001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.visibility;
019
020import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
021import static org.apache.hadoop.hbase.security.visibility.VisibilityUtils.SYSTEM_LABEL;
022import static org.junit.Assert.assertEquals;
023import static org.junit.Assert.assertFalse;
024import static org.junit.Assert.assertTrue;
025
026import java.io.IOException;
027import java.security.PrivilegedExceptionAction;
028import java.util.List;
029import java.util.concurrent.atomic.AtomicBoolean;
030import org.apache.hadoop.hbase.HBaseClassTestRule;
031import org.apache.hadoop.hbase.TableName;
032import org.apache.hadoop.hbase.client.Connection;
033import org.apache.hadoop.hbase.client.ConnectionFactory;
034import org.apache.hadoop.hbase.client.Result;
035import org.apache.hadoop.hbase.client.ResultScanner;
036import org.apache.hadoop.hbase.client.Scan;
037import org.apache.hadoop.hbase.client.Table;
038import org.apache.hadoop.hbase.security.User;
039import org.apache.hadoop.hbase.testclassification.MediumTests;
040import org.apache.hadoop.hbase.testclassification.SecurityTests;
041import org.apache.hadoop.hbase.util.Bytes;
042import org.apache.hadoop.hbase.util.JVMClusterUtil.RegionServerThread;
043import org.apache.hadoop.hbase.util.Threads;
044import org.junit.Assert;
045import org.junit.BeforeClass;
046import org.junit.ClassRule;
047import org.junit.Test;
048import org.junit.experimental.categories.Category;
049import org.slf4j.Logger;
050import org.slf4j.LoggerFactory;
051
052import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
053
054import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
055import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.RegionActionResult;
056import org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos.NameBytesPair;
057import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.ListLabelsResponse;
058import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
059
060@Category({SecurityTests.class, MediumTests.class})
061public class TestVisibilityLabelsWithDefaultVisLabelService extends TestVisibilityLabels {
062
063  @ClassRule
064  public static final HBaseClassTestRule CLASS_RULE =
065      HBaseClassTestRule.forClass(TestVisibilityLabelsWithDefaultVisLabelService.class);
066
067  private static final Logger LOG = LoggerFactory.getLogger(
068    TestVisibilityLabelsWithDefaultVisLabelService.class);
069
070  @BeforeClass
071  public static void setupBeforeClass() throws Exception {
072    // setup configuration
073    conf = TEST_UTIL.getConfiguration();
074    VisibilityTestUtil.enableVisiblityLabels(conf);
075    conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
076        ScanLabelGenerator.class);
077    conf.set("hbase.superuser", "admin");
078    TEST_UTIL.startMiniCluster(2);
079    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
080    USER1 = User.createUserForTesting(conf, "user1", new String[] {});
081
082    // Wait for the labels table to become available
083    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
084    addLabels();
085  }
086
087  @Test
088  public void testAddLabels() throws Throwable {
089    PrivilegedExceptionAction<VisibilityLabelsResponse> action =
090        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
091      @Override
092      public VisibilityLabelsResponse run() throws Exception {
093        String[] labels = { "L1", SECRET, "L2", "invalid~", "L3" };
094        VisibilityLabelsResponse response = null;
095        try (Connection conn = ConnectionFactory.createConnection(conf)) {
096          response = VisibilityClient.addLabels(conn, labels);
097        } catch (Throwable e) {
098          throw new IOException(e);
099        }
100        List<RegionActionResult> resultList = response.getResultList();
101        assertEquals(5, resultList.size());
102        assertTrue(resultList.get(0).getException().getValue().isEmpty());
103        assertEquals("org.apache.hadoop.hbase.DoNotRetryIOException", resultList.get(1)
104            .getException().getName());
105        assertTrue(Bytes.toString(resultList.get(1).getException().getValue().toByteArray())
106            .contains(
107                "org.apache.hadoop.hbase.security.visibility.LabelAlreadyExistsException: "
108                    + "Label 'secret' already exists"));
109        assertTrue(resultList.get(2).getException().getValue().isEmpty());
110        assertTrue(resultList.get(3).getException().getValue().isEmpty());
111        assertTrue(resultList.get(4).getException().getValue().isEmpty());
112        return null;
113      }
114    };
115    SUPERUSER.runAs(action);
116  }
117
118  @Test
119  public void testAddVisibilityLabelsOnRSRestart() throws Exception {
120    List<RegionServerThread> regionServerThreads = TEST_UTIL.getHBaseCluster()
121        .getRegionServerThreads();
122    for (RegionServerThread rsThread : regionServerThreads) {
123      rsThread.getRegionServer().abort("Aborting ");
124    }
125    // Start one new RS
126    RegionServerThread rs = TEST_UTIL.getHBaseCluster().startRegionServer();
127    waitForLabelsRegionAvailability(rs.getRegionServer());
128    final AtomicBoolean vcInitialized = new AtomicBoolean(true);
129    do {
130      PrivilegedExceptionAction<VisibilityLabelsResponse> action =
131          new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
132        @Override
133        public VisibilityLabelsResponse run() throws Exception {
134          String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, "ABC", "XYZ" };
135          try (Connection conn = ConnectionFactory.createConnection(conf)) {
136            VisibilityLabelsResponse resp = VisibilityClient.addLabels(conn, labels);
137            List<RegionActionResult> results = resp.getResultList();
138            if (results.get(0).hasException()) {
139              NameBytesPair pair = results.get(0).getException();
140              Throwable t = ProtobufUtil.toException(pair);
141              LOG.debug("Got exception writing labels", t);
142              if (t instanceof VisibilityControllerNotReadyException) {
143                vcInitialized.set(false);
144                LOG.warn("VisibilityController was not yet initialized");
145                Threads.sleep(10);
146              } else {
147                vcInitialized.set(true);
148              }
149            } else LOG.debug("new labels added: " + resp);
150          } catch (Throwable t) {
151            throw new IOException(t);
152          }
153          return null;
154        }
155      };
156      SUPERUSER.runAs(action);
157    } while (!vcInitialized.get());
158    // Scan the visibility label
159    Scan s = new Scan();
160    s.setAuthorizations(new Authorizations(VisibilityUtils.SYSTEM_LABEL));
161
162    int i = 0;
163    try (Table ht = TEST_UTIL.getConnection().getTable(LABELS_TABLE_NAME);
164         ResultScanner scanner = ht.getScanner(s)) {
165      while (true) {
166        Result next = scanner.next();
167        if (next == null) {
168          break;
169        }
170        i++;
171      }
172    }
173    // One label is the "system" label.
174    Assert.assertEquals("The count should be 13", 13, i);
175  }
176
177  @Test
178  public void testListLabels() throws Throwable {
179    PrivilegedExceptionAction<ListLabelsResponse> action =
180        new PrivilegedExceptionAction<ListLabelsResponse>() {
181      @Override
182      public ListLabelsResponse run() throws Exception {
183        ListLabelsResponse response = null;
184        try (Connection conn = ConnectionFactory.createConnection(conf)) {
185          response = VisibilityClient.listLabels(conn, null);
186        } catch (Throwable e) {
187          throw new IOException(e);
188        }
189        // The addLabels() in setup added:
190        // { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE, COPYRIGHT, ACCENT,
191        //  UNICODE_VIS_TAG, UC1, UC2 };
192        // The previous tests added 2 more labels: ABC, XYZ
193        // The 'system' label is excluded.
194        List<ByteString> labels = response.getLabelList();
195        assertEquals(12, labels.size());
196        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(SECRET))));
197        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(TOPSECRET))));
198        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(CONFIDENTIAL))));
199        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes("ABC"))));
200        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes("XYZ"))));
201        assertFalse(labels.contains(ByteString.copyFrom(Bytes.toBytes(SYSTEM_LABEL))));
202        return null;
203      }
204    };
205    SUPERUSER.runAs(action);
206  }
207
208  @Test
209  public void testListLabelsWithRegEx() throws Throwable {
210    PrivilegedExceptionAction<ListLabelsResponse> action =
211        new PrivilegedExceptionAction<ListLabelsResponse>() {
212      @Override
213      public ListLabelsResponse run() throws Exception {
214        ListLabelsResponse response = null;
215        try (Connection conn = ConnectionFactory.createConnection(conf)) {
216          response = VisibilityClient.listLabels(conn, ".*secret");
217        } catch (Throwable e) {
218          throw new IOException(e);
219        }
220        // Only return the labels that end with 'secret'
221        List<ByteString> labels = response.getLabelList();
222        assertEquals(2, labels.size());
223        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(SECRET))));
224        assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(TOPSECRET))));
225        return null;
226      }
227    };
228    SUPERUSER.runAs(action);
229  }
230
231  @Test
232  public void testVisibilityLabelsOnWALReplay() throws Exception {
233    final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
234    try (Table table = createTableAndWriteDataWithLabels(tableName,
235        "(" + SECRET + "|" + CONFIDENTIAL + ")", PRIVATE)) {
236      List<RegionServerThread> regionServerThreads = TEST_UTIL.getHBaseCluster()
237          .getRegionServerThreads();
238      for (RegionServerThread rsThread : regionServerThreads) {
239        rsThread.getRegionServer().abort("Aborting ");
240      }
241      // Start one new RS
242      RegionServerThread rs = TEST_UTIL.getHBaseCluster().startRegionServer();
243      waitForLabelsRegionAvailability(rs.getRegionServer());
244      Scan s = new Scan();
245      s.setAuthorizations(new Authorizations(SECRET));
246      ResultScanner scanner = table.getScanner(s);
247      Result[] next = scanner.next(3);
248      assertTrue(next.length == 1);
249    }
250  }
251}