultipleVersions(GROUP_USER, TEST_ROW1, TEST_Q2);
+  }
+
+  private void verifyUserDeniedForIncrementMultipleVersions(final User user, final byte[]
row,
+      final byte[] q1) throws IOException, InterruptedException {
+    user.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Increment inc = new Increment(TEST_ROW1);
+            Increment inc = new Increment(row);
             inc.setTimeRange(0, 127);
-            inc.addColumn(TEST_FAMILY1, TEST_Q2, 2L);
+            inc.addColumn(TEST_FAMILY1, q1, 2L);
             t.increment(inc);
-            fail();
+            fail(user.getShortName() + " cannot do the increment.");
           } catch (Exception e) {
 
           }
@@ -711,15 +755,17 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       public Object run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Map<String, Permission> permsU1andOwner = new HashMap<String, Permission>();
-            permsU1andOwner.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            Map<String, Permission> permsU2andOwner = new HashMap<String, Permission>();
-            permsU2andOwner.put(user2.getShortName(), new Permission(Permission.Action.READ,
+            Map<String, Permission> permsU1andOwner =
+                prepareCellPermissions(
+                  new String[] { user1.getShortName(), USER_OWNER.getShortName() }, Action.READ,
+                  Action.WRITE);
+            Map<String, Permission> permsU2andGUandOwner =
+                prepareCellPermissions(
+                  new String[] { user1.getShortName(), AuthUtil.toGroupEntry(GROUP),
+                      USER_OWNER.getShortName() }, Action.READ, Action.WRITE);
+            permsU2andGUandOwner.put(user2.getShortName(), new Permission(Permission.Action.READ,
                 Permission.Action.WRITE));
-            permsU2andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
+            permsU2andGUandOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
                 Permission.Action.WRITE));
             Put p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 123, ZERO);
@@ -727,12 +773,12 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 123, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
 
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 127, ZERO);
-            p.setACL(permsU2andOwner);
+            p.setACL(permsU2andGUandOwner);
             t.put(p);
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 127, ZERO);
@@ -764,18 +810,24 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
       }
     });
 
-    // Should be denied.
-    user2.runAs(new PrivilegedExceptionAction<Void>() {
+    verifyUserDeniedForPutMultipleVersions(user2, TEST_ROW1, TEST_Q1, TEST_Q2, ZERO);
+    verifyUserDeniedForPutMultipleVersions(GROUP_USER, TEST_ROW1, TEST_Q1, TEST_Q2, ZERO);
+  }
+
+  private void verifyUserDeniedForPutMultipleVersions(final User user, final byte[] row,
+      final byte[] q1, final byte[] q2, final byte[] value) throws IOException,
+      InterruptedException {
+    user.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Put p = new Put(TEST_ROW1);
+            Put p = new Put(row);
             // column Q1 covers version at 123 fr which user2 do not have permission
-            p.add(TEST_FAMILY1, TEST_Q1, 124, ZERO);
-            p.add(TEST_FAMILY1, TEST_Q2, ZERO);
+            p.addColumn(TEST_FAMILY1, q1, 124, value);
+            p.addColumn(TEST_FAMILY1, q2, value);
             t.put(p);
-            fail();
+            fail(user.getShortName() + " cannot do the put.");
           } catch (Exception e) {
 
           }
@@ -788,55 +840,57 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
   @Test
   public void testCellPermissionsForCheckAndDelete() throws Exception {
     final byte[] TEST_ROW1 = Bytes.toBytes("r1");
+    final byte[] TEST_Q3 = Bytes.toBytes("q3");
     final byte[] ZERO = Bytes.toBytes(0L);
 
     final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
     final User user2 = User.createUserForTesting(conf, "user2", new String[0]);
-    
+
     verifyAllowed(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Map<String, Permission> permsU1andOwner = new HashMap<String, Permission>();
-            permsU1andOwner.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            Map<String, Permission> permsU1andU2andOwner = new HashMap<String, Permission>();
-            permsU1andU2andOwner.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andU2andOwner.put(user2.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andU2andOwner.put(USER_OWNER.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            Map<String, Permission> permsU1andU2 = new HashMap<String, Permission>();
-            permsU1andU2.put(user1.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
-            permsU1andU2.put(user2.getShortName(), new Permission(Permission.Action.READ,
-                Permission.Action.WRITE));
+            Map<String, Permission> permsU1andOwner =
+                prepareCellPermissions(
+                  new String[] { user1.getShortName(), USER_OWNER.getShortName() }, Action.READ,
+                  Action.WRITE);
+            Map<String, Permission> permsU1andU2andGUandOwner =
+                prepareCellPermissions(new String[] { user1.getShortName(), user2.getShortName(),
+                    AuthUtil.toGroupEntry(GROUP), USER_OWNER.getShortName() }, Action.READ,
+                  Action.WRITE);
+            Map<String, Permission> permsU1_U2andGU =
+                prepareCellPermissions(new String[] { user1.getShortName(), user2.getShortName(),
+                    AuthUtil.toGroupEntry(GROUP) }, Action.READ, Action.WRITE);
 
             Put p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 120, ZERO);
             p.add(TEST_FAMILY1, TEST_Q2, 120, ZERO);
-            p.setACL(permsU1andU2andOwner);
+            p.add(TEST_FAMILY1, TEST_Q3, 120, ZERO);
+            p.setACL(permsU1andU2andGUandOwner);
             t.put(p);
 
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 123, ZERO);
             p.add(TEST_FAMILY1, TEST_Q2, 123, ZERO);
+            p.add(TEST_FAMILY1, TEST_Q3, 123, ZERO);
             p.setACL(permsU1andOwner);
             t.put(p);
 
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q1, 127, ZERO);
-            p.setACL(permsU1andU2);
+            p.setACL(permsU1_U2andGU);
             t.put(p);
 
             p = new Put(TEST_ROW1);
             p.add(TEST_FAMILY1, TEST_Q2, 127, ZERO);
             p.setACL(user2.getShortName(), new Permission(Permission.Action.READ));
             t.put(p);
+
+            p = new Put(TEST_ROW1);
+            p.addColumn(TEST_FAMILY1, TEST_Q3, 127, ZERO);
+            p.setACL(AuthUtil.toGroupEntry(GROUP), new Permission(Permission.Action.READ));
+            t.put(p);
           }
         }
         return null;
@@ -860,32 +914,54 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil
{
     });
     // user2 shouldn't be allowed to do the checkAndDelete. user2 having RW permission on
the latest
     // version cell but not on cell version TS=123
-    user2.runAs(new PrivilegedExceptionAction<Void>() {
+    verifyUserDeniedForCheckAndDelete(user2, TEST_ROW1, ZERO);
+
+    // GROUP_USER shouldn't be allowed to do the checkAndDelete. GROUP_USER having RW permission
on
+    // the latest
+    // version cell but not on cell version TS=123
+    verifyUserDeniedForCheckAndDelete(GROUP_USER, TEST_ROW1, ZERO);
+
+    // user2 should be allowed to do the checkAndDelete when delete tries to delete the old
version
+    // TS=120. user2 having R permission on the latest version(no W permission) cell
+    // and W permission on cell version TS=120.
+    verifyUserAllowedforCheckAndDelete(user2, TEST_ROW1, TEST_Q2, ZERO);
+
+    // GROUP_USER should be allowed to do the checkAndDelete when delete tries to delete
the old
+    // version
+    // TS=120. user2 having R permission on the latest version(no W permission) cell
+    // and W permission on cell version TS=120.
+    verifyUserAllowedforCheckAndDelete(GROUP_USER, TEST_ROW1, TEST_Q3, ZERO);
+  }
+
+  private void verifyUserAllowedforCheckAndDelete(final User user, final byte[] row,
+      final byte[] q1, final byte[] value) throws IOException, InterruptedException {
+    user.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Delete d = new Delete(TEST_ROW1);
-            d.deleteColumns(TEST_FAMILY1, TEST_Q1);
-            t.checkAndDelete(TEST_ROW1, TEST_FAMILY1, TEST_Q1, ZERO, d);
-            fail("user2 should not be allowed to do checkAndDelete");
-          } catch (Exception e) {
+            Delete d = new Delete(row);
+            d.addColumn(TEST_FAMILY1, q1, 120);
+            t.checkAndDelete(row, TEST_FAMILY1, q1, value, d);
           }
         }
         return null;
       }
     });
-    // user2 should be allowed to do the checkAndDelete when delete tries to delete the old
version
-    // TS=120. user2 having R permission on the latest version(no W permission) cell
-    // and W permission on cell version TS=120.
-    user2.runAs(new PrivilegedExceptionAction<Void>() {
+  }
+
+  private void verifyUserDeniedForCheckAndDelete(final User user, final byte[] row,
+      final byte[] value) throws IOException, InterruptedException {
+    user.runAs(new PrivilegedExceptionAction<Void>() {
       @Override
       public Void run() throws Exception {
         try (Connection connection = ConnectionFactory.createConnection(conf)) {
           try (Table t = connection.getTable(TEST_TABLE.getTableName())) {
-            Delete d = new Delete(TEST_ROW1);
-            d.deleteColumn(TEST_FAMILY1, TEST_Q2, 120);
-            t.checkAndDelete(TEST_ROW1, TEST_FAMILY1, TEST_Q2, ZERO, d);
+            Delete d = new Delete(row);
+            d.addColumns(TEST_FAMILY1, TEST_Q1);
+            t.checkAndDelete(row, TEST_FAMILY1, TEST_Q1, value, d);
+            fail(user.getShortName() + " should not be allowed to do checkAndDelete");
+          } catch (Exception e) {
           }
         }
         return null;

http://git-wip-us.apache.org/repos/asf/hbase/blob/1bb9e3ae/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
index aed9bc2..31345ca 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
@@ -19,11 +19,14 @@ package org.apache.hadoop.hbase.security.access;
 
 import static org.junit.Assert.assertEquals;
 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.AuthUtil;
 import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.Coprocessor;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
@@ -35,7 +38,6 @@ import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
 import org.apache.hadoop.hbase.client.Delete;
 import org.apache.hadoop.hbase.client.Get;
-import org.apache.hadoop.hbase.client.HTable;
 import org.apache.hadoop.hbase.client.Increment;
 import org.apache.hadoop.hbase.client.Put;
 import org.apache.hadoop.hbase.client.Result;
@@ -87,8 +89,11 @@ public class TestCellACLs extends SecureTestUtil {
 
   private static Configuration conf;
 
+  private static final String GROUP = "group";
+  private static User GROUP_USER;
   private static User USER_OWNER;
   private static User USER_OTHER;
+  private static String[] usersAndGroups;
 
   @BeforeClass
   public static void setupBeforeClass() throws Exception {
@@ -119,6 +124,9 @@ public class TestCellACLs extends SecureTestUtil {
     // create a set of test users
     USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
     USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
+    GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP });
+
+    usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP)
};
   }
 
   @AfterClass
@@ -152,11 +160,11 @@ public class TestCellACLs extends SecureTestUtil {
           Put p;
           // with ro ACL
           p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Action.READ));
+          p.setACL(prepareCellPermissions(usersAndGroups, Action.READ));
           t.put(p);
           // with rw ACL
           p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q2, ZERO);
-          p.setACL(USER_OTHER.getShortName(), new Permission(Action.READ, Action.WRITE));
+          p.setACL(prepareCellPermissions(usersAndGroups, Action.READ, Action.WRITE));
           t.put(p);
           // no ACL
           p = new Put(TEST_ROW)
@@ -216,13 +224,13 @@ public class TestCellACLs extends SecureTestUtil {
 
     // Confirm special read access set at cell level
 
-    verifyAllowed(getQ1, USER_OTHER);
-    verifyAllowed(getQ2, USER_OTHER);
+    verifyAllowed(getQ1, USER_OTHER, GROUP_USER);
+    verifyAllowed(getQ2, USER_OTHER, GROUP_USER);
 
     // Confirm this access does not extend to other cells
 
-    verifyIfNull(getQ3, USER_OTHER);
-    verifyIfNull(getQ4, USER_OTHER);
+    verifyIfNull(getQ3, USER_OTHER, GROUP_USER);
+    verifyIfNull(getQ4, USER_OTHER, GROUP_USER);
 
     /* ---- Scans ---- */
 
@@ -266,6 +274,10 @@ public class TestCellACLs extends SecureTestUtil {
     verifyAllowed(scanAction, USER_OTHER);
     assertEquals(2, scanResults.size());
 
+    scanResults.clear();
+    verifyAllowed(scanAction, GROUP_USER);
+    assertEquals(2, scanResults.size());
+
     /* ---- Increments ---- */
 
     AccessTestAction incrementQ1 = new AccessTestAction() {
@@ -296,8 +308,8 @@ public class TestCellACLs extends SecureTestUtil {
       @Override
       public Object run() throws Exception {
         Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2, 1L);
-        // Tag this increment with an ACL that denies write permissions to USER_OTHER
-        i.setACL(USER_OTHER.getShortName(), new Permission(Action.READ));
+        // Tag this increment with an ACL that denies write permissions to USER_OTHER and
GROUP
+        i.setACL(prepareCellPermissions(usersAndGroups, Action.READ));
         try(Connection connection = ConnectionFactory.createConnection(conf);
             Table t = connection.getTable(TEST_TABLE.getTableName())) {
           t.increment(i);
@@ -318,16 +330,16 @@ public class TestCellACLs extends SecureTestUtil {
       }
     };
 
-    verifyDenied(incrementQ1, USER_OTHER);
-    verifyDenied(incrementQ3, USER_OTHER);
+    verifyDenied(incrementQ1, USER_OTHER, GROUP_USER);
+    verifyDenied(incrementQ3, USER_OTHER, GROUP_USER);
 
-    // We should be able to increment Q2 twice, the previous ACL will be
-    // carried forward
-    verifyAllowed(incrementQ2, USER_OTHER);
+    // We should be able to increment until the permissions are revoked (including the action
in
+    // which permissions are revoked, the previous ACL will be carried forward)
+    verifyAllowed(incrementQ2, USER_OTHER, GROUP_USER);
     verifyAllowed(incrementQ2newDenyACL, USER_OTHER);
     // But not again after we denied ourselves write permission with an ACL
     // update
-    verifyDenied(incrementQ2, USER_OTHER);
+    verifyDenied(incrementQ2, USER_OTHER, GROUP_USER);
 
     /* ---- Deletes ---- */
 
@@ -355,8 +367,8 @@ public class TestCellACLs extends SecureTestUtil {
       }
     };
 
-    verifyDenied(deleteFamily, USER_OTHER);
-    verifyDenied(deleteQ1, USER_OTHER);
+    verifyDenied(deleteFamily, USER_OTHER, GROUP_USER);
+    verifyDenied(deleteQ1, USER_OTHER, GROUP_USER);
     verifyAllowed(deleteQ1, USER_OWNER);
   }
 
@@ -367,24 +379,18 @@ public class TestCellACLs extends SecureTestUtil {
   @Test
   public void testCoveringCheck() throws Exception {
     // Grant read access to USER_OTHER
-    grantOnTable(TEST_UTIL, USER_OTHER.getShortName(), TEST_TABLE.getTableName(),
-      TEST_FAMILY, null, Action.READ);
+    grantOnTable(TEST_UTIL, USER_OTHER.getShortName(), TEST_TABLE.getTableName(), TEST_FAMILY,
+      null, Action.READ);
+    // Grant read access to GROUP
+    grantOnTable(TEST_UTIL, AuthUtil.toGroupEntry(GROUP), TEST_TABLE.getTableName(), TEST_FAMILY,
+      null, Action.READ);
 
     // A write by USER_OTHER should be denied.
     // This is where we could have a big problem if there is an error in the
     // covering check logic.
-    verifyDenied(new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        try(Connection connection = ConnectionFactory.createConnection(conf);
-            Table t = connection.getTable(TEST_TABLE.getTableName())) {
-          Put p;
-          p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ZERO);
-          t.put(p);
-        }
-        return null;
-      }
-    }, USER_OTHER);
+    verifyUserDeniedForWrite(USER_OTHER, ZERO);
+    // A write by GROUP_USER from group GROUP should be denied.
+    verifyUserDeniedForWrite(GROUP_USER, ZERO);
 
     // Add the cell
     verifyAllowed(new AccessTestAction() {
@@ -401,29 +407,49 @@ public class TestCellACLs extends SecureTestUtil {
     }, USER_OWNER);
 
     // A write by USER_OTHER should still be denied, just to make sure
+    verifyUserDeniedForWrite(USER_OTHER, ONE);
+    // A write by GROUP_USER from group GROUP should still be denied
+    verifyUserDeniedForWrite(GROUP_USER, ONE);
+
+    // A read by USER_OTHER should be allowed, just to make sure
+    verifyUserAllowedForRead(USER_OTHER);
+    // A read by GROUP_USER from group GROUP should be allowed
+    verifyUserAllowedForRead(GROUP_USER);
+  }
+
+  private void verifyUserDeniedForWrite(final User user, final byte[] value) throws Exception
{
     verifyDenied(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        try(Connection connection = ConnectionFactory.createConnection(conf);
+        try (Connection connection = ConnectionFactory.createConnection(conf);
             Table t = connection.getTable(TEST_TABLE.getTableName())) {
           Put p;
-          p = new Put(TEST_ROW).add(TEST_FAMILY, TEST_Q1, ONE);
+          p = new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, value);
           t.put(p);
         }
         return null;
       }
-    }, USER_OTHER);
+    }, user);
+  }
 
-    // A read by USER_OTHER should be allowed, just to make sure
+  private void verifyUserAllowedForRead(final User user) throws Exception {
     verifyAllowed(new AccessTestAction() {
       @Override
       public Object run() throws Exception {
-        try(Connection connection = ConnectionFactory.createConnection(conf);
+        try (Connection connection = ConnectionFactory.createConnection(conf);
             Table t = connection.getTable(TEST_TABLE.getTableName())) {
           return t.get(new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1));
         }
       }
-    }, USER_OTHER);
+    }, user);
+  }
+
+  private Map<String, Permission> prepareCellPermissions(String[] users, Action...
action) {
+    Map<String, Permission> perms = new HashMap<String, Permission>(2);
+    for (String user : users) {
+      perms.put(user, new Permission(action));
+    }
+    return perms;
   }
 
   @After


Mime
View raw message