This is an automated email from the ASF dual-hosted git repository.
zghao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/master by this push:
new 94d9dc1 HBASE-22084 Rename AccessControlLists to PermissionStorage
94d9dc1 is described below
commit 94d9dc1e84f57c722de60398f0fd7fc7f83726a0
Author: meiyi <myimeiyi@gamil.com>
AuthorDate: Wed Apr 10 16:49:11 2019 +0800
HBASE-22084 Rename AccessControlLists to PermissionStorage
Signed-off-by: Guanghao Zhang <zghao@apache.org>
---
.../hadoop/hbase/coprocessor/TestSecureExport.java | 10 +--
.../snapshot/TestMobSecureExportSnapshot.java | 5 +-
.../hbase/snapshot/TestSecureExportSnapshot.java | 4 +-
.../hadoop/hbase/rsgroup/TestRSGroupsWithACL.java | 12 ++--
.../hbase/tmpl/master/MasterStatusTmpl.jamon | 4 +-
.../hadoop/hbase/master/MasterRpcServices.java | 18 ++---
.../hbase/security/access/AccessController.java | 78 +++++++++++-----------
.../hadoop/hbase/security/access/AuthManager.java | 14 ++--
...essControlLists.java => PermissionStorage.java} | 56 ++++++++++------
.../hbase/security/access/ZKPermissionWatcher.java | 10 +--
.../hbase/snapshot/SnapshotDescriptionUtils.java | 6 +-
.../hadoop/hbase/TestJMXConnectorServer.java | 2 -
.../hbase/client/SnapshotWithAclTestBase.java | 4 +-
.../client/TestAsyncAccessControlAdminApi.java | 4 +-
.../hbase/security/access/SecureTestUtil.java | 2 +-
.../security/access/TestAccessControlFilter.java | 2 +-
.../security/access/TestAccessController.java | 29 ++++----
.../security/access/TestAccessController2.java | 21 +++---
.../security/access/TestAccessController3.java | 12 ++--
.../access/TestCellACLWithMultipleVersions.java | 4 +-
.../hadoop/hbase/security/access/TestCellACLs.java | 4 +-
.../security/access/TestNamespaceCommands.java | 14 ++--
.../hbase/security/access/TestRpcAccessChecks.java | 2 +-
.../security/access/TestScanEarlyTermination.java | 4 +-
.../security/access/TestTablePermissions.java | 56 ++++++++--------
.../access/TestWithDisabledAuthorization.java | 12 ++--
.../security/access/TestZKPermissionWatcher.java | 4 +-
.../visibility/TestVisibilityLabelsWithACL.java | 4 +-
.../tool/TestSecureLoadIncrementalHFiles.java | 4 +-
...stSecureLoadIncrementalHFilesSplitRecovery.java | 4 +-
hbase-shell/src/main/ruby/hbase/security.rb | 2 +-
src/main/asciidoc/_chapters/security.adoc | 23 ++-----
32 files changed, 210 insertions(+), 220 deletions(-)
diff --git a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
index 31bfd37..71175c4 100644
--- a/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
+++ b/hbase-endpoint/src/test/java/org/apache/hadoop/hbase/coprocessor/TestSecureExport.java
@@ -54,8 +54,8 @@ import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTest
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlConstants;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction;
import org.apache.hadoop.hbase.security.visibility.Authorizations;
@@ -204,9 +204,9 @@ public class TestSecureExport {
SecureTestUtil.verifyConfiguration(UTIL.getConfiguration());
setUpClusterKdc();
UTIL.startMiniCluster();
- UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
UTIL.waitUntilAllRegionsAssigned(VisibilityConstants.LABELS_TABLE_NAME);
- UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME, 50000);
+ UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME, 50000);
UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME, 50000);
SecureTestUtil.grantGlobal(UTIL, USER_ADMIN,
Permission.Action.ADMIN,
@@ -249,8 +249,8 @@ public class TestSecureExport {
SecureTestUtil.grantOnTable(UTIL, USER_XO,
TableName.valueOf(exportTable), null, null,
Permission.Action.EXEC);
- assertEquals(4, AccessControlLists.getTablePermissions(UTIL.getConfiguration(),
- TableName.valueOf(exportTable)).size());
+ assertEquals(4, PermissionStorage
+ .getTablePermissions(UTIL.getConfiguration(), TableName.valueOf(exportTable)).size());
AccessTestAction putAction = () -> {
Put p = new Put(ROW1);
p.addColumn(FAMILYA, Bytes.toBytes("qual_0"), NOW, QUAL);
diff --git a/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestMobSecureExportSnapshot.java b/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestMobSecureExportSnapshot.java
index 1a5756b..484f88a 100644
--- a/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestMobSecureExportSnapshot.java
+++ b/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestMobSecureExportSnapshot.java
@@ -20,13 +20,12 @@ package org.apache.hadoop.hbase.snapshot;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.VerySlowRegionServerTests;
import org.junit.BeforeClass;
import org.junit.ClassRule;
-import org.junit.Ignore;
import org.junit.experimental.categories.Category;
/**
@@ -57,6 +56,6 @@ public class TestMobSecureExportSnapshot extends TestMobExportSnapshot {
TEST_UTIL.startMiniMapReduceCluster();
// Wait for the ACL table to become available
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
}
}
diff --git a/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestSecureExportSnapshot.java b/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestSecureExportSnapshot.java
index 77da0d5..ce1c4cb 100644
--- a/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestSecureExportSnapshot.java
+++ b/hbase-mapreduce/src/test/java/org/apache/hadoop/hbase/snapshot/TestSecureExportSnapshot.java
@@ -20,7 +20,7 @@ package org.apache.hadoop.hbase.snapshot;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.VerySlowRegionServerTests;
@@ -56,6 +56,6 @@ public class TestSecureExportSnapshot extends TestExportSnapshot {
TEST_UTIL.startMiniMapReduceCluster();
// Wait for the ACL table to become available
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
}
}
diff --git a/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java b/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
index 59e5601..4b23f18 100644
--- a/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
+++ b/hbase-rsgroup/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
@@ -34,9 +34,9 @@ import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AuthManager;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests;
@@ -113,7 +113,7 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
rsGroupAdminEndpoint = (RSGroupAdminEndpoint) TEST_UTIL.getMiniHBaseCluster().getMaster().
getMasterCoprocessorHost().findCoprocessor(RSGroupAdminEndpoint.class.getName());
// Wait for the ACL table to become available
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@@ -174,7 +174,7 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
- assertEquals(4, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(4, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(4, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size());
@@ -194,9 +194,9 @@ public class TestRSGroupsWithACL extends SecureTestUtil{
LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
- assertEquals(0, AccessControlLists.getNamespacePermissions(conf,
- TEST_TABLE.getNamespaceAsString()).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(0,
+ PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
}
@AfterClass
diff --git a/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/master/MasterStatusTmpl.jamon b/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/master/MasterStatusTmpl.jamon
index f6ea764..06fe2c9 100644
--- a/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/master/MasterStatusTmpl.jamon
+++ b/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/master/MasterStatusTmpl.jamon
@@ -52,7 +52,7 @@ org.apache.hadoop.hbase.master.RegionState;
org.apache.hadoop.hbase.master.ServerManager;
org.apache.hadoop.hbase.protobuf.ProtobufUtil;
org.apache.hadoop.hbase.quotas.QuotaUtil;
-org.apache.hadoop.hbase.security.access.AccessControlLists;
+org.apache.hadoop.hbase.security.access.PermissionStorage;
org.apache.hadoop.hbase.security.visibility.VisibilityConstants;
org.apache.hadoop.hbase.shaded.protobuf.generated.SnapshotProtos.SnapshotDescription;
org.apache.hadoop.hbase.tool.Canary;
@@ -444,7 +444,7 @@ AssignmentManager assignmentManager = master.getAssignmentManager();
} else if (tableName.equals(Canary.DEFAULT_WRITE_TABLE_NAME)){
description = "The hbase:canary table is used to sniff the write availbility of"
+ " each regionserver.";
- } else if (tableName.equals(AccessControlLists.ACL_TABLE_NAME)){
+ } else if (tableName.equals(PermissionStorage.ACL_TABLE_NAME)){
description = "The hbase:acl table holds information about acl.";
} else if (tableName.equals(VisibilityConstants.LABELS_TABLE_NAME)){
description = "The hbase:labels table holds information about visibility labels.";
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index 6a5b508..222a686 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -102,10 +102,10 @@ import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessChecker;
import org.apache.hadoop.hbase.security.access.AccessChecker.InputUser;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.Permission.Action;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.security.visibility.VisibilityController;
@@ -2712,8 +2712,8 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.preGrant(perm, mergeExistingPermissions);
}
- try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.addUserPermission(getConfiguration(), perm, table,
+ try (Table table = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.addUserPermission(getConfiguration(), perm, table,
mergeExistingPermissions);
}
if (master.cpHost != null) {
@@ -2734,8 +2734,8 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.preRevoke(userPermission);
}
- try (Table table = master.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.removeUserPermission(master.getConfiguration(), userPermission, table);
+ try (Table table = master.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.removeUserPermission(master.getConfiguration(), userPermission, table);
}
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
@@ -2765,17 +2765,17 @@ public class MasterRpcServices extends RSRpcServices
List<UserPermission> perms = null;
if (permissionType == Type.Table) {
boolean filter = (cf != null || userName != null) ? true : false;
- perms = AccessControlLists.getUserTablePermissions(master.getConfiguration(), table, cf, cq,
+ perms = PermissionStorage.getUserTablePermissions(master.getConfiguration(), table, cf, cq,
userName, filter);
} else if (permissionType == Type.Namespace) {
- perms = AccessControlLists.getUserNamespacePermissions(master.getConfiguration(), namespace,
+ perms = PermissionStorage.getUserNamespacePermissions(master.getConfiguration(), namespace,
userName, userName != null ? true : false);
} else {
- perms = AccessControlLists.getUserPermissions(master.getConfiguration(), null, null, null,
+ perms = PermissionStorage.getUserPermissions(master.getConfiguration(), null, null, null,
userName, userName != null ? true : false);
// Skip super users when filter user is specified
if (userName == null) {
- // Adding superusers explicitly to the result set as AccessControlLists do not store
+ // Adding superusers explicitly to the result set as PermissionStorage do not store
// them. Also using acl as table name to be inline with the results of global admin and
// will help in avoiding any leakage of information about being superusers.
for (String user : Superusers.getSuperUsers()) {
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index a5ee794..0949207 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -244,14 +244,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
private void initialize(RegionCoprocessorEnvironment e) throws IOException {
final Region region = e.getRegion();
Configuration conf = e.getConfiguration();
- Map<byte[], ListMultimap<String, UserPermission>> tables = AccessControlLists.loadAll(region);
+ Map<byte[], ListMultimap<String, UserPermission>> tables = PermissionStorage.loadAll(region);
// For each table, write out the table's permissions to the respective
// znode for that table.
for (Map.Entry<byte[], ListMultimap<String, UserPermission>> t:
tables.entrySet()) {
byte[] entry = t.getKey();
ListMultimap<String, UserPermission> perms = t.getValue();
- byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
+ byte[] serialized = PermissionStorage.writePermissionsAsBytes(perms, conf);
getAuthManager().getZKPermissionWatcher().writeToZookeeper(entry, serialized);
}
initialized = true;
@@ -268,7 +268,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for (Map.Entry<byte[], List<Cell>> f : familyMap.entrySet()) {
List<Cell> cells = f.getValue();
for (Cell cell: cells) {
- if (CellUtil.matchingFamily(cell, AccessControlLists.ACL_LIST_FAMILY)) {
+ if (CellUtil.matchingFamily(cell, PermissionStorage.ACL_LIST_FAMILY)) {
entries.add(CellUtil.cloneRow(cell));
}
}
@@ -283,12 +283,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
// to and fro conversion overhead. get req is converted to PB req
// and results are converted to PB results 1st and then to POJOs
// again. We could have avoided such at least in ACL table context..
- try (Table t = e.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ try (Table t = e.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
for (byte[] entry : entries) {
currentEntry = entry;
ListMultimap<String, UserPermission> perms =
- AccessControlLists.getPermissions(conf, entry, t, null, null, null, false);
- byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
+ PermissionStorage.getPermissions(conf, entry, t, null, null, null, false);
+ byte[] serialized = PermissionStorage.writePermissionsAsBytes(perms, conf);
zkw.writeToZookeeper(entry, serialized);
}
} catch(IOException ex) {
@@ -624,7 +624,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for (Cell cell: e.getValue()) {
// Prepend the supplied perms in a new ACL tag to an update list of tags for the cell
List<Tag> tags = new ArrayList<>();
- tags.add(new ArrayBackedTag(AccessControlLists.ACL_TAG_TYPE, perms));
+ tags.add(new ArrayBackedTag(PermissionStorage.ACL_TAG_TYPE, perms));
Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(cell);
while (tagIterator.hasNext()) {
tags.add(tagIterator.next());
@@ -656,7 +656,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
for (CellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {
Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(cellScanner.current());
while (tagsItr.hasNext()) {
- if (tagsItr.next().getType() == AccessControlLists.ACL_TAG_TYPE) {
+ if (tagsItr.next().getType() == PermissionStorage.ACL_TAG_TYPE) {
throw new AccessDeniedException("Mutation contains cell with reserved type tag");
}
}
@@ -786,12 +786,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
// creating acl table, getting delayed and by that time another table creation got over and
// this hook is getting called. In such a case, we will need a wait logic here which will
// wait till the acl table is created.
- if (AccessControlLists.isAclTable(desc)) {
+ if (PermissionStorage.isAclTable(desc)) {
this.aclTabAvailable = true;
} else {
if (!aclTabAvailable) {
LOG.warn("Not adding owner permission for table " + desc.getTableName() + ". "
- + AccessControlLists.ACL_TABLE_NAME + " is not yet created. "
+ + PermissionStorage.ACL_TABLE_NAME + " is not yet created. "
+ getClass().getSimpleName() + " should be configured as the first Coprocessor");
} else {
String owner = desc.getOwnerString();
@@ -804,9 +804,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
- try (Table table = c.getEnvironment().getConnection().
- getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+ try (Table table =
+ c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.addUserPermission(c.getEnvironment().getConfiguration(),
userPermission, table);
}
return null;
@@ -830,9 +830,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
- try (Table table = c.getEnvironment().getConnection().
- getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.removeTablePermissions(conf, tableName, table);
+ try (Table table =
+ c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.removeTablePermissions(conf, tableName, table);
}
return null;
}
@@ -851,7 +851,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
@Override
public Void run() throws Exception {
List<UserPermission> acls =
- AccessControlLists.getUserTablePermissions(conf, tableName, null, null, null, false);
+ PermissionStorage.getUserTablePermissions(conf, tableName, null, null, null, false);
if (acls != null) {
tableAcls.put(tableName, acls);
}
@@ -870,9 +870,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
List<UserPermission> perms = tableAcls.get(tableName);
if (perms != null) {
for (UserPermission perm : perms) {
- try (Table table = ctx.getEnvironment().getConnection().
- getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.addUserPermission(conf, perm, table);
+ try (Table table =
+ ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.addUserPermission(conf, perm, table);
}
}
}
@@ -903,9 +903,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public Void run() throws Exception {
UserPermission userperm = new UserPermission(owner,
Permission.newBuilder(currentDesc.getTableName()).withActions(Action.values()).build());
- try (Table table = c.getEnvironment().getConnection().
- getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.addUserPermission(conf, userperm, table);
+ try (Table table =
+ c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.addUserPermission(conf, userperm, table);
}
return null;
}
@@ -922,13 +922,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
@Override
public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)
throws IOException {
- if (Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {
+ if (Bytes.equals(tableName.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {
// We have to unconditionally disallow disable of the ACL table when we are installed,
// even if not enforcing authorizations. We are still allowing grants and revocations,
// checking permissions and logging audit messages, etc. If the ACL table is not
// available we will fail random actions all over the place.
- throw new AccessDeniedException("Not allowed to disable "
- + AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed");
+ throw new AccessDeniedException("Not allowed to disable " + PermissionStorage.ACL_TABLE_NAME
+ + " table with AccessController installed");
}
requirePermission(c, "disableTable",
tableName, null, null, Action.ADMIN, Action.CREATE);
@@ -1022,7 +1022,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)
throws IOException {
try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {
- if (!admin.tableExists(AccessControlLists.ACL_TABLE_NAME)) {
+ if (!admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
createACLTable(admin);
} else {
this.aclTabAvailable = true;
@@ -1036,7 +1036,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
private static void createACLTable(Admin admin) throws IOException {
/** Table descriptor for ACL table */
ColumnFamilyDescriptor cfd =
- ColumnFamilyDescriptorBuilder.newBuilder(AccessControlLists.ACL_LIST_FAMILY).
+ ColumnFamilyDescriptorBuilder.newBuilder(PermissionStorage.ACL_LIST_FAMILY).
setMaxVersions(1).
setInMemory(true).
setBlockCacheEnabled(true).
@@ -1044,7 +1044,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
setBloomFilterType(BloomType.NONE).
setScope(HConstants.REPLICATION_SCOPE_LOCAL).build();
TableDescriptor td =
- TableDescriptorBuilder.newBuilder(AccessControlLists.ACL_TABLE_NAME).
+ TableDescriptorBuilder.newBuilder(PermissionStorage.ACL_TABLE_NAME).
setColumnFamily(cfd).build();
admin.createTable(td);
}
@@ -1140,15 +1140,15 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
- try (Table table = ctx.getEnvironment().getConnection().
- getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.removeNamespacePermissions(conf, namespace, table);
+ try (Table table =
+ ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.removeNamespacePermissions(conf, namespace, table);
}
return null;
}
});
getAuthManager().getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
- LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ LOG.info(namespace + " entry deleted in " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
@Override
@@ -1253,7 +1253,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
LOG.error("NULL region from RegionCoprocessorEnvironment in postOpen()");
return;
}
- if (AccessControlLists.isAclRegion(region)) {
+ if (PermissionStorage.isAclRegion(region)) {
aclRegion = true;
try {
initialize(env);
@@ -1798,7 +1798,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(oldCell);
while (tagIterator.hasNext()) {
Tag tag = tagIterator.next();
- if (tag.getType() != AccessControlLists.ACL_TAG_TYPE) {
+ if (tag.getType() != PermissionStorage.ACL_TAG_TYPE) {
// Not an ACL tag, just carry it through
if (LOG.isTraceEnabled()) {
LOG.trace("Carrying forward tag from " + oldCell + ": type " + tag.getType()
@@ -1815,7 +1815,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
byte[] aclBytes = mutation.getACL();
if (aclBytes != null) {
// Yes, use it
- tags.add(new ArrayBackedTag(AccessControlLists.ACL_TAG_TYPE, aclBytes));
+ tags.add(new ArrayBackedTag(PermissionStorage.ACL_TAG_TYPE, aclBytes));
} else {
// No, use what we carried forward
if (perms != null) {
@@ -1997,7 +1997,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
} else {
throw new CoprocessorException(AccessController.class, "This method "
- + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ + "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
response = AccessControlProtos.GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
@@ -2037,7 +2037,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
}
} else {
throw new CoprocessorException(AccessController.class, "This method "
- + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ + "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
response = AccessControlProtos.RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
@@ -2089,7 +2089,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
response = AccessControlUtil.buildGetUserPermissionsResponse(perms);
} else {
throw new CoprocessorException(AccessController.class, "This method "
- + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
+ + "can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
}
} catch (IOException ioe) {
// pass exception back up
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthManager.java
index 8719f62..e374a1b 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthManager.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AuthManager.java
@@ -147,10 +147,9 @@ public final class AuthManager implements Closeable {
public void refreshTableCacheFromWritable(TableName table, byte[] data) throws IOException {
if (data != null && data.length > 0) {
try {
- ListMultimap<String, Permission> perms =
- AccessControlLists.readPermissions(data, conf);
+ ListMultimap<String, Permission> perms = PermissionStorage.readPermissions(data, conf);
if (perms != null) {
- if (Bytes.equals(table.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {
+ if (Bytes.equals(table.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {
updateGlobalCache(perms);
} else {
updateTableCache(table, perms);
@@ -173,8 +172,7 @@ public final class AuthManager implements Closeable {
public void refreshNamespaceCacheFromWritable(String namespace, byte[] data) throws IOException {
if (data != null && data.length > 0) {
try {
- ListMultimap<String, Permission> perms =
- AccessControlLists.readPermissions(data, conf);
+ ListMultimap<String, Permission> perms = PermissionStorage.readPermissions(data, conf);
if (perms != null) {
updateNamespaceCache(namespace, perms);
}
@@ -324,7 +322,7 @@ public final class AuthManager implements Closeable {
return false;
}
if (table == null) {
- table = AccessControlLists.ACL_TABLE_NAME;
+ table = PermissionStorage.ACL_TABLE_NAME;
}
if (authorizeUserNamespace(user, table.getNamespaceAsString(), action)) {
return true;
@@ -393,7 +391,7 @@ public final class AuthManager implements Closeable {
return false;
}
if (table == null) {
- table = AccessControlLists.ACL_TABLE_NAME;
+ table = PermissionStorage.ACL_TABLE_NAME;
}
if (authorizeUserNamespace(user, table.getNamespaceAsString(), action)) {
return true;
@@ -473,7 +471,7 @@ public final class AuthManager implements Closeable {
*/
public boolean authorizeCell(User user, TableName table, Cell cell, Permission.Action action) {
try {
- List<Permission> perms = AccessControlLists.getCellPermissionsForUser(user, cell);
+ List<Permission> perms = PermissionStorage.getCellPermissionsForUser(user, cell);
if (LOG.isTraceEnabled()) {
LOG.trace("Perms for user {} in table {} in cell {}: {}",
user.getShortName(), table, cell, (perms != null ? perms : ""));
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/PermissionStorage.java
similarity index 97%
rename from hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
rename to hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/PermissionStorage.java
index 1182baa..bcf070a 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlLists.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/PermissionStorage.java
@@ -63,10 +63,6 @@ import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.security.User;
-import org.apache.hbase.thirdparty.com.google.common.annotations.VisibleForTesting;
-import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
-import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
-import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.io.Text;
@@ -77,6 +73,11 @@ import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.hbase.thirdparty.com.google.common.annotations.VisibleForTesting;
+import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
+import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
+import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
+
/**
* Maintains lists of permission grants to users and groups to allow for
* authorization checks by {@link AccessController}.
@@ -102,7 +103,7 @@ import org.slf4j.LoggerFactory;
* </p>
*/
@InterfaceAudience.Private
-public class AccessControlLists {
+public final class PermissionStorage {
/** Internal storage table for access control lists */
public static final TableName ACL_TABLE_NAME =
TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
@@ -120,7 +121,10 @@ public class AccessControlLists {
* _acl_ table info: column keys */
public static final char ACL_KEY_DELIMITER = ',';
- private static final Logger LOG = LoggerFactory.getLogger(AccessControlLists.class);
+ private static final Logger LOG = LoggerFactory.getLogger(PermissionStorage.class);
+
+ private PermissionStorage() {
+ }
/**
* Stores a new user permission grant in the access control lists table.
@@ -177,10 +181,8 @@ public class AccessControlLists {
.setValue(value)
.build());
if (LOG.isDebugEnabled()) {
- LOG.debug("Writing permission with rowKey "+
- Bytes.toString(rowKey)+" "+
- Bytes.toString(key)+": "+Bytes.toStringBinary(value)
- );
+ LOG.debug("Writing permission with rowKey " + Bytes.toString(rowKey) + " "
+ + Bytes.toString(key) + ": " + Bytes.toStringBinary(value));
}
try {
t.put(p);
@@ -319,8 +321,12 @@ public class AccessControlLists {
table.delete(d);
}
} finally {
- if (scanner != null) scanner.close();
- if (closeTable) table.close();
+ if (scanner != null) {
+ scanner.close();
+ }
+ if (closeTable) {
+ table.close();
+ }
}
}
@@ -396,13 +402,12 @@ public class AccessControlLists {
* Loads all of the permission grants stored in a region of the {@code _acl_}
* table.
*
- * @param aclRegion
+ * @param aclRegion the acl region
* @return a map of the permissions for this table.
- * @throws IOException
+ * @throws IOException if an error occurs
*/
static Map<byte[], ListMultimap<String, UserPermission>> loadAll(Region aclRegion)
throws IOException {
-
if (!isAclRegion(aclRegion)) {
throw new IOException("Can only load permissions from "+ACL_TABLE_NAME);
}
@@ -479,7 +484,9 @@ public class AccessControlLists {
allPerms.put(row.getRow(), resultPerms);
}
} finally {
- if (scanner != null) scanner.close();
+ if (scanner != null) {
+ scanner.close();
+ }
}
}
}
@@ -504,12 +511,14 @@ public class AccessControlLists {
* Reads user permission assignments stored in the <code>l:</code> column family of the first
* table row in <code>_acl_</code>.
* <p>
- * See {@link AccessControlLists class documentation} for the key structure used for storage.
+ * See {@link PermissionStorage class documentation} for the key structure used for storage.
* </p>
*/
static ListMultimap<String, UserPermission> getPermissions(Configuration conf, byte[] entryName,
Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
- if (entryName == null) entryName = ACL_GLOBAL_NAME;
+ if (entryName == null) {
+ entryName = ACL_GLOBAL_NAME;
+ }
// for normal user tables, we just read the table row from _acl_
ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
Get get = new Get(entryName);
@@ -737,7 +746,8 @@ public class AccessControlLists {
*/
public static byte[] writePermissionsAsBytes(ListMultimap<String, UserPermission> perms,
Configuration conf) {
- return ProtobufUtil.prependPBMagic(AccessControlUtil.toUserTablePermissions(perms).toByteArray());
+ return ProtobufUtil
+ .prependPBMagic(AccessControlUtil.toUserTablePermissions(perms).toByteArray());
}
// This is part of the old HbaseObjectWritableFor96Migration.
@@ -845,8 +855,9 @@ public class AccessControlLists {
}
public static String fromNamespaceEntry(String namespace) {
- if(namespace.charAt(0) != NAMESPACE_PREFIX)
+ if (namespace.charAt(0) != NAMESPACE_PREFIX) {
throw new IllegalArgumentException("Argument is not a valid namespace entry");
+ }
return namespace.substring(1);
}
@@ -882,7 +893,8 @@ public class AccessControlLists {
AccessControlProtos.UsersAndPermissions.Builder builder =
AccessControlProtos.UsersAndPermissions.newBuilder();
if (tag.hasArray()) {
- ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(), tag.getValueLength());
+ ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(),
+ tag.getValueLength());
} else {
ProtobufUtil.mergeFrom(builder, Tag.cloneValue(tag));
}
@@ -894,7 +906,7 @@ public class AccessControlLists {
results.addAll(userPerms);
}
// Are there permissions for any of the groups this user belongs to?
- String groupNames[] = user.getGroupNames();
+ String[] groupNames = user.getGroupNames();
if (groupNames != null) {
for (String group : groupNames) {
List<Permission> groupPerms = kvPerms.get(AuthUtil.toGroupEntry(group));
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
index fa3c30f..b410719 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/ZKPermissionWatcher.java
@@ -146,7 +146,7 @@ public class ZKPermissionWatcher extends ZKListener implements Closeable {
@Override
public void run() {
String table = ZKUtil.getNodeName(path);
- if(AccessControlLists.isNamespaceEntry(table)) {
+ if (PermissionStorage.isNamespaceEntry(table)) {
authManager.removeNamespace(Bytes.toBytes(table));
} else {
authManager.removeTable(TableName.valueOf(table));
@@ -245,9 +245,9 @@ public class ZKPermissionWatcher extends ZKListener implements Closeable {
LOG.debug("Updating permissions cache from {} with data {}", entry,
Bytes.toStringBinary(nodeData));
}
- if(AccessControlLists.isNamespaceEntry(entry)) {
- authManager.refreshNamespaceCacheFromWritable(
- AccessControlLists.fromNamespaceEntry(entry), nodeData);
+ if (PermissionStorage.isNamespaceEntry(entry)) {
+ authManager.refreshNamespaceCacheFromWritable(PermissionStorage.fromNamespaceEntry(entry),
+ nodeData);
} else {
authManager.refreshTableCacheFromWritable(TableName.valueOf(entry), nodeData);
}
@@ -296,7 +296,7 @@ public class ZKPermissionWatcher extends ZKListener implements Closeable {
*/
public void deleteNamespaceACLNode(final String namespace) {
String zkNode = ZNodePaths.joinZNode(watcher.getZNodePaths().baseZNode, ACL_NODE);
- zkNode = ZNodePaths.joinZNode(zkNode, AccessControlLists.NAMESPACE_PREFIX + namespace);
+ zkNode = ZNodePaths.joinZNode(zkNode, PermissionStorage.NAMESPACE_PREFIX + namespace);
try {
ZKUtil.deleteNode(watcher, zkNode);
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java
index 203a58b..5c25526 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java
@@ -33,7 +33,7 @@ import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
@@ -418,7 +418,7 @@ public final class SnapshotDescriptionUtils {
public static boolean isSecurityAvailable(Configuration conf) throws IOException {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
try (Admin admin = conn.getAdmin()) {
- return admin.tableExists(AccessControlLists.ACL_TABLE_NAME);
+ return admin.tableExists(PermissionStorage.ACL_TABLE_NAME);
}
}
}
@@ -429,7 +429,7 @@ public final class SnapshotDescriptionUtils {
User.runAsLoginUser(new PrivilegedExceptionAction<ListMultimap<String, UserPermission>>() {
@Override
public ListMultimap<String, UserPermission> run() throws Exception {
- return AccessControlLists.getTablePermissions(conf,
+ return PermissionStorage.getTablePermissions(conf,
TableName.valueOf(snapshot.getTable()));
}
});
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
index 4c48347..2b94b7f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/TestJMXConnectorServer.java
@@ -28,11 +28,9 @@ import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hadoop.hbase.security.AccessDeniedException;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.MiscTests;
-import org.apache.hadoop.hbase.util.Threads;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java
index 9359fcc..98c84d5 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/SnapshotWithAclTestBase.java
@@ -26,9 +26,9 @@ import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlConstants;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.util.Bytes;
import org.junit.AfterClass;
@@ -108,7 +108,7 @@ public abstract class SnapshotWithAclTestBase extends SecureTestUtil {
// Enable EXEC permission checking
conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true);
TEST_UTIL.startMiniCluster();
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
MasterCoprocessorHost cpHost =
TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost();
cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAsyncAccessControlAdminApi.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAsyncAccessControlAdminApi.java
index fbb08c6..9182e6f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAsyncAccessControlAdminApi.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/client/TestAsyncAccessControlAdminApi.java
@@ -20,9 +20,9 @@ import java.util.List;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.GetUserPermissionsRequest;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction;
import org.apache.hadoop.hbase.security.access.UserPermission;
@@ -48,7 +48,7 @@ public class TestAsyncAccessControlAdminApi extends TestAsyncAdminBase {
public static void setUpBeforeClass() throws Exception {
SecureTestUtil.enableSecurity(TEST_UTIL.getConfiguration());
TEST_UTIL.startMiniCluster(1);
- TEST_UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitTableAvailable(PermissionStorage.ACL_TABLE_NAME);
ASYNC_CONN = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get();
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index 341e7df..a84b492 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -808,7 +808,7 @@ public class SecureTestUtil {
}
public static String convertToNamespace(String namespace) {
- return AccessControlLists.NAMESPACE_PREFIX + namespace;
+ return PermissionStorage.NAMESPACE_PREFIX + namespace;
}
public static void checkGlobalPerms(HBaseTestingUtility testUtil, Permission.Action... actions)
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
index 3dc915b..ed38d91 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessControlFilter.java
@@ -86,7 +86,7 @@ public class TestAccessControlFilter extends SecureTestUtil {
conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);
TEST_UTIL.startMiniCluster();
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME.getName(), 50000);
READER = User.createUserForTesting(conf, "reader", new String[0]);
LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index a5a8a04..a87a838 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -245,7 +245,7 @@ public class TestAccessController extends SecureTestUtil {
RSCP_ENV = rsCpHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@@ -323,7 +323,7 @@ public class TestAccessController extends SecureTestUtil {
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
- assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(5, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
int size = 0;
try {
size = AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString())
@@ -344,11 +344,9 @@ public class TestAccessController extends SecureTestUtil {
LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
- assertEquals(
- 0,
- AccessControlLists.getNamespacePermissions(conf,
- TEST_TABLE.getNamespaceAsString()).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(0,
+ PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
}
@Test
@@ -477,7 +475,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preDisableTable(ObserverContextImpl.createAndPrepare(CP_ENV),
- AccessControlLists.ACL_TABLE_NAME);
+ PermissionStorage.ACL_TABLE_NAME);
return null;
}
};
@@ -1204,8 +1202,7 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction getGlobalPermissionsAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
- try (Connection conn = ConnectionFactory.createConnection(conf);
- Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ try (Connection conn = ConnectionFactory.createConnection(conf)) {
conn.getAdmin().getUserPermissions(GetUserPermissionsRequest.newBuilder().build());
}
return null;
@@ -1237,7 +1234,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
- Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
@@ -1252,7 +1249,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
- Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
@@ -1914,7 +1911,7 @@ public class TestAccessController extends SecureTestUtil {
AccessControlProtos.TablePermission.newBuilder()
.setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE))
.addAction(AccessControlProtos.Permission.Action.CREATE))).build();
- Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
+ Table acl = systemUserConnection.getTable(PermissionStorage.ACL_TABLE_NAME);
try {
BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
AccessControlService.BlockingInterface protocol =
@@ -2770,7 +2767,7 @@ public class TestAccessController extends SecureTestUtil {
int expectedAmount, String expectedNamespace) throws HBaseException {
try {
List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
- systemUserConnection, AccessControlLists.toNamespaceEntry(namespaceRegexWithoutPrefix));
+ systemUserConnection, PermissionStorage.toNamespaceEntry(namespaceRegexWithoutPrefix));
assertTrue(namespacePermissions != null);
assertEquals(expectedAmount, namespacePermissions.size());
for (UserPermission namespacePermission : namespacePermissions) {
@@ -2862,7 +2859,7 @@ public class TestAccessController extends SecureTestUtil {
createTable(TEST_UTIL, htd);
// Verify that we can read sys-tables
- String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
+ String aclTableName = PermissionStorage.ACL_TABLE_NAME.getNameAsString();
assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
@@ -3336,7 +3333,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
- Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index eb2a5ac..dc8136c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -122,7 +122,7 @@ public class TestAccessController2 extends SecureTestUtil {
verifyConfiguration(conf);
TEST_UTIL.startMiniCluster();
// Wait for the ACL table to become available
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
TESTGROUP_1_NAME = toGroupEntry(TESTGROUP_1);
TESTGROUP1_USER1 =
@@ -146,7 +146,7 @@ public class TestAccessController2 extends SecureTestUtil {
new Put(TEST_ROW_3).addColumn(TEST_FAMILY_2, Q1, value1)));
}
- assertEquals(1, AccessControlLists.getTablePermissions(conf, tableName).size());
+ assertEquals(1, PermissionStorage.getTablePermissions(conf, tableName).size());
try {
assertEquals(1, AccessControlClient.getUserPermissions(systemUserConnection,
tableName.toString()).size());
@@ -173,8 +173,8 @@ public class TestAccessController2 extends SecureTestUtil {
}
deleteNamespace(TEST_UTIL, namespace);
// Verify all table/namespace permissions are erased
- assertEquals(0, AccessControlLists.getTablePermissions(conf, tableName).size());
- assertEquals(0, AccessControlLists.getNamespacePermissions(conf, namespace).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, tableName).size());
+ assertEquals(0, PermissionStorage.getNamespacePermissions(conf, namespace).size());
}
@Test
@@ -201,9 +201,8 @@ public class TestAccessController2 extends SecureTestUtil {
TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName());
// Verify that owner permissions have been granted to the test user on the
// table just created
- List<UserPermission> perms =
- AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName())
- .get(testUser.getShortName());
+ List<UserPermission> perms = PermissionStorage
+ .getTablePermissions(conf, TEST_TABLE.getTableName()).get(testUser.getShortName());
assertNotNull(perms);
assertFalse(perms.isEmpty());
// Should be RWXCA
@@ -293,9 +292,9 @@ public class TestAccessController2 extends SecureTestUtil {
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY,
- TEST_QUALIFIER, TEST_VALUE));
+ Table t = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ t.put(new Put(TEST_ROW).addColumn(PermissionStorage.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
return null;
} finally {
}
@@ -320,7 +319,7 @@ public class TestAccessController2 extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ Table t = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) {
ResultScanner s = t.getScanner(new Scan());
try {
for (Result r = s.next(); r != null; r = s.next()) {
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
index 7b10e3f..864928c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java
@@ -168,7 +168,7 @@ public class TestAccessController3 extends SecureTestUtil {
RSCP_ENV = rsHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@@ -250,7 +250,7 @@ public class TestAccessController3 extends SecureTestUtil {
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
- assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(5, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size());
@@ -271,11 +271,9 @@ public class TestAccessController3 extends SecureTestUtil {
LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
- assertEquals(
- 0,
- AccessControlLists.getNamespacePermissions(conf,
- TEST_TABLE.getNamespaceAsString()).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
+ assertEquals(0,
+ PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
}
@Test
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
index 88d0314..b4dd8c6 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLWithMultipleVersions.java
@@ -115,7 +115,7 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
@@ -976,6 +976,6 @@ public class TestCellACLWithMultipleVersions extends SecureTestUtil {
// Test deleted the table, no problem
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
index ec741fb..24dbaee 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestCellACLs.java
@@ -118,7 +118,7 @@ public class TestCellACLs extends SecureTestUtil {
rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
@@ -460,6 +460,6 @@ public class TestCellACLs extends SecureTestUtil {
// Test deleted the table, no problem
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index f6b018e..752b4be 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -156,7 +156,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
UTIL.getConfiguration().setInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 2);
UTIL.startMiniCluster();
// Wait for the ACL table to become available
- UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 30 * 1000);
+ UTIL.waitTableAvailable(PermissionStorage.ACL_TABLE_NAME.getName(), 30 * 1000);
// Find the Access Controller CP. Could be on master or if master is not serving regions, is
// on an arbitrary server.
@@ -204,10 +204,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Test
public void testAclTableEntries() throws Exception {
String userTestNamespace = "userTestNsp";
- Table acl = UTIL.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME);
+ Table acl = UTIL.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
try {
ListMultimap<String, UserPermission> perms =
- AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
+ PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
for (Map.Entry<String, UserPermission> entry : perms.entries()) {
LOG.debug(Objects.toString(entry));
}
@@ -219,7 +219,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
assertTrue(result != null);
- perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
+ perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(7, perms.size());
List<UserPermission> namespacePerms = perms.get(userTestNamespace);
assertTrue(perms.containsKey(userTestNamespace));
@@ -233,7 +233,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
Permission.Action.WRITE);
- perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
+ perms = PermissionStorage.getNamespacePermissions(conf, TEST_NAMESPACE);
assertEquals(6, perms.size());
} finally {
acl.close();
@@ -438,7 +438,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
- Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ Table acl = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
@@ -451,7 +451,7 @@ public class TestNamespaceCommands extends SecureTestUtil {
@Override
public Object run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
- Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ Table acl = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java
index b95c776..1b3712c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java
@@ -153,7 +153,7 @@ public class TestRpcAccessChecks {
TEST_UTIL.startMiniCluster();
// Wait for the ACL table to become available
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// Assign permissions to groups
SecureTestUtil.grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN),
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
index 9284cc9..0e6c66a 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestScanEarlyTermination.java
@@ -101,7 +101,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
@@ -142,7 +142,7 @@ public class TestScanEarlyTermination extends SecureTestUtil {
// Test deleted the table, no problem
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
}
@Test
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
index 8363665..962db9f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
@@ -101,7 +101,7 @@ public class TestTablePermissions {
UTIL.startMiniCluster();
// Wait for the ACL table to become available
- UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
ZKW = new ZKWatcher(UTIL.getConfiguration(),
"TestTablePermissions", ABORTABLE);
@@ -119,19 +119,19 @@ public class TestTablePermissions {
public void tearDown() throws Exception {
Configuration conf = UTIL.getConfiguration();
try (Connection connection = ConnectionFactory.createConnection(conf);
- Table table = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.removeTablePermissions(conf, TEST_TABLE, table);
- AccessControlLists.removeTablePermissions(conf, TEST_TABLE2, table);
- AccessControlLists.removeTablePermissions(conf, AccessControlLists.ACL_TABLE_NAME, table);
+ Table table = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.removeTablePermissions(conf, TEST_TABLE, table);
+ PermissionStorage.removeTablePermissions(conf, TEST_TABLE2, table);
+ PermissionStorage.removeTablePermissions(conf, PermissionStorage.ACL_TABLE_NAME, table);
}
}
/**
- * The AccessControlLists.addUserPermission may throw exception before closing the table.
+ * The PermissionStorage.addUserPermission may throw exception before closing the table.
*/
private void addUserPermission(Configuration conf, UserPermission userPerm, Table t) throws IOException {
try {
- AccessControlLists.addUserPermission(conf, userPerm, t);
+ PermissionStorage.addUserPermission(conf, userPerm, t);
} finally {
t.close();
}
@@ -146,20 +146,20 @@ public class TestTablePermissions {
new UserPermission("george",
Permission.newBuilder(TEST_TABLE)
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("hubert",
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("humphrey",
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
.withActions(Permission.Action.READ).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
}
// retrieve the same
ListMultimap<String, UserPermission> perms =
- AccessControlLists.getTablePermissions(conf, TEST_TABLE);
+ PermissionStorage.getTablePermissions(conf, TEST_TABLE);
List<UserPermission> userPerms = perms.get("george");
assertNotNull("Should have permissions for george", userPerms);
assertEquals("Should have 1 permission for george", 1, userPerms.size());
@@ -213,15 +213,14 @@ public class TestTablePermissions {
// table 2 permissions
try (Connection connection = ConnectionFactory.createConnection(conf);
- Table table = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- AccessControlLists.addUserPermission(conf,
+ Table table = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
+ PermissionStorage.addUserPermission(conf,
new UserPermission("hubert", Permission.newBuilder(TEST_TABLE2)
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
table);
}
// check full load
- Map<byte[], ListMultimap<String, UserPermission>> allPerms =
- AccessControlLists.loadAll(conf);
+ Map<byte[], ListMultimap<String, UserPermission>> allPerms = PermissionStorage.loadAll(conf);
assertEquals("Full permission map should have entries for both test tables",
2, allPerms.size());
@@ -253,26 +252,26 @@ public class TestTablePermissions {
addUserPermission(conf,
new UserPermission("albert",
Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("betty",
Permission.newBuilder(TEST_TABLE)
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("clark",
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY)
.withActions(Permission.Action.READ).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("dwight",
Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER)
.withActions(Permission.Action.WRITE).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
}
// verify permissions survive changes in table metadata
ListMultimap<String, UserPermission> preperms =
- AccessControlLists.getTablePermissions(conf, TEST_TABLE);
+ PermissionStorage.getTablePermissions(conf, TEST_TABLE);
Table table = UTIL.getConnection().getTable(TEST_TABLE);
table.put(
@@ -295,7 +294,7 @@ public class TestTablePermissions {
Thread.sleep(10000);
ListMultimap<String, UserPermission> postperms =
- AccessControlLists.getTablePermissions(conf, TEST_TABLE);
+ PermissionStorage.getTablePermissions(conf, TEST_TABLE);
checkMultimapEqual(preperms, postperms);
}
@@ -304,10 +303,10 @@ public class TestTablePermissions {
public void testSerialization() throws Exception {
Configuration conf = UTIL.getConfiguration();
ListMultimap<String, UserPermission> permissions = createPermissions();
- byte[] permsData = AccessControlLists.writePermissionsAsBytes(permissions, conf);
+ byte[] permsData = PermissionStorage.writePermissionsAsBytes(permissions, conf);
ListMultimap<String, UserPermission> copy =
- AccessControlLists.readUserPermission(permsData, conf);
+ PermissionStorage.readUserPermission(permsData, conf);
checkMultimapEqual(permissions, copy);
}
@@ -410,21 +409,20 @@ public class TestTablePermissions {
addUserPermission(conf,
new UserPermission("user1", Permission.newBuilder()
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("user2",
Permission.newBuilder().withActions(Permission.Action.CREATE).build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
addUserPermission(conf,
new UserPermission("user3",
Permission.newBuilder()
.withActions(Permission.Action.ADMIN, Permission.Action.READ,
Permission.Action.CREATE)
.build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
}
- ListMultimap<String, UserPermission> perms =
- AccessControlLists.getTablePermissions(conf, null);
+ ListMultimap<String, UserPermission> perms = PermissionStorage.getTablePermissions(conf, null);
List<UserPermission> user1Perms = perms.get("user1");
assertEquals("Should have 1 permission for user1", 1, user1Perms.size());
assertEquals("user1 should have WRITE permission",
@@ -465,7 +463,7 @@ public class TestTablePermissions {
.withActions(Permission.Action.ADMIN, Permission.Action.READ,
Permission.Action.WRITE)
.build()),
- connection.getTable(AccessControlLists.ACL_TABLE_NAME));
+ connection.getTable(PermissionStorage.ACL_TABLE_NAME));
// make sure the system user still shows as authorized
assertTrue("Failed current user auth check on iter "+i,
authManager.authorizeUserGlobal(currentUser, Permission.Action.ADMIN));
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java
index 8bc5718..3e930c5 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestWithDisabledAuthorization.java
@@ -155,7 +155,7 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
RSCP_ENV = rsHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf);
// Wait for the ACL table to become available
- TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
// create a set of test users
SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
@@ -219,8 +219,8 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
Permission.Action.READ,
Permission.Action.WRITE);
- assertEquals(5, AccessControlLists.getTablePermissions(TEST_UTIL.getConfiguration(),
- TEST_TABLE.getTableName()).size());
+ assertEquals(5, PermissionStorage
+ .getTablePermissions(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()).size());
}
@After
@@ -233,9 +233,9 @@ public class TestWithDisabledAuthorization extends SecureTestUtil {
LOG.info("Test deleted table " + TEST_TABLE.getTableName());
}
// Verify all table/namespace permissions are erased
- assertEquals(0, AccessControlLists.getTablePermissions(TEST_UTIL.getConfiguration(),
- TEST_TABLE.getTableName()).size());
- assertEquals(0, AccessControlLists.getNamespacePermissions(TEST_UTIL.getConfiguration(),
+ assertEquals(0, PermissionStorage
+ .getTablePermissions(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()).size());
+ assertEquals(0, PermissionStorage.getNamespacePermissions(TEST_UTIL.getConfiguration(),
TEST_TABLE.getTableName().getNamespaceAsString()).size());
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java
index 327c49d..3c182d8 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java
@@ -117,7 +117,7 @@ public class TestZKPermissionWatcher {
.withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create();
multimap.putAll(george.getShortName(), acl);
- byte[] serialized = AccessControlLists.writePermissionsAsBytes(multimap, conf);
+ byte[] serialized = PermissionStorage.writePermissionsAsBytes(multimap, conf);
AUTH_A.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized);
final long mtimeB = AUTH_B.getMTime();
// Wait for the update to propagate
@@ -145,7 +145,7 @@ public class TestZKPermissionWatcher {
Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build()));
final long mtimeA = AUTH_A.getMTime();
multimap.putAll(hubert.getShortName(), acl2);
- byte[] serialized2 = AccessControlLists.writePermissionsAsBytes(multimap, conf);
+ byte[] serialized2 = PermissionStorage.writePermissionsAsBytes(multimap, conf);
AUTH_B.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized2);
// Wait for the update to propagate
UTIL.waitFor(10000, 100, new Predicate<Exception>() {
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java
index e36e451..bb4ca21 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java
@@ -43,9 +43,9 @@ import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
import org.apache.hadoop.hbase.security.User;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests;
@@ -92,7 +92,7 @@ public class TestVisibilityLabelsWithACL {
+ VisibilityController.class.getName());
TEST_UTIL.startMiniCluster(2);
- TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);
+ TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME.getName(), 50000);
// Wait for the labels table to become available
TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
addLabels();
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFiles.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFiles.java
index 4e10f01..e09b9ac 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFiles.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFiles.java
@@ -22,7 +22,7 @@ import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.codec.KeyValueCodecWithTags;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.MiscTests;
@@ -62,7 +62,7 @@ public class TestSecureLoadIncrementalHFiles extends TestLoadIncrementalHFiles {
util.startMiniCluster();
// Wait for the ACL table to become available
- util.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ util.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
setupNamespace();
}
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFilesSplitRecovery.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFilesSplitRecovery.java
index 7fe79a9..03b9380 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFilesSplitRecovery.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/tool/TestSecureLoadIncrementalHFilesSplitRecovery.java
@@ -21,7 +21,7 @@ import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.security.HadoopSecurityEnabledUserProviderForTesting;
import org.apache.hadoop.hbase.security.UserProvider;
-import org.apache.hadoop.hbase.security.access.AccessControlLists;
+import org.apache.hadoop.hbase.security.access.PermissionStorage;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.testclassification.MiscTests;
@@ -61,7 +61,7 @@ public class TestSecureLoadIncrementalHFilesSplitRecovery
util.startMiniCluster();
// Wait for the ACL table to become available
- util.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME);
+ util.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
}
// Disabling this test as it does not work in secure mode
diff --git a/hbase-shell/src/main/ruby/hbase/security.rb b/hbase-shell/src/main/ruby/hbase/security.rb
index 4639c71..f07eaa3 100644
--- a/hbase-shell/src/main/ruby/hbase/security.rb
+++ b/hbase-shell/src/main/ruby/hbase/security.rb
@@ -202,7 +202,7 @@ module Hbase
# If we are unable to use getSecurityCapabilities, fall back with a check for
# deployment of the ACL table
raise(ArgumentError, 'DISABLED: Security features are not available') unless \
- exists?(org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME.getNameAsString)
+ exists?(org.apache.hadoop.hbase.security.access.PermissionStorage::ACL_TABLE_NAME.getNameAsString)
return
end
raise(ArgumentError, 'DISABLED: Security features are not available') unless \
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index 56f6566..2c76285 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -1036,12 +1036,10 @@ public static void grantOnTable(final HBaseTestingUtility util, final String use
SecureTestUtil.updateACLs(util, new Callable<Void>() {
@Override
public Void call() throws Exception {
- try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration());
- Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- AccessControlUtil.grant(null, protocol, user, table, family, qualifier, false, actions);
+ try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
+ connection.getAdmin().grant(new UserPermission(user, Permission.newBuilder(table)
+ .withFamily(family).withQualifier(qualifier).withActions(actions).build()),
+ false);
}
return null;
}
@@ -1084,16 +1082,9 @@ public static void revokeFromTable(final HBaseTestingUtility util, final String
SecureTestUtil.updateACLs(util, new Callable<Void>() {
@Override
public Void call() throws Exception {
- Configuration conf = HBaseConfiguration.create();
- Connection connection = ConnectionFactory.createConnection(conf);
- Table acl = connection.getTable(util.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
- try {
- BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- ProtobufUtil.revoke(protocol, user, table, family, qualifier, actions);
- } finally {
- acl.close();
+ try (Connection connection = ConnectionFactory.createConnection(util.getConfiguration())) {
+ connection.getAdmin().revoke(new UserPermission(user, Permission.newBuilder(table)
+ .withFamily(family).withQualifier(qualifier).withActions(actions).build()));
}
return null;
}
|