001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.client;
019
020import java.io.IOException;
021import org.apache.hadoop.conf.Configuration;
022import org.apache.hadoop.hbase.Coprocessor;
023import org.apache.hadoop.hbase.HBaseTestingUtility;
024import org.apache.hadoop.hbase.TableName;
025import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
026import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
027import org.apache.hadoop.hbase.security.User;
028import org.apache.hadoop.hbase.security.access.AccessControlConstants;
029import org.apache.hadoop.hbase.security.access.AccessControlLists;
030import org.apache.hadoop.hbase.security.access.AccessController;
031import org.apache.hadoop.hbase.security.access.Permission;
032import org.apache.hadoop.hbase.security.access.SecureTestUtil;
033import org.apache.hadoop.hbase.util.Bytes;
034import org.junit.AfterClass;
035import org.junit.Assert;
036import org.junit.Before;
037import org.junit.BeforeClass;
038import org.junit.Test;
039
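/**
 * Base class for the snapshot + ACL tests. It checks that a table's ACL entries are carried
 * over to a cloned or restored table only when the caller asks for it ({@code restoreAcl ==
 * true}), and that a clone made without ACL restoration does not leak the source table's
 * read/write grants to users who were only granted on the source.
 * <p>
 * Concrete subclasses supply the snapshot, clone and restore operations through the three
 * abstract hooks; this class owns the secured mini cluster, the test users and the assertions.
 */
public abstract class SnapshotWithAclTestBase extends SecureTestUtil {

  protected static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();

  // One randomised table name per test instance so runs never collide on the shared cluster.
  private final TableName TEST_TABLE = TableName.valueOf(TEST_UTIL.getRandomUUID().toString());

  private static final int ROW_COUNT = 30000;

  private static final byte[] TEST_FAMILY = Bytes.toBytes("f1");
  private static final byte[] TEST_QUALIFIER = Bytes.toBytes("cq");
  private static final byte[] TEST_ROW = Bytes.toBytes(0);

  // user is table owner. will have all permissions on table
  private static User USER_OWNER;
  // user with rw permissions on column family.
  private static User USER_RW;
  // user with read-only permissions
  private static User USER_RO;
  // user with none permissions
  private static User USER_NONE;

  /**
   * Reads {@link #TEST_ROW}/{@link #TEST_FAMILY} from {@code tableName}. The connection is
   * opened inside {@link #run()} so it is created under whichever user the harness runs the
   * action as, which is what the authorization check is keyed on.
   */
  static class AccessReadAction implements AccessTestAction {

    private final TableName tableName;

    public AccessReadAction(TableName tableName) {
      this.tableName = tableName;
    }

    @Override
    public Object run() throws Exception {
      Get get = new Get(TEST_ROW);
      get.addFamily(TEST_FAMILY);
      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
        Table table = conn.getTable(tableName)) {
        table.get(get);
      }
      return null;
    }
  }

  /**
   * Writes {@link #TEST_ROW}/{@link #TEST_FAMILY}:{@link #TEST_QUALIFIER} to {@code tableName}
   * as the user the harness runs the action as.
   */
  static class AccessWriteAction implements AccessTestAction {

    private final TableName tableName;

    public AccessWriteAction(TableName tableName) {
      this.tableName = tableName;
    }

    @Override
    public Object run() throws Exception {
      Put put = new Put(TEST_ROW);
      put.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(0));
      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
        Table table = conn.getTable(tableName)) {
        table.put(put);
      }
      return null;
    }
  }

  /**
   * Starts a mini cluster with authorization enabled, the {@link AccessController} loaded on
   * regions and on the master, EXEC permission checks turned on, and creates the four test
   * users. Runs once for the whole class.
   */
  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    Configuration conf = TEST_UTIL.getConfiguration();
    // Enable security
    enableSecurity(conf);
    conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName());
    // Verify enableSecurity sets up what we require
    verifyConfiguration(conf);
    // Enable EXEC permission checking
    conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true);
    TEST_UTIL.startMiniCluster();
    // Grants are stored in the ACL table; nothing below is meaningful until it is online.
    TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
    MasterCoprocessorHost cpHost =
      TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost();
    cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);

    USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
    USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
    USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
    USER_NONE = User.createUserForTesting(conf, "usernone", new String[0]);
  }

  /**
   * Creates the per-test table owned by {@link #USER_OWNER} and grants family-level READ+WRITE
   * to {@link #USER_RW} and READ to {@link #USER_RO}. {@link #USER_NONE} gets nothing.
   */
  @Before
  public void setUp() throws Exception {
    TEST_UTIL.createTable(TableDescriptorBuilder.newBuilder(TEST_TABLE)
      .setColumnFamily(
        ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build())
      .setOwner(USER_OWNER).build(), new byte[][] { Bytes.toBytes("s") });
    TEST_UTIL.waitTableEnabled(TEST_TABLE);

    grantOnTable(TEST_UTIL, USER_RW.getShortName(), TEST_TABLE, TEST_FAMILY, null,
      Permission.Action.READ, Permission.Action.WRITE);

    grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
      Permission.Action.READ);
  }

  /** Writes rows {@code 0 .. ROW_COUNT-1} into {@link #TEST_TABLE}, each with value == key. */
  private void loadData() throws IOException {
    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Table table = conn.getTable(TEST_TABLE)) {
      for (int i = 0; i < ROW_COUNT; i++) {
        Put put = new Put(Bytes.toBytes(i));
        put.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(i));
        table.put(put);
      }
    }
  }

  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  /**
   * Scans {@code tableName} end to end and asserts it holds exactly the {@link #ROW_COUNT}
   * rows written by {@link #loadData()}, i.e. the data (not only the ACL) survived the clone
   * or restore. The value check relies on the scan returning the int-keyed rows in insertion
   * order.
   */
  private void verifyRows(TableName tableName) throws IOException {
    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
      Table table = conn.getTable(tableName); ResultScanner scanner = table.getScanner(new Scan())) {
      int rowCount = 0;
      for (Result result = scanner.next(); result != null; result = scanner.next()) {
        byte[] value = result.getValue(TEST_FAMILY, TEST_QUALIFIER);
        // JUnit's contract is (expected, actual); the previous order produced a misleading
        // failure message on mismatch.
        Assert.assertArrayEquals(Bytes.toBytes(rowCount), value);
        rowCount++;
      }
      Assert.assertEquals(ROW_COUNT, rowCount);
    }
  }

  /** Takes a snapshot named {@code snapshotName} of {@code tableName}. */
  protected abstract void snapshot(String snapshotName, TableName tableName) throws Exception;

  /**
   * Clones {@code snapshotName} into a new table {@code tableName}; {@code restoreAcl} says
   * whether the source table's ACL entries are copied onto the new table.
   */
  protected abstract void cloneSnapshot(String snapshotName, TableName tableName,
      boolean restoreAcl) throws Exception;

  /**
   * Restores {@code snapshotName} over its (disabled) source table; {@code restoreAcl} says
   * whether the ACL captured with the snapshot replaces the table's current ACL.
   */
  protected abstract void restoreSnapshot(String snapshotName, boolean restoreAcl) throws Exception;

  /**
   * End-to-end check of ACL handling across clone and restore. Each phase asserts both the
   * allowed set and the denied set, so a regression that grants too much is caught as well as
   * one that grants too little.
   */
  @Test
  public void testRestoreSnapshot() throws Exception {
    // Baseline: grants from setUp() are in effect on the source table.
    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RO, USER_RW);
    verifyDenied(new AccessReadAction(TEST_TABLE), USER_NONE);
    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);

    loadData();
    verifyRows(TEST_TABLE);

    String snapshotName1 = TEST_UTIL.getRandomUUID().toString();
    snapshot(snapshotName1, TEST_TABLE);

    // clone snapshot with restoreAcl true: the clone must carry the same grants as the source.
    TableName tableName1 = TableName.valueOf(TEST_UTIL.getRandomUUID().toString());
    cloneSnapshot(snapshotName1, tableName1, true);
    verifyRows(tableName1);
    verifyAllowed(new AccessReadAction(tableName1), USER_OWNER, USER_RO, USER_RW);
    verifyDenied(new AccessReadAction(tableName1), USER_NONE);
    verifyAllowed(new AccessWriteAction(tableName1), USER_OWNER, USER_RW);
    verifyDenied(new AccessWriteAction(tableName1), USER_RO, USER_NONE);

    // clone snapshot with restoreAcl false: no ACL entry may leak to the clone. Only the owner
    // (set on the table descriptor) is expected to keep access; USER_RO and USER_RW must be
    // denied just like USER_NONE.
    TableName tableName2 = TableName.valueOf(TEST_UTIL.getRandomUUID().toString());
    cloneSnapshot(snapshotName1, tableName2, false);
    verifyRows(tableName2);
    verifyAllowed(new AccessReadAction(tableName2), USER_OWNER);
    verifyDenied(new AccessReadAction(tableName2), USER_NONE, USER_RO, USER_RW);
    verifyAllowed(new AccessWriteAction(tableName2), USER_OWNER);
    verifyDenied(new AccessWriteAction(tableName2), USER_RO, USER_RW, USER_NONE);

    // remove read permission for USER_RO, so the live ACL now differs from the snapshotted one.
    revokeFromTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
      Permission.Action.READ);
    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RW);
    verifyDenied(new AccessReadAction(TEST_TABLE), USER_RO, USER_NONE);
    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);

    // restore snapshot with restoreAcl false: the revoke must survive, i.e. restoring data
    // must not silently re-grant USER_RO from the snapshot's ACL.
    TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
    restoreSnapshot(snapshotName1, false);
    TEST_UTIL.getAdmin().enableTable(TEST_TABLE);
    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RW);
    verifyDenied(new AccessReadAction(TEST_TABLE), USER_RO, USER_NONE);
    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);

    // restore snapshot with restoreAcl true: the snapshotted ACL replaces the live one, so
    // USER_RO's READ grant is back.
    TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
    restoreSnapshot(snapshotName1, true);
    TEST_UTIL.getAdmin().enableTable(TEST_TABLE);
    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RO, USER_RW);
    verifyDenied(new AccessReadAction(TEST_TABLE), USER_NONE);
    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);
  }
}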