Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.access;
019
020import static org.junit.Assert.assertFalse;
021import static org.junit.Assert.assertTrue;
022
023import java.util.ArrayList;
024import java.util.List;
025import java.util.concurrent.atomic.AtomicBoolean;
026import org.apache.hadoop.conf.Configuration;
027import org.apache.hadoop.hbase.Abortable;
028import org.apache.hadoop.hbase.HBaseClassTestRule;
029import org.apache.hadoop.hbase.HBaseTestingUtility;
030import org.apache.hadoop.hbase.TableName;
031import org.apache.hadoop.hbase.Waiter.Predicate;
032import org.apache.hadoop.hbase.security.User;
033import org.apache.hadoop.hbase.testclassification.LargeTests;
034import org.apache.hadoop.hbase.testclassification.SecurityTests;
035import org.apache.hadoop.hbase.zookeeper.ZKWatcher;
036import org.junit.AfterClass;
037import org.junit.BeforeClass;
038import org.junit.ClassRule;
039import org.junit.Test;
040import org.junit.experimental.categories.Category;
041import org.slf4j.Logger;
042import org.slf4j.LoggerFactory;
043
044import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
045import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
046
047/**
048 * Test the reading and writing of access permissions to and from zookeeper.
049 */
050@Category({SecurityTests.class, LargeTests.class})
051public class TestZKPermissionWatcher {
052
053  @ClassRule
054  public static final HBaseClassTestRule CLASS_RULE =
055      HBaseClassTestRule.forClass(TestZKPermissionWatcher.class);
056
057  private static final Logger LOG = LoggerFactory.getLogger(TestZKPermissionWatcher.class);
058  private static final HBaseTestingUtility UTIL = new HBaseTestingUtility();
059  private static AuthManager AUTH_A;
060  private static AuthManager AUTH_B;
061  private final static Abortable ABORTABLE = new Abortable() {
062    private final AtomicBoolean abort = new AtomicBoolean(false);
063
064    @Override
065    public void abort(String why, Throwable e) {
066      LOG.info(why, e);
067      abort.set(true);
068    }
069
070    @Override
071    public boolean isAborted() {
072      return abort.get();
073    }
074  };
075
076  private static TableName TEST_TABLE =
077      TableName.valueOf("perms_test");
078
079  @BeforeClass
080  public static void beforeClass() throws Exception {
081    // setup configuration
082    Configuration conf = UTIL.getConfiguration();
083    SecureTestUtil.enableSecurity(conf);
084
085    // start minicluster
086    UTIL.startMiniCluster();
087    AUTH_A = AuthManager.getOrCreate(new ZKWatcher(conf,
088      "TestZKPermissionsWatcher_1", ABORTABLE), conf);
089    AUTH_B = AuthManager.getOrCreate(new ZKWatcher(conf,
090      "TestZKPermissionsWatcher_2", ABORTABLE), conf);
091  }
092
093  @AfterClass
094  public static void afterClass() throws Exception {
095    UTIL.shutdownMiniCluster();
096  }
097
098  @Test
099  public void testPermissionsWatcher() throws Exception {
100    Configuration conf = UTIL.getConfiguration();
101    User george = User.createUserForTesting(conf, "george", new String[] { });
102    User hubert = User.createUserForTesting(conf, "hubert", new String[] { });
103
104    assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
105    assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
106    assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
107    assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
108
109    assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
110    assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
111    assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
112    assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
113
114    // update ACL: george RW
115    List<UserPermission> acl = new ArrayList<>(1);
116    acl.add(new UserPermission(george.getShortName(), Permission.newBuilder(TEST_TABLE)
117        .withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
118    ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create();
119    multimap.putAll(george.getShortName(), acl);
120    byte[] serialized = AccessControlLists.writePermissionsAsBytes(multimap, conf);
121    AUTH_A.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized);
122    final long mtimeB = AUTH_B.getMTime();
123    // Wait for the update to propagate
124    UTIL.waitFor(10000, 100, new Predicate<Exception>() {
125      @Override
126      public boolean evaluate() throws Exception {
127        return AUTH_B.getMTime() > mtimeB;
128      }
129    });
130    Thread.sleep(1000);
131
132    // check it
133    assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
134    assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
135    assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
136    assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
137    assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
138    assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
139    assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
140    assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
141
142    // update ACL: hubert R
143    List<UserPermission> acl2 = new ArrayList<>(1);
144    acl2.add(new UserPermission(hubert.getShortName(),
145        Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build()));
146    final long mtimeA = AUTH_A.getMTime();
147    multimap.putAll(hubert.getShortName(), acl2);
148    byte[] serialized2 = AccessControlLists.writePermissionsAsBytes(multimap, conf);
149    AUTH_B.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized2);
150    // Wait for the update to propagate
151    UTIL.waitFor(10000, 100, new Predicate<Exception>() {
152      @Override
153      public boolean evaluate() throws Exception {
154        return AUTH_A.getMTime() > mtimeA;
155      }
156    });
157    Thread.sleep(1000);
158
159    // check it
160    assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
161    assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
162    assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
163    assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
164    assertTrue(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
165    assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
166    assertTrue(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
167    assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
168  }
169}