hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ashish Singhi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-13241) Add tests for group level grants
Date Wed, 18 Mar 2015 10:53:38 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14366957#comment-14366957
] 

Ashish Singhi commented on HBASE-13241:
---------------------------------------

Thanks [~mbertozzi] for taking a look.
bq. I see only in one place the assert on the scan result
We have it at three different places with different values expected.
1. {code}
+         Scan s1 = new Scan();
+          try (ResultScanner scanner1 = table.getScanner(s1);) {
+            Result[] next1 = scanner1.next(5);
+            assertTrue(next1.length == 3);
+          }
{code}
2. {code}
+         Scan s1 = new Scan();
+          try (ResultScanner scanner1 = table.getScanner(s1);) {
+            Result[] next1 = scanner1.next(5);
+            assertTrue(next1.length == 2);
+          }
{code}
 3. {code}
+         Scan s1 = new Scan();
+          try (ResultScanner scanner1 = table.getScanner(s1);) {
+            Result[] next1 = scanner1.next(5);
+            assertTrue(next1.length == 1);
+          }
{code}

bq. all the other checks seem to just verify if the AccessDeniedException was received or
not, so verifyAllowed()/verifyDenied() should be enough. if not why?
I tried that way when [~srikanth235] offline suggested me, but here at each level we have
different results.
Like when we grant a group, table level access then a user from it can perform scan at family
level also but its not the same when we grant a group, access at qualifier level. So I will
have to create so many actions for it to have it in one test which I did some what in my first
patch but [~busbey] had some other thought and I felt it was reasonable, so I broke this test
at different levels. Also verifyAllowed() and verifyDenied() internally uses user.runAs api.

bq. what is the difference with the other scanAction we have already?
If you are pointing at scanAction in TestAccessController#testRead then here we are not asserting
scan result, we are checking whether user with READ access are able to scan the table or not.

> Add tests for group level grants
> --------------------------------
>
>                 Key: HBASE-13241
>                 URL: https://issues.apache.org/jira/browse/HBASE-13241
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, test
>            Reporter: Sean Busbey
>            Assignee: Ashish Singhi
>            Priority: Critical
>         Attachments: HBASE-13241-v1.patch, HBASE-13241-v2.patch, HBASE-13241-v3.patch,
HBASE-13241-v4.patch, HBASE-13241-v5.patch, HBASE-13241.patch
>
>
> We need to have tests for group-level grants for various scopes. ref: HBASE-13239



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message