001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security.access; 019 020import static org.apache.hadoop.hbase.AuthUtil.toGroupEntry; 021import static org.junit.Assert.assertArrayEquals; 022import static org.junit.Assert.assertEquals; 023import static org.junit.Assert.assertFalse; 024import static org.junit.Assert.assertNotNull; 025import static org.junit.Assert.assertTrue; 026import static org.junit.Assert.fail; 027 028import com.google.protobuf.BlockingRpcChannel; 029import com.google.protobuf.RpcCallback; 030import com.google.protobuf.RpcController; 031import com.google.protobuf.Service; 032import com.google.protobuf.ServiceException; 033import java.io.IOException; 034import java.security.PrivilegedAction; 035import java.util.ArrayList; 036import java.util.Arrays; 037import java.util.Collection; 038import java.util.Collections; 039import java.util.List; 040import org.apache.hadoop.conf.Configuration; 041import org.apache.hadoop.fs.CommonConfigurationKeys; 042import org.apache.hadoop.fs.FileStatus; 043import org.apache.hadoop.fs.FileSystem; 044import org.apache.hadoop.fs.Path; 045import org.apache.hadoop.fs.permission.FsPermission; 046import org.apache.hadoop.hbase.Coprocessor; 047import org.apache.hadoop.hbase.CoprocessorEnvironment; 048import org.apache.hadoop.hbase.HBaseClassTestRule; 049import org.apache.hadoop.hbase.HBaseIOException; 050import org.apache.hadoop.hbase.HBaseTestingUtility; 051import org.apache.hadoop.hbase.HColumnDescriptor; 052import org.apache.hadoop.hbase.HConstants; 053import org.apache.hadoop.hbase.HRegionInfo; 054import org.apache.hadoop.hbase.HRegionLocation; 055import org.apache.hadoop.hbase.HTableDescriptor; 056import org.apache.hadoop.hbase.KeyValue; 057import org.apache.hadoop.hbase.MiniHBaseCluster; 058import org.apache.hadoop.hbase.NamespaceDescriptor; 059import org.apache.hadoop.hbase.ServerName; 060import org.apache.hadoop.hbase.TableName; 061import org.apache.hadoop.hbase.TableNotFoundException; 062import org.apache.hadoop.hbase.client.Admin; 063import org.apache.hadoop.hbase.client.Append; 064import org.apache.hadoop.hbase.client.Connection; 065import org.apache.hadoop.hbase.client.ConnectionFactory; 066import org.apache.hadoop.hbase.client.Delete; 067import org.apache.hadoop.hbase.client.Get; 068import org.apache.hadoop.hbase.client.Increment; 069import org.apache.hadoop.hbase.client.MasterSwitchType; 070import org.apache.hadoop.hbase.client.Put; 071import org.apache.hadoop.hbase.client.RegionLocator; 072import org.apache.hadoop.hbase.client.Result; 073import org.apache.hadoop.hbase.client.ResultScanner; 074import org.apache.hadoop.hbase.client.Scan; 075import org.apache.hadoop.hbase.client.SnapshotDescription; 076import org.apache.hadoop.hbase.client.Table; 077import org.apache.hadoop.hbase.client.security.SecurityCapability; 078import org.apache.hadoop.hbase.coprocessor.CoprocessorHost; 079import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; 080import org.apache.hadoop.hbase.coprocessor.ObserverContextImpl; 081import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor; 082import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment; 083import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment; 084import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.CountRequest; 085import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.CountResponse; 086import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.HelloRequest; 087import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.HelloResponse; 088import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.IncrementCountRequest; 089import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.IncrementCountResponse; 090import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.NoopRequest; 091import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.NoopResponse; 092import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.PingRequest; 093import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.PingResponse; 094import org.apache.hadoop.hbase.coprocessor.protobuf.generated.PingProtos.PingService; 095import org.apache.hadoop.hbase.exceptions.HBaseException; 096import org.apache.hadoop.hbase.io.hfile.CacheConfig; 097import org.apache.hadoop.hbase.io.hfile.HFile; 098import org.apache.hadoop.hbase.io.hfile.HFileContext; 099import org.apache.hadoop.hbase.io.hfile.HFileContextBuilder; 100import org.apache.hadoop.hbase.master.HMaster; 101import org.apache.hadoop.hbase.master.MasterCoprocessorHost; 102import org.apache.hadoop.hbase.master.locking.LockProcedure; 103import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv; 104import org.apache.hadoop.hbase.master.procedure.TableProcedureInterface; 105import org.apache.hadoop.hbase.procedure2.LockType; 106import org.apache.hadoop.hbase.procedure2.Procedure; 107import org.apache.hadoop.hbase.procedure2.ProcedureExecutor; 108import org.apache.hadoop.hbase.procedure2.ProcedureStateSerializer; 109import org.apache.hadoop.hbase.procedure2.ProcedureYieldException; 110import org.apache.hadoop.hbase.protobuf.ProtobufUtil; 111import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos; 112import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService; 113import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.CheckPermissionsRequest; 114import org.apache.hadoop.hbase.regionserver.FlushLifeCycleTracker; 115import org.apache.hadoop.hbase.regionserver.HRegion; 116import org.apache.hadoop.hbase.regionserver.HRegionServer; 117import org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost; 118import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost; 119import org.apache.hadoop.hbase.regionserver.ScanType; 120import org.apache.hadoop.hbase.replication.ReplicationPeerConfig; 121import org.apache.hadoop.hbase.security.Superusers; 122import org.apache.hadoop.hbase.security.User; 123import org.apache.hadoop.hbase.security.access.Permission.Action; 124import org.apache.hadoop.hbase.testclassification.LargeTests; 125import org.apache.hadoop.hbase.testclassification.SecurityTests; 126import org.apache.hadoop.hbase.tool.LoadIncrementalHFiles; 127import org.apache.hadoop.hbase.util.Bytes; 128import org.apache.hadoop.hbase.util.JVMClusterUtil; 129import org.apache.hadoop.hbase.util.Threads; 130import org.apache.hadoop.security.GroupMappingServiceProvider; 131import org.apache.hadoop.security.ShellBasedUnixGroupsMapping; 132import org.apache.hadoop.security.UserGroupInformation; 133import org.junit.AfterClass; 134import org.junit.BeforeClass; 135import org.junit.ClassRule; 136import org.junit.Rule; 137import org.junit.Test; 138import org.junit.experimental.categories.Category; 139import org.junit.rules.TestName; 140import org.slf4j.Logger; 141import org.slf4j.LoggerFactory; 142 143import org.apache.hadoop.hbase.shaded.ipc.protobuf.generated.TestProcedureProtos; 144import org.apache.hadoop.hbase.shaded.protobuf.generated.ProcedureProtos.ProcedureState; 145 146/** 147 * Performs authorization checks for common operations, according to different 148 * levels of authorized users. 149 */ 150@Category({SecurityTests.class, LargeTests.class}) 151public class TestAccessController extends SecureTestUtil { 152 153 @ClassRule 154 public static final HBaseClassTestRule CLASS_RULE = 155 HBaseClassTestRule.forClass(TestAccessController.class); 156 157 private static final FsPermission FS_PERMISSION_ALL = FsPermission.valueOf("-rwxrwxrwx"); 158 private static final Logger LOG = LoggerFactory.getLogger(TestAccessController.class); 159 private static TableName TEST_TABLE = TableName.valueOf("testtable1"); 160 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); 161 private static Configuration conf; 162 163 /** The systemUserConnection created here is tied to the system user. In case, you are planning 164 * to create AccessTestAction, DON'T use this systemUserConnection as the 'doAs' user 165 * gets eclipsed by the system user. */ 166 private static Connection systemUserConnection; 167 168 169 // user with all permissions 170 private static User SUPERUSER; 171 // user granted with all global permission 172 private static User USER_ADMIN; 173 // user with rw permissions on column family. 174 private static User USER_RW; 175 // user with read-only permissions 176 private static User USER_RO; 177 // user is table owner. will have all permissions on table 178 private static User USER_OWNER; 179 // user with create table permissions alone 180 private static User USER_CREATE; 181 // user with no permissions 182 private static User USER_NONE; 183 // user with admin rights on the column family 184 private static User USER_ADMIN_CF; 185 186 private static final String GROUP_ADMIN = "group_admin"; 187 private static final String GROUP_CREATE = "group_create"; 188 private static final String GROUP_READ = "group_read"; 189 private static final String GROUP_WRITE = "group_write"; 190 191 private static User USER_GROUP_ADMIN; 192 private static User USER_GROUP_CREATE; 193 private static User USER_GROUP_READ; 194 private static User USER_GROUP_WRITE; 195 196 // TODO: convert this test to cover the full matrix in 197 // https://hbase.apache.org/book/appendix_acl_matrix.html 198 // creating all Scope x Permission combinations 199 200 private static TableName TEST_TABLE2 = TableName.valueOf("testtable2"); 201 private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); 202 private static byte[] TEST_QUALIFIER = Bytes.toBytes("q1"); 203 private static byte[] TEST_ROW = Bytes.toBytes("r1"); 204 205 private static MasterCoprocessorEnvironment CP_ENV; 206 private static AccessController ACCESS_CONTROLLER; 207 private static RegionServerCoprocessorEnvironment RSCP_ENV; 208 private static RegionCoprocessorEnvironment RCP_ENV; 209 210 @Rule 211 public TestName name = new TestName(); 212 213 @BeforeClass 214 public static void setupBeforeClass() throws Exception { 215 // setup configuration 216 conf = TEST_UTIL.getConfiguration(); 217 // Up the handlers; this test needs more than usual. 218 conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10); 219 220 conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING, 221 MyShellBasedUnixGroupsMapping.class.getName()); 222 UserGroupInformation.setConfiguration(conf); 223 224 // Enable security 225 enableSecurity(conf); 226 // In this particular test case, we can't use SecureBulkLoadEndpoint because its doAs will fail 227 // to move a file for a random user 228 conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName()); 229 // Verify enableSecurity sets up what we require 230 verifyConfiguration(conf); 231 232 // Enable EXEC permission checking 233 conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true); 234 235 TEST_UTIL.startMiniCluster(); 236 MasterCoprocessorHost masterCpHost = 237 TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost(); 238 masterCpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf); 239 ACCESS_CONTROLLER = masterCpHost.findCoprocessor(AccessController.class); 240 CP_ENV = masterCpHost.createEnvironment( 241 ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); 242 RegionServerCoprocessorHost rsCpHost = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0) 243 .getRegionServerCoprocessorHost(); 244 RSCP_ENV = rsCpHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); 245 246 // Wait for the ACL table to become available 247 TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME); 248 249 // create a set of test users 250 SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); 251 USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]); 252 USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]); 253 USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); 254 USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); 255 USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); 256 USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); 257 USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); 258 259 USER_GROUP_ADMIN = 260 User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); 261 USER_GROUP_CREATE = 262 User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); 263 USER_GROUP_READ = 264 User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ }); 265 USER_GROUP_WRITE = 266 User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); 267 268 systemUserConnection = TEST_UTIL.getConnection(); 269 setUpTableAndUserPermissions(); 270 } 271 272 @AfterClass 273 public static void tearDownAfterClass() throws Exception { 274 cleanUp(); 275 TEST_UTIL.shutdownMiniCluster(); 276 } 277 278 private static void setUpTableAndUserPermissions() throws Exception { 279 HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); 280 HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); 281 hcd.setMaxVersions(100); 282 htd.addFamily(hcd); 283 htd.setOwner(USER_OWNER); 284 createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") }); 285 286 HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); 287 RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); 288 RCP_ENV = rcpHost.createEnvironment(ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); 289 290 // Set up initial grants 291 292 grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), 293 Permission.Action.ADMIN, 294 Permission.Action.CREATE, 295 Permission.Action.READ, 296 Permission.Action.WRITE); 297 298 grantOnTable(TEST_UTIL, USER_RW.getShortName(), 299 TEST_TABLE, TEST_FAMILY, null, 300 Permission.Action.READ, 301 Permission.Action.WRITE); 302 303 // USER_CREATE is USER_RW plus CREATE permissions 304 grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), 305 TEST_TABLE, null, null, 306 Permission.Action.CREATE, 307 Permission.Action.READ, 308 Permission.Action.WRITE); 309 310 grantOnTable(TEST_UTIL, USER_RO.getShortName(), 311 TEST_TABLE, TEST_FAMILY, null, 312 Permission.Action.READ); 313 314 grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), 315 TEST_TABLE, TEST_FAMILY, 316 null, Permission.Action.ADMIN, Permission.Action.CREATE); 317 318 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN); 319 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_CREATE), Permission.Action.CREATE); 320 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ); 321 grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE); 322 323 assertEquals(5, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size()); 324 int size = 0; 325 try { 326 size = AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()) 327 .size(); 328 } catch (Throwable e) { 329 LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); 330 fail("error during call of AccessControlClient.getUserPermissions."); 331 } 332 assertEquals(5, size); 333 } 334 335 private static void cleanUp() throws Exception { 336 // Clean the _acl_ table 337 try { 338 deleteTable(TEST_UTIL, TEST_TABLE); 339 } catch (TableNotFoundException ex) { 340 // Test deleted the table, no problem 341 LOG.info("Test deleted table " + TEST_TABLE); 342 } 343 // Verify all table/namespace permissions are erased 344 assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size()); 345 assertEquals(0, 346 PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size()); 347 } 348 349 @Test 350 public void testUnauthorizedShutdown() throws Exception { 351 AccessTestAction action = new AccessTestAction() { 352 @Override public Object run() throws Exception { 353 HMaster master = TEST_UTIL.getHBaseCluster().getMaster(); 354 master.shutdown(); 355 return null; 356 } 357 }; 358 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 359 USER_GROUP_WRITE, USER_GROUP_CREATE); 360 } 361 362 @Test 363 public void testUnauthorizedStopMaster() throws Exception { 364 AccessTestAction action = new AccessTestAction() { 365 @Override public Object run() throws Exception { 366 HMaster master = TEST_UTIL.getHBaseCluster().getMaster(); 367 master.stopMaster(); 368 return null; 369 } 370 }; 371 372 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 373 USER_GROUP_WRITE, USER_GROUP_CREATE); 374 } 375 376 @Test 377 public void testSecurityCapabilities() throws Exception { 378 List<SecurityCapability> capabilities = TEST_UTIL.getConnection().getAdmin() 379 .getSecurityCapabilities(); 380 assertTrue("AUTHORIZATION capability is missing", 381 capabilities.contains(SecurityCapability.AUTHORIZATION)); 382 assertTrue("CELL_AUTHORIZATION capability is missing", 383 capabilities.contains(SecurityCapability.CELL_AUTHORIZATION)); 384 } 385 386 @Test 387 public void testTableCreate() throws Exception { 388 AccessTestAction createTable = new AccessTestAction() { 389 @Override 390 public Object run() throws Exception { 391 HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(name.getMethodName())); 392 htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); 393 ACCESS_CONTROLLER.preCreateTable(ObserverContextImpl.createAndPrepare(CP_ENV), htd, null); 394 return null; 395 } 396 }; 397 398 // verify that superuser can create tables 399 verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN); 400 401 // all others should be denied 402 verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 403 USER_GROUP_WRITE); 404 } 405 406 @Test 407 public void testTableModify() throws Exception { 408 AccessTestAction modifyTable = new AccessTestAction() { 409 @Override 410 public Object run() throws Exception { 411 HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); 412 htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); 413 htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName())); 414 ACCESS_CONTROLLER.preModifyTable(ObserverContextImpl.createAndPrepare(CP_ENV), TEST_TABLE, 415 null, htd); 416 return null; 417 } 418 }; 419 420 verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, 421 USER_GROUP_ADMIN); 422 verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 423 } 424 425 @Test 426 public void testTableDelete() throws Exception { 427 AccessTestAction deleteTable = new AccessTestAction() { 428 @Override 429 public Object run() throws Exception { 430 ACCESS_CONTROLLER 431 .preDeleteTable(ObserverContextImpl.createAndPrepare(CP_ENV), TEST_TABLE); 432 return null; 433 } 434 }; 435 436 verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, 437 USER_GROUP_ADMIN); 438 verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 439 } 440 441 @Test 442 public void testTableTruncate() throws Exception { 443 AccessTestAction truncateTable = new AccessTestAction() { 444 @Override 445 public Object run() throws Exception { 446 ACCESS_CONTROLLER 447 .preTruncateTable(ObserverContextImpl.createAndPrepare(CP_ENV), 448 TEST_TABLE); 449 return null; 450 } 451 }; 452 453 verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, 454 USER_GROUP_ADMIN); 455 verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 456 } 457 458 @Test 459 public void testTableDisable() throws Exception { 460 AccessTestAction disableTable = new AccessTestAction() { 461 @Override 462 public Object run() throws Exception { 463 ACCESS_CONTROLLER.preDisableTable(ObserverContextImpl.createAndPrepare(CP_ENV), 464 TEST_TABLE); 465 return null; 466 } 467 }; 468 469 AccessTestAction disableAclTable = new AccessTestAction() { 470 @Override 471 public Object run() throws Exception { 472 ACCESS_CONTROLLER.preDisableTable(ObserverContextImpl.createAndPrepare(CP_ENV), 473 PermissionStorage.ACL_TABLE_NAME); 474 return null; 475 } 476 }; 477 478 verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, 479 USER_GROUP_ADMIN); 480 verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 481 482 // No user should be allowed to disable _acl_ table 483 verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, 484 USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); 485 } 486 487 @Test 488 public void testTableEnable() throws Exception { 489 AccessTestAction enableTable = new AccessTestAction() { 490 @Override 491 public Object run() throws Exception { 492 ACCESS_CONTROLLER 493 .preEnableTable(ObserverContextImpl.createAndPrepare(CP_ENV), TEST_TABLE); 494 return null; 495 } 496 }; 497 498 verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, 499 USER_GROUP_ADMIN); 500 verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 501 } 502 503 public static class TestTableDDLProcedure extends Procedure<MasterProcedureEnv> 504 implements TableProcedureInterface { 505 private TableName tableName; 506 507 public TestTableDDLProcedure() { 508 } 509 510 public TestTableDDLProcedure(final MasterProcedureEnv env, final TableName tableName) 511 throws IOException { 512 this.tableName = tableName; 513 this.setTimeout(180000); // Timeout in 3 minutes 514 this.setOwner(env.getRequestUser()); 515 } 516 517 @Override 518 public TableName getTableName() { 519 return tableName; 520 } 521 522 @Override 523 public TableOperationType getTableOperationType() { 524 return TableOperationType.EDIT; 525 } 526 527 @Override 528 protected boolean abort(MasterProcedureEnv env) { 529 return true; 530 } 531 532 @Override 533 protected void serializeStateData(ProcedureStateSerializer serializer) 534 throws IOException { 535 TestProcedureProtos.TestTableDDLStateData.Builder testTableDDLMsg = 536 TestProcedureProtos.TestTableDDLStateData.newBuilder() 537 .setTableName(tableName.getNameAsString()); 538 serializer.serialize(testTableDDLMsg.build()); 539 } 540 541 @Override 542 protected void deserializeStateData(ProcedureStateSerializer serializer) 543 throws IOException { 544 TestProcedureProtos.TestTableDDLStateData testTableDDLMsg = 545 serializer.deserialize(TestProcedureProtos.TestTableDDLStateData.class); 546 tableName = TableName.valueOf(testTableDDLMsg.getTableName()); 547 } 548 549 @Override 550 protected Procedure[] execute(MasterProcedureEnv env) throws ProcedureYieldException, 551 InterruptedException { 552 // Not letting the procedure to complete until timed out 553 setState(ProcedureState.WAITING_TIMEOUT); 554 return null; 555 } 556 557 @Override 558 protected void rollback(MasterProcedureEnv env) throws IOException, InterruptedException { 559 } 560 } 561 562 @Test 563 public void testAbortProcedure() throws Exception { 564 long procId = 1; 565 AccessTestAction abortProcedureAction = new AccessTestAction() { 566 @Override 567 public Object run() throws Exception { 568 ACCESS_CONTROLLER.preAbortProcedure(ObserverContextImpl.createAndPrepare(CP_ENV), procId); 569 return null; 570 } 571 }; 572 573 verifyAllowed(abortProcedureAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 574 } 575 576 @Test 577 public void testGetProcedures() throws Exception { 578 final TableName tableName = TableName.valueOf(name.getMethodName()); 579 final ProcedureExecutor<MasterProcedureEnv> procExec = 580 TEST_UTIL.getHBaseCluster().getMaster().getMasterProcedureExecutor(); 581 Procedure proc = new TestTableDDLProcedure(procExec.getEnvironment(), tableName); 582 proc.setOwner(USER_OWNER); 583 procExec.submitProcedure(proc); 584 final List<Procedure<MasterProcedureEnv>> procList = procExec.getProcedures(); 585 586 AccessTestAction getProceduresAction = new AccessTestAction() { 587 @Override 588 public Object run() throws Exception { 589 ACCESS_CONTROLLER 590 .postGetProcedures(ObserverContextImpl.createAndPrepare(CP_ENV)); 591 return null; 592 } 593 }; 594 595 verifyAllowed(getProceduresAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 596 verifyAllowed(getProceduresAction, USER_OWNER); 597 verifyIfNull( 598 getProceduresAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 599 } 600 601 @Test 602 public void testGetLocks() throws Exception { 603 AccessTestAction action = new AccessTestAction() { 604 @Override 605 public Object run() throws Exception { 606 ACCESS_CONTROLLER.preGetLocks(ObserverContextImpl.createAndPrepare(CP_ENV)); 607 return null; 608 } 609 }; 610 611 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 612 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, 613 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 614 } 615 616 @Test 617 public void testMove() throws Exception { 618 List<HRegionLocation> regions; 619 try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { 620 regions = locator.getAllRegionLocations(); 621 } 622 HRegionLocation location = regions.get(0); 623 final HRegionInfo hri = location.getRegionInfo(); 624 final ServerName server = location.getServerName(); 625 AccessTestAction action = new AccessTestAction() { 626 @Override 627 public Object run() throws Exception { 628 ACCESS_CONTROLLER.preMove(ObserverContextImpl.createAndPrepare(CP_ENV), 629 hri, server, server); 630 return null; 631 } 632 }; 633 634 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 635 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 636 USER_GROUP_WRITE, USER_GROUP_CREATE); 637 } 638 639 @Test 640 public void testAssign() throws Exception { 641 List<HRegionLocation> regions; 642 try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { 643 regions = locator.getAllRegionLocations(); 644 } 645 HRegionLocation location = regions.get(0); 646 final HRegionInfo hri = location.getRegionInfo(); 647 AccessTestAction action = new AccessTestAction() { 648 @Override 649 public Object run() throws Exception { 650 ACCESS_CONTROLLER.preAssign(ObserverContextImpl.createAndPrepare(CP_ENV), hri); 651 return null; 652 } 653 }; 654 655 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 656 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 657 USER_GROUP_WRITE, USER_GROUP_CREATE); 658 } 659 660 @Test 661 public void testUnassign() throws Exception { 662 List<HRegionLocation> regions; 663 try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { 664 regions = locator.getAllRegionLocations(); 665 } 666 HRegionLocation location = regions.get(0); 667 final HRegionInfo hri = location.getRegionInfo(); 668 AccessTestAction action = new AccessTestAction() { 669 @Override 670 public Object run() throws Exception { 671 ACCESS_CONTROLLER.preUnassign(ObserverContextImpl.createAndPrepare(CP_ENV), hri); 672 return null; 673 } 674 }; 675 676 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 677 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 678 USER_GROUP_WRITE, USER_GROUP_CREATE); 679 } 680 681 @Test 682 public void testRegionOffline() throws Exception { 683 List<HRegionLocation> regions; 684 try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { 685 regions = locator.getAllRegionLocations(); 686 } 687 HRegionLocation location = regions.get(0); 688 final HRegionInfo hri = location.getRegionInfo(); 689 AccessTestAction action = new AccessTestAction() { 690 @Override 691 public Object run() throws Exception { 692 ACCESS_CONTROLLER.preRegionOffline(ObserverContextImpl.createAndPrepare(CP_ENV), hri); 693 return null; 694 } 695 }; 696 697 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 698 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 699 USER_GROUP_WRITE, USER_GROUP_CREATE); 700 } 701 702 @Test 703 public void testSetSplitOrMergeEnabled() throws Exception { 704 AccessTestAction action = new AccessTestAction() { 705 @Override 706 public Object run() throws Exception { 707 ACCESS_CONTROLLER.preSetSplitOrMergeEnabled(ObserverContextImpl.createAndPrepare(CP_ENV), 708 true, MasterSwitchType.MERGE); 709 return null; 710 } 711 }; 712 713 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 714 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 715 USER_GROUP_WRITE, USER_GROUP_CREATE); 716 } 717 718 @Test 719 public void testBalance() throws Exception { 720 AccessTestAction action = new AccessTestAction() { 721 @Override 722 public Object run() throws Exception { 723 ACCESS_CONTROLLER.preBalance(ObserverContextImpl.createAndPrepare(CP_ENV)); 724 return null; 725 } 726 }; 727 728 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 729 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 730 USER_GROUP_WRITE, USER_GROUP_CREATE); 731 } 732 733 @Test 734 public void testBalanceSwitch() throws Exception { 735 AccessTestAction action = new AccessTestAction() { 736 @Override 737 public Object run() throws Exception { 738 ACCESS_CONTROLLER.preBalanceSwitch(ObserverContextImpl.createAndPrepare(CP_ENV), true); 739 return null; 740 } 741 }; 742 743 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 744 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 745 USER_GROUP_WRITE, USER_GROUP_CREATE); 746 } 747 748 @Test 749 public void testShutdown() throws Exception { 750 AccessTestAction action = new AccessTestAction() { 751 @Override 752 public Object run() throws Exception { 753 ACCESS_CONTROLLER.preShutdown(ObserverContextImpl.createAndPrepare(CP_ENV)); 754 return null; 755 } 756 }; 757 758 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 759 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 760 USER_GROUP_WRITE, USER_GROUP_CREATE); 761 } 762 763 @Test 764 public void testStopMaster() throws Exception { 765 AccessTestAction action = new AccessTestAction() { 766 @Override 767 public Object run() throws Exception { 768 ACCESS_CONTROLLER.preStopMaster(ObserverContextImpl.createAndPrepare(CP_ENV)); 769 return null; 770 } 771 }; 772 773 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 774 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 775 USER_GROUP_WRITE, USER_GROUP_CREATE); 776 } 777 778 private void verifyWrite(AccessTestAction action) throws Exception { 779 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, 780 USER_GROUP_WRITE); 781 verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE); 782 } 783 784 @Test 785 public void testSplitWithSplitRow() throws Exception { 786 final TableName tableName = TableName.valueOf(name.getMethodName()); 787 createTestTable(tableName); 788 AccessTestAction action = new AccessTestAction() { 789 @Override 790 public Object run() throws Exception { 791 ACCESS_CONTROLLER.preSplitRegion( 792 ObserverContextImpl.createAndPrepare(CP_ENV), 793 tableName, 794 TEST_ROW); 795 return null; 796 } 797 }; 798 799 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 800 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 801 USER_GROUP_WRITE, USER_GROUP_CREATE); 802 } 803 804 @Test 805 public void testFlush() throws Exception { 806 AccessTestAction action = new AccessTestAction() { 807 @Override 808 public Object run() throws Exception { 809 ACCESS_CONTROLLER.preFlush(ObserverContextImpl.createAndPrepare(RCP_ENV), 810 FlushLifeCycleTracker.DUMMY); 811 return null; 812 } 813 }; 814 815 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, 816 USER_GROUP_ADMIN); 817 verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 818 } 819 820 @Test 821 public void testCompact() throws Exception { 822 AccessTestAction action = new AccessTestAction() { 823 @Override 824 public Object run() throws Exception { 825 ACCESS_CONTROLLER.preCompact(ObserverContextImpl.createAndPrepare(RCP_ENV), null, null, 826 ScanType.COMPACT_RETAIN_DELETES, null, null); 827 return null; 828 } 829 }; 830 831 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, 832 USER_GROUP_ADMIN); 833 verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); 834 } 835 836 private void verifyRead(AccessTestAction action) throws Exception { 837 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO, 838 USER_GROUP_READ); 839 verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE); 840 } 841 842 private void verifyReadWrite(AccessTestAction action) throws Exception { 843 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); 844 verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ, 845 USER_GROUP_WRITE); 846 } 847 848 @Test 849 public void testRead() throws Exception { 850 // get action 851 AccessTestAction getAction = new AccessTestAction() { 852 @Override 853 public Object run() throws Exception { 854 Get g = new Get(TEST_ROW); 855 g.addFamily(TEST_FAMILY); 856 try(Connection conn = ConnectionFactory.createConnection(conf); 857 Table t = conn.getTable(TEST_TABLE)) { 858 t.get(g); 859 } 860 return null; 861 } 862 }; 863 verifyRead(getAction); 864 865 // action for scanning 866 AccessTestAction scanAction = new AccessTestAction() { 867 @Override 868 public Object run() throws Exception { 869 Scan s = new Scan(); 870 s.addFamily(TEST_FAMILY); 871 try(Connection conn = ConnectionFactory.createConnection(conf); 872 Table table = conn.getTable(TEST_TABLE)) { 873 ResultScanner scanner = table.getScanner(s); 874 try { 875 for (Result r = scanner.next(); r != null; r = scanner.next()) { 876 // do nothing 877 } 878 } finally { 879 scanner.close(); 880 } 881 } 882 return null; 883 } 884 }; 885 verifyRead(scanAction); 886 } 887 888 @Test 889 // test put, delete, increment 890 public void testWrite() throws Exception { 891 // put action 892 AccessTestAction putAction = new AccessTestAction() { 893 @Override 894 public Object run() throws Exception { 895 Put p = new Put(TEST_ROW); 896 p.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); 897 try(Connection conn = ConnectionFactory.createConnection(conf); 898 Table t = conn.getTable(TEST_TABLE)) { 899 t.put(p); 900 } 901 return null; 902 } 903 }; 904 verifyWrite(putAction); 905 906 // delete action 907 AccessTestAction deleteAction = new AccessTestAction() { 908 @Override 909 public Object run() throws Exception { 910 Delete d = new Delete(TEST_ROW); 911 d.addFamily(TEST_FAMILY); 912 try(Connection conn = ConnectionFactory.createConnection(conf); 913 Table t = conn.getTable(TEST_TABLE)) { 914 t.delete(d); 915 } 916 return null; 917 } 918 }; 919 verifyWrite(deleteAction); 920 921 // increment action 922 AccessTestAction incrementAction = new AccessTestAction() { 923 @Override 924 public Object run() throws Exception { 925 Increment inc = new Increment(TEST_ROW); 926 inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); 927 try(Connection conn = ConnectionFactory.createConnection(conf); 928 Table t = conn.getTable(TEST_TABLE);) { 929 t.increment(inc); 930 } 931 return null; 932 } 933 }; 934 verifyWrite(incrementAction); 935 } 936 937 @Test 938 public void testReadWrite() throws Exception { 939 // action for checkAndDelete 940 AccessTestAction checkAndDeleteAction = new AccessTestAction() { 941 @Override 942 public Object run() throws Exception { 943 Delete d = new Delete(TEST_ROW); 944 d.addFamily(TEST_FAMILY); 945 try(Connection conn = ConnectionFactory.createConnection(conf); 946 Table t = conn.getTable(TEST_TABLE);) { 947 t.checkAndMutate(TEST_ROW, TEST_FAMILY).qualifier(TEST_QUALIFIER) 948 .ifEquals(Bytes.toBytes("test_value")).thenDelete(d); 949 } 950 return null; 951 } 952 }; 953 verifyReadWrite(checkAndDeleteAction); 954 955 // action for checkAndPut() 956 AccessTestAction checkAndPut = new AccessTestAction() { 957 @Override 958 public Object run() throws Exception { 959 Put p = new Put(TEST_ROW); 960 p.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); 961 try(Connection conn = ConnectionFactory.createConnection(conf); 962 Table t = conn.getTable(TEST_TABLE)) { 963 t.checkAndMutate(TEST_ROW, TEST_FAMILY).qualifier(TEST_QUALIFIER) 964 .ifEquals(Bytes.toBytes("test_value")).thenPut(p); 965 } 966 return null; 967 } 968 }; 969 verifyReadWrite(checkAndPut); 970 } 971 972 @Test 973 public void testBulkLoad() throws Exception { 974 try { 975 FileSystem fs = TEST_UTIL.getTestFileSystem(); 976 final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); 977 fs.mkdirs(dir); 978 // need to make it globally writable 979 // so users creating HFiles have write permissions 980 fs.setPermission(dir, FS_PERMISSION_ALL); 981 982 AccessTestAction bulkLoadAction = new AccessTestAction() { 983 @Override 984 public Object run() throws Exception { 985 int numRows = 3; 986 987 // Making the assumption that the test table won't split between the range 988 byte[][][] hfileRanges = { { { (byte) 0 }, { (byte) 9 } } }; 989 990 Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); 991 new BulkLoadHelper(bulkLoadBasePath).initHFileData(TEST_FAMILY, TEST_QUALIFIER, 992 hfileRanges, numRows, FS_PERMISSION_ALL).bulkLoadHFile(TEST_TABLE); 993 return null; 994 } 995 }; 996 997 // User performing bulk loads must have privilege to read table metadata 998 // (ADMIN or CREATE) 999 verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, 1000 USER_GROUP_CREATE, USER_GROUP_ADMIN); 1001 verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE); 1002 } finally { 1003 // Reinit after the bulk upload 1004 TEST_UTIL.getAdmin().disableTable(TEST_TABLE); 1005 TEST_UTIL.getAdmin().enableTable(TEST_TABLE); 1006 } 1007 } 1008 1009 private class BulkLoadAccessTestAction implements AccessTestAction { 1010 private FsPermission filePermission; 1011 private Path testDataDir; 1012 1013 public BulkLoadAccessTestAction(FsPermission perm, Path testDataDir) { 1014 this.filePermission = perm; 1015 this.testDataDir = testDataDir; 1016 } 1017 1018 @Override 1019 public Object run() throws Exception { 1020 FileSystem fs = TEST_UTIL.getTestFileSystem(); 1021 fs.mkdirs(testDataDir); 1022 fs.setPermission(testDataDir, FS_PERMISSION_ALL); 1023 // Making the assumption that the test table won't split between the range 1024 byte[][][] hfileRanges = { { { (byte) 0 }, { (byte) 9 } } }; 1025 Path bulkLoadBasePath = new Path(testDataDir, new Path(User.getCurrent().getName())); 1026 new BulkLoadHelper(bulkLoadBasePath) 1027 .initHFileData(TEST_FAMILY, TEST_QUALIFIER, hfileRanges, 3, filePermission) 1028 .bulkLoadHFile(TEST_TABLE); 1029 return null; 1030 } 1031 } 1032 1033 @Test 1034 public void testBulkLoadWithoutWritePermission() throws Exception { 1035 // Use the USER_CREATE to initialize the source directory. 1036 Path testDataDir0 = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoadWithoutWritePermission0"); 1037 Path testDataDir1 = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoadWithoutWritePermission1"); 1038 AccessTestAction bulkLoadAction1 = 1039 new BulkLoadAccessTestAction(FsPermission.valueOf("-r-xr-xr-x"), testDataDir0); 1040 AccessTestAction bulkLoadAction2 = 1041 new BulkLoadAccessTestAction(FS_PERMISSION_ALL, testDataDir1); 1042 // Test the incorrect case. 1043 BulkLoadHelper.setPermission(TEST_UTIL.getTestFileSystem(), 1044 TEST_UTIL.getTestFileSystem().getWorkingDirectory(), FS_PERMISSION_ALL); 1045 try { 1046 USER_CREATE.runAs(bulkLoadAction1); 1047 fail("Should fail because the hbase user has no write permission on hfiles."); 1048 } catch (IOException e) { 1049 } 1050 // Ensure the correct case. 1051 USER_CREATE.runAs(bulkLoadAction2); 1052 } 1053 1054 public static class BulkLoadHelper { 1055 private final FileSystem fs; 1056 private final Path loadPath; 1057 private final Configuration conf; 1058 1059 public BulkLoadHelper(Path loadPath) throws IOException { 1060 fs = TEST_UTIL.getTestFileSystem(); 1061 conf = TEST_UTIL.getConfiguration(); 1062 loadPath = loadPath.makeQualified(fs); 1063 this.loadPath = loadPath; 1064 } 1065 1066 private void createHFile(Path path, 1067 byte[] family, byte[] qualifier, 1068 byte[] startKey, byte[] endKey, int numRows) throws IOException { 1069 HFile.Writer writer = null; 1070 long now = System.currentTimeMillis(); 1071 try { 1072 HFileContext context = new HFileContextBuilder().build(); 1073 writer = HFile.getWriterFactory(conf, new CacheConfig(conf)).withPath(fs, path) 1074 .withFileContext(context).create(); 1075 // subtract 2 since numRows doesn't include boundary keys 1076 for (byte[] key : Bytes.iterateOnSplits(startKey, endKey, true, numRows - 2)) { 1077 KeyValue kv = new KeyValue(key, family, qualifier, now, key); 1078 writer.append(kv); 1079 } 1080 } finally { 1081 if (writer != null) { 1082 writer.close(); 1083 } 1084 } 1085 } 1086 1087 private BulkLoadHelper initHFileData(byte[] family, byte[] qualifier, byte[][][] hfileRanges, 1088 int numRowsPerRange, FsPermission filePermission) throws Exception { 1089 Path familyDir = new Path(loadPath, Bytes.toString(family)); 1090 fs.mkdirs(familyDir); 1091 int hfileIdx = 0; 1092 List<Path> hfiles = new ArrayList<>(); 1093 for (byte[][] range : hfileRanges) { 1094 byte[] from = range[0]; 1095 byte[] to = range[1]; 1096 Path hfile = new Path(familyDir, "hfile_" + (hfileIdx++)); 1097 hfiles.add(hfile); 1098 createHFile(hfile, family, qualifier, from, to, numRowsPerRange); 1099 } 1100 // set global read so RegionServer can move it 1101 setPermission(fs, loadPath, FS_PERMISSION_ALL); 1102 // Ensure the file permission as requested. 1103 for (Path hfile : hfiles) { 1104 setPermission(fs, hfile, filePermission); 1105 } 1106 return this; 1107 } 1108 1109 private void bulkLoadHFile(TableName tableName) throws Exception { 1110 try (Connection conn = ConnectionFactory.createConnection(conf); 1111 Admin admin = conn.getAdmin(); 1112 RegionLocator locator = conn.getRegionLocator(tableName); 1113 Table table = conn.getTable(tableName)) { 1114 TEST_UTIL.waitUntilAllRegionsAssigned(tableName); 1115 LoadIncrementalHFiles loader = new LoadIncrementalHFiles(conf); 1116 loader.doBulkLoad(loadPath, admin, table, locator); 1117 } 1118 } 1119 1120 private static void setPermission(FileSystem fs, Path dir, FsPermission perm) 1121 throws IOException { 1122 if (!fs.getFileStatus(dir).isDirectory()) { 1123 fs.setPermission(dir, perm); 1124 } else { 1125 for (FileStatus el : fs.listStatus(dir)) { 1126 fs.setPermission(el.getPath(), perm); 1127 setPermission(fs, el.getPath(), perm); 1128 } 1129 } 1130 } 1131 } 1132 1133 @Test 1134 public void testAppend() throws Exception { 1135 1136 AccessTestAction appendAction = new AccessTestAction() { 1137 @Override 1138 public Object run() throws Exception { 1139 byte[] row = TEST_ROW; 1140 byte[] qualifier = TEST_QUALIFIER; 1141 Put put = new Put(row); 1142 put.addColumn(TEST_FAMILY, qualifier, Bytes.toBytes(1)); 1143 Append append = new Append(row); 1144 append.addColumn(TEST_FAMILY, qualifier, Bytes.toBytes(2)); 1145 try(Connection conn = ConnectionFactory.createConnection(conf); 1146 Table t = conn.getTable(TEST_TABLE)) { 1147 t.put(put); 1148 t.append(append); 1149 } 1150 return null; 1151 } 1152 }; 1153 1154 verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, 1155 USER_GROUP_WRITE); 1156 verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ, 1157 USER_GROUP_ADMIN); 1158 } 1159 1160 @Test 1161 public void testGrantRevoke() throws Exception { 1162 AccessTestAction grantAction = new AccessTestAction() { 1163 @Override 1164 public Object run() throws Exception { 1165 try (Connection conn = ConnectionFactory.createConnection(conf)) { 1166 conn.getAdmin().grant(new UserPermission(USER_RO.getShortName(), Permission 1167 .newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build()), 1168 false); 1169 } 1170 return null; 1171 } 1172 }; 1173 1174 AccessTestAction revokeAction = new AccessTestAction() { 1175 @Override 1176 public Object run() throws Exception { 1177 try (Connection conn = ConnectionFactory.createConnection(conf)) { 1178 conn.getAdmin().revoke(new UserPermission(USER_RO.getShortName(), Permission 1179 .newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withActions(Action.READ).build())); 1180 } 1181 return null; 1182 } 1183 }; 1184 1185 AccessTestAction getTablePermissionsAction = new AccessTestAction() { 1186 @Override 1187 public Object run() throws Exception { 1188 try (Connection conn = ConnectionFactory.createConnection(conf)) { 1189 conn.getAdmin() 1190 .getUserPermissions(GetUserPermissionsRequest.newBuilder(TEST_TABLE).build()); 1191 } 1192 return null; 1193 } 1194 }; 1195 1196 AccessTestAction getGlobalPermissionsAction = new AccessTestAction() { 1197 @Override 1198 public Object run() throws Exception { 1199 try (Connection conn = ConnectionFactory.createConnection(conf)) { 1200 conn.getAdmin().getUserPermissions(GetUserPermissionsRequest.newBuilder().build()); 1201 } 1202 return null; 1203 } 1204 }; 1205 1206 AccessTestAction preGrantAction = new AccessTestAction() { 1207 @Override 1208 public Object run() throws Exception { 1209 ACCESS_CONTROLLER.preGrant(ObserverContextImpl.createAndPrepare(CP_ENV), 1210 new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE) 1211 .withFamily(TEST_FAMILY).withActions(Action.READ).build()), 1212 false); 1213 return null; 1214 } 1215 }; 1216 1217 AccessTestAction preRevokeAction = new AccessTestAction() { 1218 @Override 1219 public Object run() throws Exception { 1220 ACCESS_CONTROLLER.preRevoke(ObserverContextImpl.createAndPrepare(CP_ENV), 1221 new UserPermission(USER_RO.getShortName(), Permission.newBuilder(TEST_TABLE) 1222 .withFamily(TEST_FAMILY).withActions(Action.READ).build())); 1223 return null; 1224 } 1225 }; 1226 1227 AccessTestAction grantCPAction = new AccessTestAction() { 1228 @Override 1229 public Object run() throws Exception { 1230 try (Connection conn = ConnectionFactory.createConnection(conf); 1231 Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) { 1232 BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); 1233 AccessControlService.BlockingInterface protocol = 1234 AccessControlService.newBlockingStub(service); 1235 AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, 1236 null, false, Action.READ); 1237 } 1238 return null; 1239 } 1240 }; 1241 1242 AccessTestAction revokeCPAction = new AccessTestAction() { 1243 @Override 1244 public Object run() throws Exception { 1245 try (Connection conn = ConnectionFactory.createConnection(conf); 1246 Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) { 1247 BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); 1248 AccessControlService.BlockingInterface protocol = 1249 AccessControlService.newBlockingStub(service); 1250 AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, 1251 null, Action.READ); 1252 } 1253 return null; 1254 } 1255 }; 1256 1257 verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1258 verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1259 USER_GROUP_WRITE, USER_GROUP_CREATE); 1260 try { 1261 verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1262 verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1263 USER_GROUP_WRITE, USER_GROUP_CREATE); 1264 1265 verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1266 verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, 1267 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 1268 1269 verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 1270 verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, 1271 USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 1272 1273 verifyAllowed(preGrantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1274 verifyDenied(preGrantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1275 USER_GROUP_WRITE, USER_GROUP_CREATE); 1276 1277 verifyAllowed(preRevokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1278 verifyDenied(preRevokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1279 USER_GROUP_WRITE, USER_GROUP_CREATE); 1280 1281 verifyAllowed(grantCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1282 verifyDenied(grantCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1283 USER_GROUP_WRITE, USER_GROUP_CREATE); 1284 1285 verifyAllowed(revokeCPAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 1286 verifyDenied(revokeCPAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1287 USER_GROUP_WRITE, USER_GROUP_CREATE); 1288 } finally { 1289 // Cleanup, Grant the revoked permission back to the user 1290 grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, 1291 Permission.Action.READ); 1292 } 1293 } 1294 1295 @Test 1296 public void testPostGrantRevoke() throws Exception { 1297 final TableName tableName = 1298 TableName.valueOf("TempTable"); 1299 final byte[] family1 = Bytes.toBytes("f1"); 1300 final byte[] family2 = Bytes.toBytes("f2"); 1301 final byte[] qualifier = Bytes.toBytes("q"); 1302 1303 // create table 1304 Admin admin = TEST_UTIL.getAdmin(); 1305 if (admin.tableExists(tableName)) { 1306 deleteTable(TEST_UTIL, tableName); 1307 } 1308 HTableDescriptor htd = new HTableDescriptor(tableName); 1309 htd.addFamily(new HColumnDescriptor(family1)); 1310 htd.addFamily(new HColumnDescriptor(family2)); 1311 createTable(TEST_UTIL, htd); 1312 try { 1313 // create temp users 1314 User tblUser = 1315 User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); 1316 User gblUser = 1317 User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); 1318 1319 // prepare actions: 1320 AccessTestAction putActionAll = new AccessTestAction() { 1321 @Override 1322 public Object run() throws Exception { 1323 Put p = new Put(Bytes.toBytes("a")); 1324 p.addColumn(family1, qualifier, Bytes.toBytes("v1")); 1325 p.addColumn(family2, qualifier, Bytes.toBytes("v2")); 1326 1327 try (Connection conn = ConnectionFactory.createConnection(conf); 1328 Table t = conn.getTable(tableName);) { 1329 t.put(p); 1330 } 1331 return null; 1332 } 1333 }; 1334 1335 AccessTestAction putAction1 = new AccessTestAction() { 1336 @Override 1337 public Object run() throws Exception { 1338 Put p = new Put(Bytes.toBytes("a")); 1339 p.addColumn(family1, qualifier, Bytes.toBytes("v1")); 1340 1341 try (Connection conn = ConnectionFactory.createConnection(conf); 1342 Table t = conn.getTable(tableName)) { 1343 t.put(p); 1344 } 1345 return null; 1346 } 1347 }; 1348 1349 AccessTestAction putAction2 = new AccessTestAction() { 1350 @Override 1351 public Object run() throws Exception { 1352 Put p = new Put(Bytes.toBytes("a")); 1353 p.addColumn(family2, qualifier, Bytes.toBytes("v2")); 1354 try (Connection conn = ConnectionFactory.createConnection(conf); 1355 Table t = conn.getTable(tableName);) { 1356 t.put(p); 1357 } 1358 return null; 1359 } 1360 }; 1361 1362 AccessTestAction getActionAll = new AccessTestAction() { 1363 @Override 1364 public Object run() throws Exception { 1365 Get g = new Get(TEST_ROW); 1366 g.addFamily(family1); 1367 g.addFamily(family2); 1368 try (Connection conn = ConnectionFactory.createConnection(conf); 1369 Table t = conn.getTable(tableName);) { 1370 t.get(g); 1371 } 1372 return null; 1373 } 1374 }; 1375 1376 AccessTestAction getAction1 = new AccessTestAction() { 1377 @Override 1378 public Object run() throws Exception { 1379 Get g = new Get(TEST_ROW); 1380 g.addFamily(family1); 1381 try (Connection conn = ConnectionFactory.createConnection(conf); 1382 Table t = conn.getTable(tableName)) { 1383 t.get(g); 1384 } 1385 return null; 1386 } 1387 }; 1388 1389 AccessTestAction getAction2 = new AccessTestAction() { 1390 @Override 1391 public Object run() throws Exception { 1392 Get g = new Get(TEST_ROW); 1393 g.addFamily(family2); 1394 try (Connection conn = ConnectionFactory.createConnection(conf); 1395 Table t = conn.getTable(tableName)) { 1396 t.get(g); 1397 } 1398 return null; 1399 } 1400 }; 1401 1402 AccessTestAction deleteActionAll = new AccessTestAction() { 1403 @Override 1404 public Object run() throws Exception { 1405 Delete d = new Delete(TEST_ROW); 1406 d.addFamily(family1); 1407 d.addFamily(family2); 1408 try (Connection conn = ConnectionFactory.createConnection(conf); 1409 Table t = conn.getTable(tableName)) { 1410 t.delete(d); 1411 } 1412 return null; 1413 } 1414 }; 1415 1416 AccessTestAction deleteAction1 = new AccessTestAction() { 1417 @Override 1418 public Object run() throws Exception { 1419 Delete d = new Delete(TEST_ROW); 1420 d.addFamily(family1); 1421 try (Connection conn = ConnectionFactory.createConnection(conf); 1422 Table t = conn.getTable(tableName)) { 1423 t.delete(d); 1424 } 1425 return null; 1426 } 1427 }; 1428 1429 AccessTestAction deleteAction2 = new AccessTestAction() { 1430 @Override 1431 public Object run() throws Exception { 1432 Delete d = new Delete(TEST_ROW); 1433 d.addFamily(family2); 1434 try (Connection conn = ConnectionFactory.createConnection(conf); 1435 Table t = conn.getTable(tableName)) { 1436 t.delete(d); 1437 } 1438 return null; 1439 } 1440 }; 1441 1442 // initial check: 1443 verifyDenied(tblUser, getActionAll, getAction1, getAction2); 1444 verifyDenied(tblUser, putActionAll, putAction1, putAction2); 1445 verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); 1446 1447 verifyDenied(gblUser, getActionAll, getAction1, getAction2); 1448 verifyDenied(gblUser, putActionAll, putAction1, putAction2); 1449 verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1450 1451 // grant table read permission 1452 grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); 1453 grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ); 1454 1455 // check 1456 verifyAllowed(tblUser, getActionAll, getAction1, getAction2); 1457 verifyDenied(tblUser, putActionAll, putAction1, putAction2); 1458 verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); 1459 1460 verifyAllowed(gblUser, getActionAll, getAction1, getAction2); 1461 verifyDenied(gblUser, putActionAll, putAction1, putAction2); 1462 verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1463 1464 // grant table write permission while revoking read permissions 1465 grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); 1466 grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, 1467 Permission.Action.WRITE); 1468 1469 verifyDenied(tblUser, getActionAll, getAction1, getAction2); 1470 verifyAllowed(tblUser, putActionAll, putAction1, putAction2); 1471 verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); 1472 1473 verifyDenied(gblUser, getActionAll, getAction1, getAction2); 1474 verifyAllowed(gblUser, putActionAll, putAction1, putAction2); 1475 verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1476 1477 // revoke table permissions 1478 revokeGlobal(TEST_UTIL, gblUser.getShortName()); 1479 revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null); 1480 1481 verifyDenied(tblUser, getActionAll, getAction1, getAction2); 1482 verifyDenied(tblUser, putActionAll, putAction1, putAction2); 1483 verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); 1484 1485 verifyDenied(gblUser, getActionAll, getAction1, getAction2); 1486 verifyDenied(gblUser, putActionAll, putAction1, putAction2); 1487 verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1488 1489 // grant column family read permission 1490 grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); 1491 grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family1, null, 1492 Permission.Action.READ); 1493 1494 // Access should be denied for family2 1495 verifyAllowed(tblUser, getActionAll, getAction1); 1496 verifyDenied(tblUser, getAction2); 1497 verifyDenied(tblUser, putActionAll, putAction1, putAction2); 1498 verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); 1499 1500 verifyAllowed(gblUser, getActionAll, getAction1, getAction2); 1501 verifyDenied(gblUser, putActionAll, putAction1, putAction2); 1502 verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1503 1504 // grant column family write permission 1505 grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); 1506 grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null, 1507 Permission.Action.WRITE); 1508 1509 // READ from family1, WRITE to family2 are allowed 1510 verifyAllowed(tblUser, getActionAll, getAction1); 1511 verifyAllowed(tblUser, putAction2, deleteAction2); 1512 verifyDenied(tblUser, getAction2); 1513 verifyDenied(tblUser, putActionAll, putAction1); 1514 verifyDenied(tblUser, deleteActionAll, deleteAction1); 1515 1516 verifyDenied(gblUser, getActionAll, getAction1, getAction2); 1517 verifyAllowed(gblUser, putActionAll, putAction1, putAction2); 1518 verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1519 1520 // revoke column family permission 1521 revokeGlobal(TEST_UTIL, gblUser.getShortName()); 1522 revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); 1523 1524 // Revoke on family2 should not have impact on family1 permissions 1525 verifyAllowed(tblUser, getActionAll, getAction1); 1526 verifyDenied(tblUser, getAction2); 1527 verifyDenied(tblUser, putActionAll, putAction1, putAction2); 1528 verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); 1529 1530 // Should not have access as global permissions are completely revoked 1531 verifyDenied(gblUser, getActionAll, getAction1, getAction2); 1532 verifyDenied(gblUser, putActionAll, putAction1, putAction2); 1533 verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); 1534 } finally { 1535 // delete table 1536 deleteTable(TEST_UTIL, tableName); 1537 } 1538 } 1539 1540 private boolean hasFoundUserPermission(List<UserPermission> userPermissions, 1541 List<UserPermission> perms) { 1542 return perms.containsAll(userPermissions); 1543 } 1544 1545 private boolean hasFoundUserPermission(UserPermission userPermission, List<UserPermission> perms) { 1546 return perms.contains(userPermission); 1547 } 1548 1549 @Test 1550 public void testPostGrantRevokeAtQualifierLevel() throws Exception { 1551 final TableName tableName = TableName.valueOf(name.getMethodName()); 1552 final byte[] family1 = Bytes.toBytes("f1"); 1553 final byte[] family2 = Bytes.toBytes("f2"); 1554 final byte[] qualifier = Bytes.toBytes("q"); 1555 1556 // create table 1557 Admin admin = TEST_UTIL.getAdmin(); 1558 if (admin.tableExists(tableName)) { 1559 deleteTable(TEST_UTIL, tableName); 1560 } 1561 HTableDescriptor htd = new HTableDescriptor(tableName); 1562 htd.addFamily(new HColumnDescriptor(family1)); 1563 htd.addFamily(new HColumnDescriptor(family2)); 1564 createTable(TEST_UTIL, htd); 1565 1566 try { 1567 // create temp users 1568 User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); 1569 1570 AccessTestAction getQualifierAction = new AccessTestAction() { 1571 @Override 1572 public Object run() throws Exception { 1573 Get g = new Get(TEST_ROW); 1574 g.addColumn(family1, qualifier); 1575 try (Connection conn = ConnectionFactory.createConnection(conf); 1576 Table t = conn.getTable(tableName)) { 1577 t.get(g); 1578 } 1579 return null; 1580 } 1581 }; 1582 1583 AccessTestAction putQualifierAction = new AccessTestAction() { 1584 @Override 1585 public Object run() throws Exception { 1586 Put p = new Put(TEST_ROW); 1587 p.addColumn(family1, qualifier, Bytes.toBytes("v1")); 1588 try (Connection conn = ConnectionFactory.createConnection(conf); 1589 Table t = conn.getTable(tableName)) { 1590 t.put(p); 1591 } 1592 return null; 1593 } 1594 }; 1595 1596 AccessTestAction deleteQualifierAction = new AccessTestAction() { 1597 @Override 1598 public Object run() throws Exception { 1599 Delete d = new Delete(TEST_ROW); 1600 d.addColumn(family1, qualifier); 1601 // d.deleteFamily(family1); 1602 try (Connection conn = ConnectionFactory.createConnection(conf); 1603 Table t = conn.getTable(tableName)) { 1604 t.delete(d); 1605 } 1606 return null; 1607 } 1608 }; 1609 1610 revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); 1611 1612 verifyDenied(user, getQualifierAction); 1613 verifyDenied(user, putQualifierAction); 1614 verifyDenied(user, deleteQualifierAction); 1615 1616 grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, 1617 Permission.Action.READ); 1618 1619 verifyAllowed(user, getQualifierAction); 1620 verifyDenied(user, putQualifierAction); 1621 verifyDenied(user, deleteQualifierAction); 1622 1623 // only grant write permission 1624 // TODO: comment this portion after HBASE-3583 1625 grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, 1626 Permission.Action.WRITE); 1627 1628 verifyDenied(user, getQualifierAction); 1629 verifyAllowed(user, putQualifierAction); 1630 verifyAllowed(user, deleteQualifierAction); 1631 1632 // grant both read and write permission 1633 grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, 1634 Permission.Action.READ, Permission.Action.WRITE); 1635 1636 verifyAllowed(user, getQualifierAction); 1637 verifyAllowed(user, putQualifierAction); 1638 verifyAllowed(user, deleteQualifierAction); 1639 1640 // revoke family level permission won't impact column level 1641 revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier); 1642 1643 verifyDenied(user, getQualifierAction); 1644 verifyDenied(user, putQualifierAction); 1645 verifyDenied(user, deleteQualifierAction); 1646 } finally { 1647 // delete table 1648 deleteTable(TEST_UTIL, tableName); 1649 } 1650 } 1651 1652 @Test 1653 public void testPermissionList() throws Exception { 1654 final TableName tableName = TableName.valueOf(name.getMethodName()); 1655 final byte[] family1 = Bytes.toBytes("f1"); 1656 final byte[] family2 = Bytes.toBytes("f2"); 1657 final byte[] qualifier = Bytes.toBytes("q"); 1658 1659 // create table 1660 Admin admin = TEST_UTIL.getAdmin(); 1661 if (admin.tableExists(tableName)) { 1662 deleteTable(TEST_UTIL, tableName); 1663 } 1664 HTableDescriptor htd = new HTableDescriptor(tableName); 1665 htd.addFamily(new HColumnDescriptor(family1)); 1666 htd.addFamily(new HColumnDescriptor(family2)); 1667 htd.setOwner(USER_OWNER); 1668 createTable(TEST_UTIL, htd); 1669 try { 1670 List<UserPermission> perms = 1671 admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); 1672 UserPermission ownerperm = new UserPermission(USER_OWNER.getName(), 1673 Permission.newBuilder(tableName).withActions(Action.values()).build()); 1674 assertTrue("Owner should have all permissions on table", 1675 hasFoundUserPermission(ownerperm, perms)); 1676 1677 User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); 1678 String userName = user.getShortName(); 1679 1680 UserPermission up = 1681 new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1) 1682 .withQualifier(qualifier).withActions(Permission.Action.READ).build()); 1683 assertFalse("User should not be granted permission: " + up.toString(), 1684 hasFoundUserPermission(up, perms)); 1685 1686 // grant read permission 1687 grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, 1688 Permission.Action.READ); 1689 1690 perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); 1691 UserPermission upToVerify = 1692 new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1) 1693 .withQualifier(qualifier).withActions(Permission.Action.READ).build()); 1694 assertTrue("User should be granted permission: " + upToVerify.toString(), 1695 hasFoundUserPermission(upToVerify, perms)); 1696 1697 upToVerify = new UserPermission(userName, Permission.newBuilder(tableName).withFamily(family1) 1698 .withQualifier(qualifier).withActions(Permission.Action.WRITE).build()); 1699 assertFalse("User should not be granted permission: " + upToVerify.toString(), 1700 hasFoundUserPermission(upToVerify, perms)); 1701 1702 // grant read+write 1703 grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, 1704 Permission.Action.WRITE, Permission.Action.READ); 1705 1706 perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); 1707 upToVerify = new UserPermission(userName, 1708 Permission.newBuilder(tableName).withFamily(family1).withQualifier(qualifier) 1709 .withActions(Permission.Action.WRITE, Permission.Action.READ).build()); 1710 assertTrue("User should be granted permission: " + upToVerify.toString(), 1711 hasFoundUserPermission(upToVerify, perms)); 1712 1713 // revoke 1714 revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, 1715 Permission.Action.WRITE, Permission.Action.READ); 1716 1717 perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); 1718 assertFalse("User should not be granted permission: " + upToVerify.toString(), 1719 hasFoundUserPermission(upToVerify, perms)); 1720 1721 // disable table before modification 1722 admin.disableTable(tableName); 1723 1724 User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); 1725 htd.setOwner(newOwner); 1726 admin.modifyTable(tableName, htd); 1727 1728 perms = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()); 1729 UserPermission newOwnerperm = new UserPermission(newOwner.getName(), 1730 Permission.newBuilder(tableName).withActions(Action.values()).build()); 1731 assertTrue("New owner should have all permissions on table", 1732 hasFoundUserPermission(newOwnerperm, perms)); 1733 } finally { 1734 // delete table 1735 deleteTable(TEST_UTIL, tableName); 1736 } 1737 } 1738 1739 @Test 1740 public void testGlobalPermissionList() throws Exception { 1741 List<UserPermission> perms = systemUserConnection.getAdmin() 1742 .getUserPermissions(GetUserPermissionsRequest.newBuilder().build()); 1743 1744 Collection<String> superUsers = Superusers.getSuperUsers(); 1745 List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1); 1746 adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Permission.newBuilder() 1747 .withActions(Action.ADMIN, Action.CREATE, Action.READ, Action.WRITE).build())); 1748 for (String user : superUsers) { 1749 // Global permission 1750 adminPerms.add( 1751 new UserPermission(user, Permission.newBuilder().withActions(Action.values()).build())); 1752 } 1753 assertTrue("Only super users, global users and user admin has permission on table hbase:acl " + 1754 "per setup", perms.size() == 5 + superUsers.size() && 1755 hasFoundUserPermission(adminPerms, perms)); 1756 } 1757 1758 /** global operations */ 1759 private void verifyGlobal(AccessTestAction action) throws Exception { 1760 verifyAllowed(action, SUPERUSER); 1761 1762 verifyDenied(action, USER_CREATE, USER_RW, USER_NONE, USER_RO); 1763 } 1764 1765 @Test 1766 public void testCheckPermissions() throws Exception { 1767 // -------------------------------------- 1768 // test global permissions 1769 AccessTestAction globalAdmin = new AccessTestAction() { 1770 @Override 1771 public Void run() throws Exception { 1772 checkGlobalPerms(TEST_UTIL, Permission.Action.ADMIN); 1773 return null; 1774 } 1775 }; 1776 // verify that only superuser can admin 1777 verifyGlobal(globalAdmin); 1778 1779 // -------------------------------------- 1780 // test multiple permissions 1781 AccessTestAction globalReadWrite = new AccessTestAction() { 1782 @Override 1783 public Void run() throws Exception { 1784 checkGlobalPerms(TEST_UTIL, Permission.Action.READ, Permission.Action.WRITE); 1785 return null; 1786 } 1787 }; 1788 1789 verifyGlobal(globalReadWrite); 1790 1791 // -------------------------------------- 1792 // table/column/qualifier level permissions 1793 final byte[] TEST_Q1 = Bytes.toBytes("q1"); 1794 final byte[] TEST_Q2 = Bytes.toBytes("q2"); 1795 1796 User userTable = User.createUserForTesting(conf, "user_check_perms_table", new String[0]); 1797 User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]); 1798 User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); 1799 1800 grantOnTable(TEST_UTIL, userTable.getShortName(), 1801 TEST_TABLE, null, null, 1802 Permission.Action.READ); 1803 grantOnTable(TEST_UTIL, userColumn.getShortName(), 1804 TEST_TABLE, TEST_FAMILY, null, 1805 Permission.Action.READ); 1806 grantOnTable(TEST_UTIL, userQualifier.getShortName(), 1807 TEST_TABLE, TEST_FAMILY, TEST_Q1, 1808 Permission.Action.READ); 1809 1810 try { 1811 AccessTestAction tableRead = new AccessTestAction() { 1812 @Override 1813 public Void run() throws Exception { 1814 checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ); 1815 return null; 1816 } 1817 }; 1818 1819 AccessTestAction columnRead = new AccessTestAction() { 1820 @Override 1821 public Void run() throws Exception { 1822 checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); 1823 return null; 1824 } 1825 }; 1826 1827 AccessTestAction qualifierRead = new AccessTestAction() { 1828 @Override 1829 public Void run() throws Exception { 1830 checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); 1831 return null; 1832 } 1833 }; 1834 1835 AccessTestAction multiQualifierRead = new AccessTestAction() { 1836 @Override 1837 public Void run() throws Exception { 1838 checkTablePerms(TEST_UTIL, 1839 new Permission[] { 1840 Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_Q1) 1841 .withActions(Permission.Action.READ).build(), 1842 Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY).withQualifier(TEST_Q2) 1843 .withActions(Permission.Action.READ).build(), }); 1844 return null; 1845 } 1846 }; 1847 1848 AccessTestAction globalAndTableRead = new AccessTestAction() { 1849 @Override 1850 public Void run() throws Exception { 1851 checkTablePerms(TEST_UTIL, new Permission[] { new Permission(Permission.Action.READ), 1852 Permission.newBuilder(TEST_TABLE).withActions(Permission.Action.READ).build() }); 1853 return null; 1854 } 1855 }; 1856 1857 AccessTestAction noCheck = new AccessTestAction() { 1858 @Override 1859 public Void run() throws Exception { 1860 checkTablePerms(TEST_UTIL, new Permission[0]); 1861 return null; 1862 } 1863 }; 1864 1865 verifyAllowed(tableRead, SUPERUSER, userTable); 1866 verifyDenied(tableRead, userColumn, userQualifier); 1867 1868 verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); 1869 verifyDenied(columnRead, userQualifier); 1870 1871 verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); 1872 1873 verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); 1874 verifyDenied(multiQualifierRead, userQualifier); 1875 1876 verifyAllowed(globalAndTableRead, SUPERUSER); 1877 verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); 1878 1879 verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); 1880 1881 // -------------------------------------- 1882 // test family level multiple permissions 1883 AccessTestAction familyReadWrite = new AccessTestAction() { 1884 @Override 1885 public Void run() throws Exception { 1886 checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, 1887 Permission.Action.WRITE); 1888 return null; 1889 } 1890 }; 1891 1892 verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); 1893 verifyDenied(familyReadWrite, USER_NONE, USER_RO); 1894 1895 // -------------------------------------- 1896 // check for wrong table region 1897 CheckPermissionsRequest checkRequest = 1898 CheckPermissionsRequest 1899 .newBuilder() 1900 .addPermission( 1901 AccessControlProtos.Permission 1902 .newBuilder() 1903 .setType(AccessControlProtos.Permission.Type.Table) 1904 .setTablePermission( 1905 AccessControlProtos.TablePermission.newBuilder() 1906 .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE)) 1907 .addAction(AccessControlProtos.Permission.Action.CREATE))).build(); 1908 Table acl = systemUserConnection.getTable(PermissionStorage.ACL_TABLE_NAME); 1909 try { 1910 BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); 1911 AccessControlService.BlockingInterface protocol = 1912 AccessControlService.newBlockingStub(channel); 1913 try { 1914 // but ask for TablePermissions for TEST_TABLE 1915 protocol.checkPermissions(null, checkRequest); 1916 fail("this should have thrown CoprocessorException"); 1917 } catch (ServiceException ex) { 1918 // expected 1919 } 1920 } finally { 1921 acl.close(); 1922 } 1923 1924 } finally { 1925 revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, 1926 Permission.Action.READ); 1927 revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, 1928 Permission.Action.READ); 1929 revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, 1930 Permission.Action.READ); 1931 } 1932 } 1933 1934 @Test 1935 public void testStopRegionServer() throws Exception { 1936 AccessTestAction action = new AccessTestAction() { 1937 @Override 1938 public Object run() throws Exception { 1939 ACCESS_CONTROLLER.preStopRegionServer(ObserverContextImpl.createAndPrepare(RSCP_ENV)); 1940 return null; 1941 } 1942 }; 1943 1944 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 1945 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1946 USER_GROUP_WRITE, USER_GROUP_CREATE); 1947 } 1948 1949 @Test 1950 public void testRollWALWriterRequest() throws Exception { 1951 AccessTestAction action = new AccessTestAction() { 1952 @Override 1953 public Object run() throws Exception { 1954 ACCESS_CONTROLLER.preRollWALWriterRequest(ObserverContextImpl.createAndPrepare(RSCP_ENV)); 1955 return null; 1956 } 1957 }; 1958 1959 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 1960 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 1961 USER_GROUP_WRITE, USER_GROUP_CREATE); 1962 } 1963 1964 @Test 1965 public void testOpenRegion() throws Exception { 1966 AccessTestAction action = new AccessTestAction() { 1967 @Override 1968 public Object run() throws Exception { 1969 ACCESS_CONTROLLER.preOpen(ObserverContextImpl.createAndPrepare(RCP_ENV)); 1970 return null; 1971 } 1972 }; 1973 1974 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 1975 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, 1976 USER_GROUP_READ, USER_GROUP_WRITE); 1977 } 1978 1979 @Test 1980 public void testCloseRegion() throws Exception { 1981 AccessTestAction action = new AccessTestAction() { 1982 @Override 1983 public Object run() throws Exception { 1984 ACCESS_CONTROLLER.preClose(ObserverContextImpl.createAndPrepare(RCP_ENV), false); 1985 return null; 1986 } 1987 }; 1988 1989 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 1990 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, 1991 USER_GROUP_READ, USER_GROUP_WRITE); 1992 } 1993 1994 @Test 1995 public void testSnapshot() throws Exception { 1996 Admin admin = TEST_UTIL.getAdmin(); 1997 final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE); 1998 final SnapshotDescription snapshot = new SnapshotDescription( 1999 TEST_TABLE.getNameAsString() + "-snapshot", TEST_TABLE); 2000 AccessTestAction snapshotAction = new AccessTestAction() { 2001 @Override 2002 public Object run() throws Exception { 2003 ACCESS_CONTROLLER.preSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2004 snapshot, htd); 2005 return null; 2006 } 2007 }; 2008 2009 AccessTestAction deleteAction = new AccessTestAction() { 2010 @Override 2011 public Object run() throws Exception { 2012 ACCESS_CONTROLLER.preDeleteSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2013 snapshot); 2014 return null; 2015 } 2016 }; 2017 2018 AccessTestAction restoreAction = new AccessTestAction() { 2019 @Override 2020 public Object run() throws Exception { 2021 ACCESS_CONTROLLER.preRestoreSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2022 snapshot, htd); 2023 return null; 2024 } 2025 }; 2026 2027 AccessTestAction cloneAction = new AccessTestAction() { 2028 @Override 2029 public Object run() throws Exception { 2030 ACCESS_CONTROLLER.preCloneSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2031 snapshot, null); 2032 return null; 2033 } 2034 }; 2035 2036 verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 2037 verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2038 USER_GROUP_WRITE, USER_GROUP_CREATE); 2039 2040 verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2041 verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2042 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2043 2044 verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2045 verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2046 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2047 2048 verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2049 verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2050 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2051 } 2052 2053 @Test 2054 public void testSnapshotWithOwner() throws Exception { 2055 Admin admin = TEST_UTIL.getAdmin(); 2056 final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE); 2057 final SnapshotDescription snapshot = new SnapshotDescription( 2058 TEST_TABLE.getNameAsString() + "-snapshot", TEST_TABLE, null, USER_OWNER.getName()); 2059 2060 AccessTestAction snapshotAction = new AccessTestAction() { 2061 @Override 2062 public Object run() throws Exception { 2063 ACCESS_CONTROLLER.preSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2064 snapshot, htd); 2065 return null; 2066 } 2067 }; 2068 verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 2069 verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2070 USER_GROUP_WRITE, USER_GROUP_CREATE); 2071 2072 AccessTestAction deleteAction = new AccessTestAction() { 2073 @Override 2074 public Object run() throws Exception { 2075 ACCESS_CONTROLLER.preDeleteSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2076 snapshot); 2077 return null; 2078 } 2079 }; 2080 verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 2081 verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2082 USER_GROUP_WRITE, USER_GROUP_CREATE); 2083 2084 AccessTestAction restoreAction = new AccessTestAction() { 2085 @Override 2086 public Object run() throws Exception { 2087 ACCESS_CONTROLLER.preRestoreSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2088 snapshot, htd); 2089 return null; 2090 } 2091 }; 2092 verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 2093 verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2094 USER_GROUP_WRITE, USER_GROUP_CREATE); 2095 2096 AccessTestAction cloneAction = new AccessTestAction() { 2097 @Override 2098 public Object run() throws Exception { 2099 ACCESS_CONTROLLER.preCloneSnapshot(ObserverContextImpl.createAndPrepare(CP_ENV), 2100 snapshot, htd); 2101 return null; 2102 } 2103 }; 2104 verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER); 2105 verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2106 USER_GROUP_WRITE, USER_GROUP_CREATE); 2107 } 2108 2109 @Test 2110 public void testGlobalAuthorizationForNewRegisteredRS() throws Exception { 2111 LOG.debug("Test for global authorization for a new registered RegionServer."); 2112 MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster(); 2113 2114 final Admin admin = TEST_UTIL.getAdmin(); 2115 HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2); 2116 htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); 2117 createTable(TEST_UTIL, htd); 2118 2119 // Starting a new RegionServer. 2120 JVMClusterUtil.RegionServerThread newRsThread = hbaseCluster 2121 .startRegionServer(); 2122 final HRegionServer newRs = newRsThread.getRegionServer(); 2123 2124 // Move region to the new RegionServer. 2125 List<HRegionLocation> regions; 2126 try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE2)) { 2127 regions = locator.getAllRegionLocations(); 2128 } 2129 HRegionLocation location = regions.get(0); 2130 final HRegionInfo hri = location.getRegionInfo(); 2131 final ServerName server = location.getServerName(); 2132 try (Table table = systemUserConnection.getTable(TEST_TABLE2)) { 2133 AccessTestAction moveAction = new AccessTestAction() { 2134 @Override 2135 public Object run() throws Exception { 2136 admin.move(hri.getEncodedNameAsBytes(), newRs.getServerName()); 2137 return null; 2138 } 2139 }; 2140 SUPERUSER.runAs(moveAction); 2141 2142 final int RETRIES_LIMIT = 10; 2143 int retries = 0; 2144 while (newRs.getRegions(TEST_TABLE2).size() < 1 && retries < RETRIES_LIMIT) { 2145 LOG.debug("Waiting for region to be opened. Already retried " + retries 2146 + " times."); 2147 try { 2148 Thread.sleep(1000); 2149 } catch (InterruptedException e) { 2150 } 2151 retries++; 2152 if (retries == RETRIES_LIMIT - 1) { 2153 fail("Retry exhaust for waiting region to be opened."); 2154 } 2155 } 2156 // Verify write permission for user "admin2" who has the global 2157 // permissions. 2158 AccessTestAction putAction = new AccessTestAction() { 2159 @Override 2160 public Object run() throws Exception { 2161 Put put = new Put(Bytes.toBytes("test")); 2162 put.addColumn(TEST_FAMILY, Bytes.toBytes("qual"), Bytes.toBytes("value")); 2163 table.put(put); 2164 return null; 2165 } 2166 }; 2167 USER_ADMIN.runAs(putAction); 2168 } 2169 } 2170 2171 @Test 2172 public void testTableDescriptorsEnumeration() throws Exception { 2173 User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]); 2174 2175 // Grant TABLE ADMIN privs 2176 grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, 2177 Permission.Action.ADMIN); 2178 try { 2179 AccessTestAction listTablesAction = new AccessTestAction() { 2180 @Override 2181 public Object run() throws Exception { 2182 try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); 2183 Admin admin = conn.getAdmin()) { 2184 return Arrays.asList(admin.listTables()); 2185 } 2186 } 2187 }; 2188 2189 AccessTestAction getTableDescAction = new AccessTestAction() { 2190 @Override 2191 public Object run() throws Exception { 2192 try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); 2193 Admin admin = conn.getAdmin();) { 2194 return admin.getTableDescriptor(TEST_TABLE); 2195 } 2196 } 2197 }; 2198 2199 verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN, 2200 USER_GROUP_CREATE, USER_GROUP_ADMIN); 2201 verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2202 USER_GROUP_WRITE); 2203 2204 verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, 2205 TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN); 2206 verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2207 USER_GROUP_WRITE); 2208 } finally { 2209 // Cleanup, revoke TABLE ADMIN privs 2210 revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, 2211 Permission.Action.ADMIN); 2212 } 2213 } 2214 2215 @Test 2216 public void testTableNameEnumeration() throws Exception { 2217 AccessTestAction listTablesAction = new AccessTestAction() { 2218 @Override 2219 public Object run() throws Exception { 2220 Connection unmanagedConnection = 2221 ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); 2222 Admin admin = unmanagedConnection.getAdmin(); 2223 try { 2224 return Arrays.asList(admin.listTableNames()); 2225 } finally { 2226 admin.close(); 2227 unmanagedConnection.close(); 2228 } 2229 } 2230 }; 2231 2232 verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, 2233 USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); 2234 verifyIfEmptyList(listTablesAction, USER_NONE); 2235 } 2236 2237 @Test 2238 public void testTableDeletion() throws Exception { 2239 User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]); 2240 final TableName tableName = TableName.valueOf(name.getMethodName()); 2241 createTestTable(tableName); 2242 2243 // Grant TABLE ADMIN privs 2244 grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tableName, null, null, Permission.Action.ADMIN); 2245 2246 AccessTestAction deleteTableAction = new AccessTestAction() { 2247 @Override 2248 public Object run() throws Exception { 2249 Connection unmanagedConnection = 2250 ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); 2251 Admin admin = unmanagedConnection.getAdmin(); 2252 try { 2253 deleteTable(TEST_UTIL, admin, tableName); 2254 } finally { 2255 admin.close(); 2256 unmanagedConnection.close(); 2257 } 2258 return null; 2259 } 2260 }; 2261 2262 verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, 2263 USER_GROUP_WRITE); 2264 verifyAllowed(deleteTableAction, TABLE_ADMIN); 2265 } 2266 2267 private void createTestTable(TableName tname) throws Exception { 2268 createTestTable(tname, TEST_FAMILY); 2269 } 2270 2271 private void createTestTable(TableName tname, byte[] cf) throws Exception { 2272 HTableDescriptor htd = new HTableDescriptor(tname); 2273 HColumnDescriptor hcd = new HColumnDescriptor(cf); 2274 hcd.setMaxVersions(100); 2275 htd.addFamily(hcd); 2276 htd.setOwner(USER_OWNER); 2277 createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") }); 2278 } 2279 2280 @Test 2281 public void testNamespaceUserGrant() throws Exception { 2282 AccessTestAction getAction = new AccessTestAction() { 2283 @Override 2284 public Object run() throws Exception { 2285 try(Connection conn = ConnectionFactory.createConnection(conf); 2286 Table t = conn.getTable(TEST_TABLE);) { 2287 return t.get(new Get(TEST_ROW)); 2288 } 2289 } 2290 }; 2291 2292 String namespace = TEST_TABLE.getNamespaceAsString(); 2293 2294 // Grant namespace READ to USER_NONE, this should supersede any table permissions 2295 grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); 2296 // Now USER_NONE should be able to read 2297 verifyAllowed(getAction, USER_NONE); 2298 2299 // Revoke namespace READ to USER_NONE 2300 revokeFromNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); 2301 verifyDenied(getAction, USER_NONE); 2302 } 2303 2304 @Test 2305 public void testAccessControlClientGrantRevoke() throws Exception { 2306 // Create user for testing, who has no READ privileges by default. 2307 User testGrantRevoke = User.createUserForTesting(conf, "testGrantRevoke", new String[0]); 2308 AccessTestAction getAction = new AccessTestAction() { 2309 @Override 2310 public Object run() throws Exception { 2311 try(Connection conn = ConnectionFactory.createConnection(conf); 2312 Table t = conn.getTable(TEST_TABLE);) { 2313 return t.get(new Get(TEST_ROW)); 2314 } 2315 } 2316 }; 2317 2318 verifyDenied(getAction, testGrantRevoke); 2319 2320 // Grant table READ permissions to testGrantRevoke. 2321 try { 2322 grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, 2323 testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); 2324 } catch (Throwable e) { 2325 LOG.error("error during call of AccessControlClient.grant. ", e); 2326 } 2327 2328 // Now testGrantRevoke should be able to read also 2329 verifyAllowed(getAction, testGrantRevoke); 2330 2331 // Revoke table READ permission to testGrantRevoke. 2332 try { 2333 revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, 2334 testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); 2335 } catch (Throwable e) { 2336 LOG.error("error during call of AccessControlClient.revoke ", e); 2337 } 2338 2339 // Now testGrantRevoke shouldn't be able read 2340 verifyDenied(getAction, testGrantRevoke); 2341 } 2342 2343 @Test 2344 public void testAccessControlClientGlobalGrantRevoke() throws Exception { 2345 // Create user for testing, who has no READ privileges by default. 2346 User testGlobalGrantRevoke = User.createUserForTesting(conf, 2347 "testGlobalGrantRevoke", new String[0]); 2348 AccessTestAction getAction = new AccessTestAction() { 2349 @Override 2350 public Object run() throws Exception { 2351 try(Connection conn = ConnectionFactory.createConnection(conf); 2352 Table t = conn.getTable(TEST_TABLE)) { 2353 return t.get(new Get(TEST_ROW)); 2354 } 2355 } 2356 }; 2357 2358 verifyDenied(getAction, testGlobalGrantRevoke); 2359 2360 // Grant table READ permissions to testGlobalGrantRevoke. 2361 String userName = testGlobalGrantRevoke.getShortName(); 2362 try { 2363 grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2364 Permission.Action.READ); 2365 } catch (Throwable e) { 2366 LOG.error("error during call of AccessControlClient.grant. ", e); 2367 } 2368 try { 2369 // Now testGlobalGrantRevoke should be able to read also 2370 verifyAllowed(getAction, testGlobalGrantRevoke); 2371 } catch (Exception e) { 2372 revokeGlobal(TEST_UTIL, userName, Permission.Action.READ); 2373 throw e; 2374 } 2375 2376 // Revoke table READ permission to testGlobalGrantRevoke. 2377 try { 2378 revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2379 Permission.Action.READ); 2380 } catch (Throwable e) { 2381 LOG.error("error during call of AccessControlClient.revoke ", e); 2382 } 2383 2384 // Now testGlobalGrantRevoke shouldn't be able read 2385 verifyDenied(getAction, testGlobalGrantRevoke); 2386 2387 } 2388 2389 @Test 2390 public void testAccessControlClientMultiGrantRevoke() throws Exception { 2391 User testGrantRevoke = 2392 User.createUserForTesting(conf, "testGrantRevoke", new String[0]); 2393 AccessTestAction getAction = new AccessTestAction() { 2394 @Override 2395 public Object run() throws Exception { 2396 try(Connection conn = ConnectionFactory.createConnection(conf); 2397 Table t = conn.getTable(TEST_TABLE)) { 2398 return t.get(new Get(TEST_ROW)); 2399 } 2400 } 2401 }; 2402 2403 AccessTestAction putAction = new AccessTestAction() { 2404 @Override 2405 public Object run() throws Exception { 2406 Put p = new Put(TEST_ROW); 2407 p.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); 2408 try(Connection conn = ConnectionFactory.createConnection(conf); 2409 Table t = conn.getTable(TEST_TABLE)) { 2410 t.put(p); 2411 return null; 2412 } 2413 } 2414 }; 2415 2416 verifyDenied(getAction, testGrantRevoke); 2417 verifyDenied(putAction, testGrantRevoke); 2418 2419 // Grant global READ permissions to testGrantRevoke. 2420 String userName = testGrantRevoke.getShortName(); 2421 try { 2422 grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2423 Permission.Action.READ); 2424 } catch (Throwable e) { 2425 LOG.error("error during call of AccessControlClient.grant. ", e); 2426 } 2427 verifyAllowed(getAction, testGrantRevoke); 2428 verifyDenied(putAction, testGrantRevoke); 2429 2430 // Grant global WRITE permissions to testGrantRevoke. 2431 try { 2432 grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2433 Permission.Action.WRITE); 2434 } catch (Throwable e) { 2435 LOG.error("error during call of AccessControlClient.grant. ", e); 2436 } 2437 verifyAllowed(getAction, testGrantRevoke); 2438 verifyAllowed(putAction, testGrantRevoke); 2439 2440 // Revoke global READ permission to testGrantRevoke. 2441 try { 2442 revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2443 Permission.Action.READ, Permission.Action.WRITE); 2444 } catch (Throwable e) { 2445 LOG.error("error during call of AccessControlClient.revoke ", e); 2446 } 2447 verifyDenied(getAction, testGrantRevoke); 2448 verifyDenied(putAction, testGrantRevoke); 2449 2450 // Grant table READ & WRITE permissions to testGrantRevoke 2451 try { 2452 grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, TEST_TABLE, 2453 null, null, Permission.Action.READ); 2454 } catch (Throwable e) { 2455 LOG.error("error during call of AccessControlClient.grant. ", e); 2456 } 2457 verifyAllowed(getAction, testGrantRevoke); 2458 verifyDenied(putAction, testGrantRevoke); 2459 2460 // Grant table WRITE permissions to testGrantRevoke 2461 try { 2462 grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, TEST_TABLE, 2463 null, null, Action.WRITE); 2464 } catch (Throwable e) { 2465 LOG.error("error during call of AccessControlClient.grant. ", e); 2466 } 2467 verifyAllowed(getAction, testGrantRevoke); 2468 verifyAllowed(putAction, testGrantRevoke); 2469 2470 // Revoke table READ & WRITE permission to testGrantRevoke. 2471 try { 2472 revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, TEST_TABLE, null, null, 2473 Permission.Action.READ, Permission.Action.WRITE); 2474 } catch (Throwable e) { 2475 LOG.error("error during call of AccessControlClient.revoke ", e); 2476 } 2477 verifyDenied(getAction, testGrantRevoke); 2478 verifyDenied(putAction, testGrantRevoke); 2479 2480 // Grant Namespace READ permissions to testGrantRevoke 2481 String namespace = TEST_TABLE.getNamespaceAsString(); 2482 try { 2483 grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2484 namespace, Permission.Action.READ); 2485 } catch (Throwable e) { 2486 LOG.error("error during call of AccessControlClient.grant. ", e); 2487 } 2488 verifyAllowed(getAction, testGrantRevoke); 2489 verifyDenied(putAction, testGrantRevoke); 2490 2491 // Grant Namespace WRITE permissions to testGrantRevoke 2492 try { 2493 grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2494 namespace, Permission.Action.WRITE); 2495 } catch (Throwable e) { 2496 LOG.error("error during call of AccessControlClient.grant. ", e); 2497 } 2498 verifyAllowed(getAction, testGrantRevoke); 2499 verifyAllowed(putAction, testGrantRevoke); 2500 2501 // Revoke table READ & WRITE permission to testGrantRevoke. 2502 try { 2503 revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2504 TEST_TABLE.getNamespaceAsString(), Permission.Action.READ, Permission.Action.WRITE); 2505 } catch (Throwable e) { 2506 LOG.error("error during call of AccessControlClient.revoke ", e); 2507 } 2508 verifyDenied(getAction, testGrantRevoke); 2509 verifyDenied(putAction, testGrantRevoke); 2510 } 2511 2512 @Test 2513 public void testAccessControlClientGrantRevokeOnNamespace() throws Exception { 2514 // Create user for testing, who has no READ privileges by default. 2515 User testNS = User.createUserForTesting(conf, "testNS", new String[0]); 2516 AccessTestAction getAction = new AccessTestAction() { 2517 @Override 2518 public Object run() throws Exception { 2519 try(Connection conn = ConnectionFactory.createConnection(conf); 2520 Table t = conn.getTable(TEST_TABLE);) { 2521 return t.get(new Get(TEST_ROW)); 2522 } 2523 } 2524 }; 2525 2526 verifyDenied(getAction, testNS); 2527 2528 String userName = testNS.getShortName(); 2529 String namespace = TEST_TABLE.getNamespaceAsString(); 2530 // Grant namespace READ to testNS, this should supersede any table permissions 2531 try { 2532 grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, namespace, 2533 Permission.Action.READ); 2534 } catch (Throwable e) { 2535 LOG.error("error during call of AccessControlClient.grant. ", e); 2536 } 2537 try { 2538 // Now testNS should be able to read also 2539 verifyAllowed(getAction, testNS); 2540 } catch (Exception e) { 2541 revokeFromNamespace(TEST_UTIL, userName, namespace, Permission.Action.READ); 2542 throw e; 2543 } 2544 2545 // Revoke namespace READ to testNS, this should supersede any table permissions 2546 try { 2547 revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, 2548 namespace, Permission.Action.READ); 2549 } catch (Throwable e) { 2550 LOG.error("error during call of AccessControlClient.revoke ", e); 2551 } 2552 2553 // Now testNS shouldn't be able read 2554 verifyDenied(getAction, testNS); 2555 } 2556 2557 2558 public static class PingCoprocessor extends PingService implements RegionCoprocessor { 2559 2560 @Override 2561 public void start(CoprocessorEnvironment env) throws IOException { } 2562 2563 @Override 2564 public void stop(CoprocessorEnvironment env) throws IOException { } 2565 2566 @Override 2567 public Iterable<Service> getServices() { 2568 return Collections.singleton(this); 2569 } 2570 2571 @Override 2572 public void ping(RpcController controller, PingRequest request, 2573 RpcCallback<PingResponse> callback) { 2574 callback.run(PingResponse.newBuilder().setPong("Pong!").build()); 2575 } 2576 2577 @Override 2578 public void count(RpcController controller, CountRequest request, 2579 RpcCallback<CountResponse> callback) { 2580 callback.run(CountResponse.newBuilder().build()); 2581 } 2582 2583 @Override 2584 public void increment(RpcController controller, IncrementCountRequest requet, 2585 RpcCallback<IncrementCountResponse> callback) { 2586 callback.run(IncrementCountResponse.newBuilder().build()); 2587 } 2588 2589 @Override 2590 public void hello(RpcController controller, HelloRequest request, 2591 RpcCallback<HelloResponse> callback) { 2592 callback.run(HelloResponse.newBuilder().setResponse("Hello!").build()); 2593 } 2594 2595 @Override 2596 public void noop(RpcController controller, NoopRequest request, 2597 RpcCallback<NoopResponse> callback) { 2598 callback.run(NoopResponse.newBuilder().build()); 2599 } 2600 } 2601 2602 @Test 2603 public void testCoprocessorExec() throws Exception { 2604 // Set up our ping endpoint service on all regions of our test table 2605 for (JVMClusterUtil.RegionServerThread thread: 2606 TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) { 2607 HRegionServer rs = thread.getRegionServer(); 2608 for (HRegion region: rs.getRegions(TEST_TABLE)) { 2609 region.getCoprocessorHost().load(PingCoprocessor.class, 2610 Coprocessor.PRIORITY_USER, conf); 2611 } 2612 } 2613 2614 // Create users for testing, and grant EXEC privileges on our test table 2615 // only to user A 2616 User userA = User.createUserForTesting(conf, "UserA", new String[0]); 2617 User userB = User.createUserForTesting(conf, "UserB", new String[0]); 2618 2619 grantOnTable(TEST_UTIL, userA.getShortName(), 2620 TEST_TABLE, null, null, 2621 Permission.Action.EXEC); 2622 try { 2623 // Create an action for invoking our test endpoint 2624 AccessTestAction execEndpointAction = new AccessTestAction() { 2625 @Override 2626 public Object run() throws Exception { 2627 try (Connection conn = ConnectionFactory.createConnection(conf); 2628 Table t = conn.getTable(TEST_TABLE);) { 2629 BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); 2630 PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); 2631 } 2632 return null; 2633 } 2634 }; 2635 2636 String namespace = TEST_TABLE.getNamespaceAsString(); 2637 // Now grant EXEC to the entire namespace to user B 2638 grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); 2639 // User B should now be allowed also 2640 verifyAllowed(execEndpointAction, userA, userB); 2641 2642 revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); 2643 // Verify that EXEC permission is checked correctly 2644 verifyDenied(execEndpointAction, userB); 2645 verifyAllowed(execEndpointAction, userA); 2646 } finally { 2647 // Cleanup, revoke the userA privileges 2648 revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, 2649 Permission.Action.EXEC); 2650 } 2651 } 2652 2653 @Test 2654 public void testSetQuota() throws Exception { 2655 AccessTestAction setUserQuotaAction = new AccessTestAction() { 2656 @Override 2657 public Object run() throws Exception { 2658 ACCESS_CONTROLLER.preSetUserQuota(ObserverContextImpl.createAndPrepare(CP_ENV), 2659 null, null); 2660 return null; 2661 } 2662 }; 2663 2664 AccessTestAction setUserTableQuotaAction = new AccessTestAction() { 2665 @Override 2666 public Object run() throws Exception { 2667 ACCESS_CONTROLLER.preSetUserQuota(ObserverContextImpl.createAndPrepare(CP_ENV), null, 2668 TEST_TABLE, null); 2669 return null; 2670 } 2671 }; 2672 2673 AccessTestAction setUserNamespaceQuotaAction = new AccessTestAction() { 2674 @Override 2675 public Object run() throws Exception { 2676 ACCESS_CONTROLLER.preSetUserQuota(ObserverContextImpl.createAndPrepare(CP_ENV), 2677 null, (String)null, null); 2678 return null; 2679 } 2680 }; 2681 2682 AccessTestAction setTableQuotaAction = new AccessTestAction() { 2683 @Override 2684 public Object run() throws Exception { 2685 ACCESS_CONTROLLER.preSetTableQuota(ObserverContextImpl.createAndPrepare(CP_ENV), 2686 TEST_TABLE, null); 2687 return null; 2688 } 2689 }; 2690 2691 AccessTestAction setNamespaceQuotaAction = new AccessTestAction() { 2692 @Override 2693 public Object run() throws Exception { 2694 ACCESS_CONTROLLER.preSetNamespaceQuota(ObserverContextImpl.createAndPrepare(CP_ENV), 2695 null, null); 2696 return null; 2697 } 2698 }; 2699 2700 AccessTestAction setRegionServerQuotaAction = new AccessTestAction() { 2701 @Override 2702 public Object run() throws Exception { 2703 ACCESS_CONTROLLER.preSetRegionServerQuota(ObserverContextImpl.createAndPrepare(CP_ENV), 2704 null, null); 2705 return null; 2706 } 2707 }; 2708 2709 verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2710 verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2711 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2712 2713 verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 2714 verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, 2715 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2716 2717 verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2718 verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2719 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2720 2721 verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); 2722 verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); 2723 2724 verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2725 verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2726 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2727 2728 verifyAllowed(setRegionServerQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 2729 verifyDenied(setRegionServerQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2730 USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); 2731 } 2732 2733 @Test 2734 public void testGetNamespacePermission() throws Exception { 2735 String namespace = "testGetNamespacePermission"; 2736 NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build(); 2737 createNamespace(TEST_UTIL, desc); 2738 grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); 2739 2740 // Test 1: A specific namespace 2741 getNamespacePermissionsAndVerify(namespace, 1, namespace); 2742 2743 // Test 2: '@.*' 2744 getNamespacePermissionsAndVerify(".*", 1, namespace); 2745 2746 // Test 3: A more complex regex 2747 getNamespacePermissionsAndVerify("^test[a-zA-Z]*", 1, namespace); 2748 2749 deleteNamespace(TEST_UTIL, namespace); 2750 } 2751 2752 /** 2753 * List all user permissions match the given regular expression for namespace 2754 * and verify each of them. 2755 * @param namespaceRegexWithoutPrefix the regualar expression for namespace, without NAMESPACE_PREFIX 2756 * @param expectedAmount the expected amount of user permissions returned 2757 * @param expectedNamespace the expected namespace of each user permission returned 2758 * @throws HBaseException in the case of any HBase exception when accessing hbase:acl table 2759 */ 2760 private void getNamespacePermissionsAndVerify(String namespaceRegexWithoutPrefix, 2761 int expectedAmount, String expectedNamespace) throws HBaseException { 2762 try { 2763 List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions( 2764 systemUserConnection, PermissionStorage.toNamespaceEntry(namespaceRegexWithoutPrefix)); 2765 assertTrue(namespacePermissions != null); 2766 assertEquals(expectedAmount, namespacePermissions.size()); 2767 for (UserPermission namespacePermission : namespacePermissions) { 2768 // Verify it is not a global user permission 2769 assertFalse(namespacePermission.getAccessScope() == Permission.Scope.GLOBAL); 2770 // Verify namespace is set 2771 NamespacePermission nsPerm = (NamespacePermission) namespacePermission.getPermission(); 2772 assertEquals(expectedNamespace, nsPerm.getNamespace()); 2773 } 2774 } catch (Throwable thw) { 2775 throw new HBaseException(thw); 2776 } 2777 } 2778 2779 @Test 2780 public void testTruncatePerms() throws Exception { 2781 try { 2782 List<UserPermission> existingPerms = AccessControlClient.getUserPermissions( 2783 systemUserConnection, TEST_TABLE.getNameAsString()); 2784 assertTrue(existingPerms != null); 2785 assertTrue(existingPerms.size() > 1); 2786 TEST_UTIL.getAdmin().disableTable(TEST_TABLE); 2787 TEST_UTIL.truncateTable(TEST_TABLE); 2788 TEST_UTIL.waitTableAvailable(TEST_TABLE); 2789 List<UserPermission> perms = AccessControlClient.getUserPermissions( 2790 systemUserConnection, TEST_TABLE.getNameAsString()); 2791 assertTrue(perms != null); 2792 assertEquals(existingPerms.size(), perms.size()); 2793 } catch (Throwable e) { 2794 throw new HBaseIOException(e); 2795 } 2796 } 2797 2798 private PrivilegedAction<List<UserPermission>> getPrivilegedAction(final String regex) { 2799 return new PrivilegedAction<List<UserPermission>>() { 2800 @Override 2801 public List<UserPermission> run() { 2802 try(Connection conn = ConnectionFactory.createConnection(conf);) { 2803 return AccessControlClient.getUserPermissions(conn, regex); 2804 } catch (Throwable e) { 2805 LOG.error("error during call of AccessControlClient.getUserPermissions.", e); 2806 return null; 2807 } 2808 } 2809 }; 2810 } 2811 2812 @Test 2813 public void testAccessControlClientUserPerms() throws Exception { 2814 final TableName tableName = TableName.valueOf(name.getMethodName()); 2815 createTestTable(tableName); 2816 try { 2817 final String regex = tableName.getNameWithNamespaceInclAsString(); 2818 User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); 2819 assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); 2820 // Grant TABLE ADMIN privs to testUserPerms 2821 grantOnTable(TEST_UTIL, testUserPerms.getShortName(), tableName, null, null, Action.ADMIN); 2822 List<UserPermission> perms = testUserPerms.runAs(getPrivilegedAction(regex)); 2823 assertNotNull(perms); 2824 // Superuser, testUserPerms 2825 assertEquals(2, perms.size()); 2826 } finally { 2827 deleteTable(TEST_UTIL, tableName); 2828 } 2829 } 2830 2831 @Test 2832 public void testAccessControllerUserPermsRegexHandling() throws Exception { 2833 User testRegexHandler = User.createUserForTesting(conf, "testRegexHandling", new String[0]); 2834 2835 final String REGEX_ALL_TABLES = ".*"; 2836 final String tableName = name.getMethodName(); 2837 final TableName table1 = TableName.valueOf(tableName); 2838 final byte[] family = Bytes.toBytes("f1"); 2839 2840 // create table in default ns 2841 Admin admin = TEST_UTIL.getAdmin(); 2842 HTableDescriptor htd = new HTableDescriptor(table1); 2843 htd.addFamily(new HColumnDescriptor(family)); 2844 createTable(TEST_UTIL, htd); 2845 2846 // creating the ns and table in it 2847 String ns = "testNamespace"; 2848 NamespaceDescriptor desc = NamespaceDescriptor.create(ns).build(); 2849 final TableName table2 = TableName.valueOf(ns, tableName); 2850 createNamespace(TEST_UTIL, desc); 2851 htd = new HTableDescriptor(table2); 2852 htd.addFamily(new HColumnDescriptor(family)); 2853 createTable(TEST_UTIL, htd); 2854 2855 // Verify that we can read sys-tables 2856 String aclTableName = PermissionStorage.ACL_TABLE_NAME.getNameAsString(); 2857 assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); 2858 assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size()); 2859 2860 // Grant TABLE ADMIN privs to testUserPerms 2861 assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); 2862 grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table1, null, null, Action.ADMIN); 2863 assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); 2864 grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table2, null, null, Action.ADMIN); 2865 assertEquals(4, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); 2866 2867 // USER_ADMIN, testUserPerms must have a row each. 2868 assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(tableName)).size()); 2869 assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( 2870 NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + TableName.NAMESPACE_DELIM + tableName) 2871 ).size()); 2872 assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( 2873 ns + TableName.NAMESPACE_DELIM + tableName)).size()); 2874 assertEquals(0, testRegexHandler.runAs(getPrivilegedAction("notMatchingAny")).size()); 2875 2876 deleteTable(TEST_UTIL, table1); 2877 deleteTable(TEST_UTIL, table2); 2878 deleteNamespace(TEST_UTIL, ns); 2879 } 2880 2881 private void verifyAnyCreate(AccessTestAction action) throws Exception { 2882 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF, 2883 USER_GROUP_CREATE, USER_GROUP_ADMIN); 2884 verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE); 2885 } 2886 2887 @Test 2888 public void testPrepareAndCleanBulkLoad() throws Exception { 2889 AccessTestAction prepareBulkLoadAction = new AccessTestAction() { 2890 @Override 2891 public Object run() throws Exception { 2892 ACCESS_CONTROLLER.prePrepareBulkLoad(ObserverContextImpl.createAndPrepare(RCP_ENV)); 2893 return null; 2894 } 2895 }; 2896 AccessTestAction cleanupBulkLoadAction = new AccessTestAction() { 2897 @Override 2898 public Object run() throws Exception { 2899 ACCESS_CONTROLLER.preCleanupBulkLoad(ObserverContextImpl.createAndPrepare(RCP_ENV)); 2900 return null; 2901 } 2902 }; 2903 verifyAnyCreate(prepareBulkLoadAction); 2904 verifyAnyCreate(cleanupBulkLoadAction); 2905 } 2906 2907 @Test 2908 public void testReplicateLogEntries() throws Exception { 2909 AccessTestAction replicateLogEntriesAction = new AccessTestAction() { 2910 @Override 2911 public Object run() throws Exception { 2912 ACCESS_CONTROLLER.preReplicateLogEntries(ObserverContextImpl.createAndPrepare(RSCP_ENV)); 2913 ACCESS_CONTROLLER.postReplicateLogEntries(ObserverContextImpl.createAndPrepare(RSCP_ENV)); 2914 return null; 2915 } 2916 }; 2917 2918 verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE); 2919 verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, 2920 USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE); 2921 } 2922 2923 @Test 2924 public void testAddReplicationPeer() throws Exception { 2925 AccessTestAction action = new AccessTestAction() { 2926 @Override 2927 public Object run() throws Exception { 2928 ACCESS_CONTROLLER.preAddReplicationPeer(ObserverContextImpl.createAndPrepare(CP_ENV), 2929 "test", null); 2930 return null; 2931 } 2932 }; 2933 2934 verifyAllowed(action, SUPERUSER, USER_ADMIN); 2935 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 2936 } 2937 2938 @Test 2939 public void testRemoveReplicationPeer() throws Exception { 2940 AccessTestAction action = new AccessTestAction() { 2941 @Override 2942 public Object run() throws Exception { 2943 ACCESS_CONTROLLER.preRemoveReplicationPeer(ObserverContextImpl.createAndPrepare(CP_ENV), 2944 "test"); 2945 return null; 2946 } 2947 }; 2948 2949 verifyAllowed(action, SUPERUSER, USER_ADMIN); 2950 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 2951 } 2952 2953 @Test 2954 public void testEnableReplicationPeer() throws Exception { 2955 AccessTestAction action = new AccessTestAction() { 2956 @Override 2957 public Object run() throws Exception { 2958 ACCESS_CONTROLLER.preEnableReplicationPeer(ObserverContextImpl.createAndPrepare(CP_ENV), 2959 "test"); 2960 return null; 2961 } 2962 }; 2963 2964 verifyAllowed(action, SUPERUSER, USER_ADMIN); 2965 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 2966 } 2967 2968 @Test 2969 public void testDisableReplicationPeer() throws Exception { 2970 AccessTestAction action = new AccessTestAction() { 2971 @Override 2972 public Object run() throws Exception { 2973 ACCESS_CONTROLLER.preDisableReplicationPeer(ObserverContextImpl.createAndPrepare(CP_ENV), 2974 "test"); 2975 return null; 2976 } 2977 }; 2978 2979 verifyAllowed(action, SUPERUSER, USER_ADMIN); 2980 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 2981 } 2982 2983 @Test 2984 public void testGetReplicationPeerConfig() throws Exception { 2985 AccessTestAction action = new AccessTestAction() { 2986 @Override 2987 public Object run() throws Exception { 2988 ACCESS_CONTROLLER.preGetReplicationPeerConfig( 2989 ObserverContextImpl.createAndPrepare(CP_ENV), "test"); 2990 return null; 2991 } 2992 }; 2993 2994 verifyAllowed(action, SUPERUSER, USER_ADMIN); 2995 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 2996 } 2997 2998 @Test 2999 public void testUpdateReplicationPeerConfig() throws Exception { 3000 AccessTestAction action = new AccessTestAction() { 3001 @Override 3002 public Object run() throws Exception { 3003 ACCESS_CONTROLLER.preUpdateReplicationPeerConfig( 3004 ObserverContextImpl.createAndPrepare(CP_ENV), "test", new ReplicationPeerConfig()); 3005 return null; 3006 } 3007 }; 3008 3009 verifyAllowed(action, SUPERUSER, USER_ADMIN); 3010 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 3011 } 3012 3013 @Test 3014 public void testListReplicationPeers() throws Exception { 3015 AccessTestAction action = new AccessTestAction() { 3016 @Override 3017 public Object run() throws Exception { 3018 ACCESS_CONTROLLER.preListReplicationPeers(ObserverContextImpl.createAndPrepare(CP_ENV), 3019 "test"); 3020 return null; 3021 } 3022 }; 3023 3024 verifyAllowed(action, SUPERUSER, USER_ADMIN); 3025 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 3026 } 3027 3028 @Test 3029 public void testRemoteLocks() throws Exception { 3030 String namespace = "preQueueNs"; 3031 final TableName tableName = TableName.valueOf(namespace, name.getMethodName()); 3032 HRegionInfo[] regionInfos = new HRegionInfo[] {new HRegionInfo(tableName)}; 3033 3034 // Setup Users 3035 // User will be granted ADMIN and CREATE on namespace. Should be denied before grant. 3036 User namespaceUser = User.createUserForTesting(conf, "qLNSUser", new String[0]); 3037 // User will be granted ADMIN and CREATE on table. Should be denied before grant. 3038 User tableACUser = User.createUserForTesting(conf, "qLTableACUser", new String[0]); 3039 // User will be granted READ, WRITE, EXECUTE on table. Should be denied. 3040 User tableRWXUser = User.createUserForTesting(conf, "qLTableRWXUser", new String[0]); 3041 grantOnTable(TEST_UTIL, tableRWXUser.getShortName(), tableName, null, null, 3042 Action.READ, Action.WRITE, Action.EXEC); 3043 // User with global READ, WRITE, EXECUTE should be denied lock access. 3044 User globalRWXUser = User.createUserForTesting(conf, "qLGlobalRWXUser", new String[0]); 3045 grantGlobal(TEST_UTIL, globalRWXUser.getShortName(), Action.READ, Action.WRITE, Action.EXEC); 3046 3047 AccessTestAction namespaceLockAction = new AccessTestAction() { 3048 @Override public Object run() throws Exception { 3049 ACCESS_CONTROLLER.preRequestLock(ObserverContextImpl.createAndPrepare(CP_ENV), namespace, 3050 null, null, null); 3051 return null; 3052 } 3053 }; 3054 verifyAllowed(namespaceLockAction, SUPERUSER, USER_ADMIN); 3055 verifyDenied(namespaceLockAction, globalRWXUser, tableACUser, namespaceUser, tableRWXUser); 3056 grantOnNamespace(TEST_UTIL, namespaceUser.getShortName(), namespace, Action.ADMIN); 3057 // Why I need this pause? I don't need it elsewhere. 3058 Threads.sleep(1000); 3059 verifyAllowed(namespaceLockAction, namespaceUser); 3060 3061 AccessTestAction tableLockAction = new AccessTestAction() { 3062 @Override public Object run() throws Exception { 3063 ACCESS_CONTROLLER.preRequestLock(ObserverContextImpl.createAndPrepare(CP_ENV), 3064 null, tableName, null, null); 3065 return null; 3066 } 3067 }; 3068 verifyAllowed(tableLockAction, SUPERUSER, USER_ADMIN, namespaceUser); 3069 verifyDenied(tableLockAction, globalRWXUser, tableACUser, tableRWXUser); 3070 grantOnTable(TEST_UTIL, tableACUser.getShortName(), tableName, null, null, 3071 Action.ADMIN, Action.CREATE); 3072 // See if this can fail (flakie) because grant hasn't propagated yet. 3073 for (int i = 0; i < 10; i++) { 3074 try { 3075 verifyAllowed(tableLockAction, tableACUser); 3076 } catch (AssertionError e) { 3077 LOG.warn("Retrying assertion error", e); 3078 Threads.sleep(1000); 3079 continue; 3080 } 3081 } 3082 3083 AccessTestAction regionsLockAction = new AccessTestAction() { 3084 @Override public Object run() throws Exception { 3085 ACCESS_CONTROLLER.preRequestLock(ObserverContextImpl.createAndPrepare(CP_ENV), 3086 null, null, regionInfos, null); 3087 return null; 3088 } 3089 }; 3090 verifyAllowed(regionsLockAction, SUPERUSER, USER_ADMIN, namespaceUser, tableACUser); 3091 verifyDenied(regionsLockAction, globalRWXUser, tableRWXUser); 3092 3093 // Test heartbeats 3094 // Create a lock procedure and try sending heartbeat to it. It doesn't matter how the lock 3095 // was created, we just need namespace from the lock's tablename. 3096 LockProcedure proc = new LockProcedure(conf, tableName, LockType.EXCLUSIVE, "test", null); 3097 AccessTestAction regionLockHeartbeatAction = new AccessTestAction() { 3098 @Override public Object run() throws Exception { 3099 ACCESS_CONTROLLER.preLockHeartbeat(ObserverContextImpl.createAndPrepare(CP_ENV), 3100 proc.getTableName(), proc.getDescription()); 3101 return null; 3102 } 3103 }; 3104 verifyAllowed(regionLockHeartbeatAction, SUPERUSER, USER_ADMIN, namespaceUser, tableACUser); 3105 verifyDenied(regionLockHeartbeatAction, globalRWXUser, tableRWXUser); 3106 } 3107 3108 @Test 3109 public void testAccessControlRevokeOnlyFewPermission() throws Throwable { 3110 TableName tname = TableName.valueOf("revoke"); 3111 try { 3112 TEST_UTIL.createTable(tname, TEST_FAMILY); 3113 User testUserPerms = User.createUserForTesting(conf, "revokePerms", new String[0]); 3114 Permission.Action[] actions = { Action.READ, Action.WRITE }; 3115 AccessControlClient.grant(TEST_UTIL.getConnection(), tname, testUserPerms.getShortName(), 3116 null, null, actions); 3117 3118 List<UserPermission> userPermissions = AccessControlClient 3119 .getUserPermissions(TEST_UTIL.getConnection(), tname.getNameAsString()); 3120 assertEquals(2, userPermissions.size()); 3121 3122 AccessControlClient.revoke(TEST_UTIL.getConnection(), tname, testUserPerms.getShortName(), 3123 null, null, Action.WRITE); 3124 3125 userPermissions = AccessControlClient.getUserPermissions(TEST_UTIL.getConnection(), 3126 tname.getNameAsString()); 3127 assertEquals(2, userPermissions.size()); 3128 3129 Permission.Action[] expectedAction = { Action.READ }; 3130 boolean userFound = false; 3131 for (UserPermission p : userPermissions) { 3132 if (testUserPerms.getShortName().equals(p.getUser())) { 3133 assertArrayEquals(expectedAction, p.getPermission().getActions()); 3134 userFound = true; 3135 break; 3136 } 3137 } 3138 assertTrue(userFound); 3139 } finally { 3140 TEST_UTIL.deleteTable(tname); 3141 } 3142 } 3143 3144 @Test 3145 public void testGetClusterStatus() throws Exception { 3146 AccessTestAction action = new AccessTestAction() { 3147 @Override 3148 public Object run() throws Exception { 3149 ACCESS_CONTROLLER.preGetClusterMetrics(ObserverContextImpl.createAndPrepare(CP_ENV)); 3150 return null; 3151 } 3152 }; 3153 3154 verifyAllowed( 3155 action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 3156 } 3157 3158 @Test 3159 public void testExecuteProcedures() throws Exception { 3160 AccessTestAction action = new AccessTestAction() { 3161 @Override 3162 public Object run() throws Exception { 3163 ACCESS_CONTROLLER.preExecuteProcedures(ObserverContextImpl.createAndPrepare(RSCP_ENV)); 3164 return null; 3165 } 3166 }; 3167 3168 verifyAllowed(action, SUPERUSER); 3169 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_ADMIN); 3170 } 3171 3172 @Test 3173 public void testGetUserPermissions() throws Throwable { 3174 Connection conn = null; 3175 try { 3176 conn = ConnectionFactory.createConnection(conf); 3177 User nSUser1 = User.createUserForTesting(conf, "nsuser1", new String[0]); 3178 User nSUser2 = User.createUserForTesting(conf, "nsuser2", new String[0]); 3179 User nSUser3 = User.createUserForTesting(conf, "nsuser3", new String[0]); 3180 3181 // Global access groups 3182 User globalGroupUser1 = 3183 User.createUserForTesting(conf, "globalGroupUser1", new String[] { "group_admin" }); 3184 User globalGroupUser2 = User.createUserForTesting(conf, "globalGroupUser2", 3185 new String[] { "group_admin", "group_create" }); 3186 // Namespace access groups 3187 User nsGroupUser1 = 3188 User.createUserForTesting(conf, "nsGroupUser1", new String[] { "ns_group1" }); 3189 User nsGroupUser2 = 3190 User.createUserForTesting(conf, "nsGroupUser2", new String[] { "ns_group2" }); 3191 // table Access groups 3192 User tableGroupUser1 = 3193 User.createUserForTesting(conf, "tableGroupUser1", new String[] { "table_group1" }); 3194 User tableGroupUser2 = 3195 User.createUserForTesting(conf, "tableGroupUser2", new String[] { "table_group2" }); 3196 3197 // Create namespaces 3198 String nsPrefix = "testNS"; 3199 final String namespace1 = nsPrefix + "1"; 3200 NamespaceDescriptor desc1 = NamespaceDescriptor.create(namespace1).build(); 3201 createNamespace(TEST_UTIL, desc1); 3202 String namespace2 = nsPrefix + "2"; 3203 NamespaceDescriptor desc2 = NamespaceDescriptor.create(namespace2).build(); 3204 createNamespace(TEST_UTIL, desc2); 3205 3206 // Grant namespace permission 3207 grantOnNamespace(TEST_UTIL, nSUser1.getShortName(), namespace1, Permission.Action.ADMIN); 3208 grantOnNamespace(TEST_UTIL, nSUser3.getShortName(), namespace1, Permission.Action.READ); 3209 grantOnNamespace(TEST_UTIL, toGroupEntry("ns_group1"), namespace1, Permission.Action.ADMIN); 3210 grantOnNamespace(TEST_UTIL, nSUser2.getShortName(), namespace2, Permission.Action.ADMIN); 3211 grantOnNamespace(TEST_UTIL, nSUser3.getShortName(), namespace2, Permission.Action.ADMIN); 3212 grantOnNamespace(TEST_UTIL, toGroupEntry("ns_group2"), namespace2, Permission.Action.READ, 3213 Permission.Action.WRITE); 3214 3215 // Create tables 3216 TableName table1 = TableName.valueOf(namespace1 + TableName.NAMESPACE_DELIM + "t1"); 3217 TableName table2 = TableName.valueOf(namespace2 + TableName.NAMESPACE_DELIM + "t2"); 3218 byte[] TEST_FAMILY2 = Bytes.toBytes("f2"); 3219 byte[] TEST_QUALIFIER2 = Bytes.toBytes("q2"); 3220 createTestTable(table1, TEST_FAMILY); 3221 createTestTable(table2, TEST_FAMILY2); 3222 3223 // Grant table permissions 3224 grantOnTable(TEST_UTIL, toGroupEntry("table_group1"), table1, null, null, 3225 Permission.Action.ADMIN); 3226 grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), table1, null, null, 3227 Permission.Action.ADMIN); 3228 grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), table1, TEST_FAMILY, null, 3229 Permission.Action.ADMIN); 3230 grantOnTable(TEST_UTIL, USER_RW.getShortName(), table1, TEST_FAMILY, TEST_QUALIFIER, 3231 Permission.Action.READ); 3232 grantOnTable(TEST_UTIL, USER_RW.getShortName(), table1, TEST_FAMILY, TEST_QUALIFIER2, 3233 Permission.Action.WRITE); 3234 3235 grantOnTable(TEST_UTIL, toGroupEntry("table_group2"), table2, null, null, 3236 Permission.Action.ADMIN); 3237 grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), table2, null, null, 3238 Permission.Action.ADMIN); 3239 grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), table2, TEST_FAMILY2, null, 3240 Permission.Action.ADMIN); 3241 grantOnTable(TEST_UTIL, USER_RW.getShortName(), table2, TEST_FAMILY2, TEST_QUALIFIER, 3242 Permission.Action.READ); 3243 grantOnTable(TEST_UTIL, USER_RW.getShortName(), table2, TEST_FAMILY2, TEST_QUALIFIER2, 3244 Permission.Action.WRITE); 3245 3246 List<UserPermission> userPermissions = null; 3247 Collection<String> superUsers = Superusers.getSuperUsers(); 3248 int superUserCount = superUsers.size(); 3249 3250 // Global User ACL 3251 validateGlobalUserACLForGetUserPermissions(conn, nSUser1, globalGroupUser1, globalGroupUser2, 3252 superUsers, superUserCount); 3253 3254 // Namespace ACL 3255 validateNamespaceUserACLForGetUserPermissions(conn, nSUser1, nSUser3, nsGroupUser1, 3256 nsGroupUser2, nsPrefix, namespace1, namespace2); 3257 3258 // Table + Users 3259 validateTableACLForGetUserPermissions(conn, nSUser1, tableGroupUser1, tableGroupUser2, 3260 nsPrefix, table1, table2, TEST_QUALIFIER2, superUsers); 3261 3262 // exception scenarios 3263 3264 try { 3265 // test case with table name as null 3266 assertEquals(3, AccessControlClient.getUserPermissions(conn, null, TEST_FAMILY).size()); 3267 fail("this should have thrown IllegalArgumentException"); 3268 } catch (IllegalArgumentException ex) { 3269 // expected 3270 } 3271 try { 3272 // test case with table name as emplty 3273 assertEquals(3, AccessControlClient 3274 .getUserPermissions(conn, HConstants.EMPTY_STRING, TEST_FAMILY).size()); 3275 fail("this should have thrown IllegalArgumentException"); 3276 } catch (IllegalArgumentException ex) { 3277 // expected 3278 } 3279 try { 3280 // test case with table name as namespace name 3281 assertEquals(3, 3282 AccessControlClient.getUserPermissions(conn, "@" + namespace2, TEST_FAMILY).size()); 3283 fail("this should have thrown IllegalArgumentException"); 3284 } catch (IllegalArgumentException ex) { 3285 // expected 3286 } 3287 3288 // Clean the table and namespace 3289 deleteTable(TEST_UTIL, table1); 3290 deleteTable(TEST_UTIL, table2); 3291 deleteNamespace(TEST_UTIL, namespace1); 3292 deleteNamespace(TEST_UTIL, namespace2); 3293 } finally { 3294 if (conn != null) { 3295 conn.close(); 3296 } 3297 } 3298 } 3299 3300 @Test 3301 public void testHasPermission() throws Throwable { 3302 Connection conn = null; 3303 try { 3304 conn = ConnectionFactory.createConnection(conf); 3305 // Create user and set namespace ACL 3306 User user1 = User.createUserForTesting(conf, "testHasPermissionUser1", new String[0]); 3307 // Grant namespace permission 3308 grantOnNamespaceUsingAccessControlClient(TEST_UTIL, conn, user1.getShortName(), 3309 NamespaceDescriptor.DEFAULT_NAMESPACE.getName(), Permission.Action.ADMIN, 3310 Permission.Action.CREATE, Permission.Action.READ); 3311 3312 // Create user and set table ACL 3313 User user2 = User.createUserForTesting(conf, "testHasPermissionUser2", new String[0]); 3314 // Grant namespace permission 3315 grantOnTableUsingAccessControlClient(TEST_UTIL, conn, user2.getShortName(), TEST_TABLE, 3316 TEST_FAMILY, TEST_QUALIFIER, Permission.Action.READ, Permission.Action.WRITE); 3317 3318 // Verify action privilege 3319 AccessTestAction hasPermissionActionCP = new AccessTestAction() { 3320 @Override 3321 public Object run() throws Exception { 3322 try (Connection conn = ConnectionFactory.createConnection(conf); 3323 Table acl = conn.getTable(PermissionStorage.ACL_TABLE_NAME)) { 3324 BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); 3325 AccessControlService.BlockingInterface protocol = 3326 AccessControlService.newBlockingStub(service); 3327 Permission.Action[] actions = { Permission.Action.READ, Permission.Action.WRITE }; 3328 AccessControlUtil.hasPermission(null, protocol, TEST_TABLE, TEST_FAMILY, 3329 HConstants.EMPTY_BYTE_ARRAY, "dummy", actions); 3330 } 3331 return null; 3332 } 3333 }; 3334 AccessTestAction hasPermissionAction = new AccessTestAction() { 3335 @Override 3336 public Object run() throws Exception { 3337 try (Connection conn = ConnectionFactory.createConnection(conf)) { 3338 Permission.Action[] actions = { Permission.Action.READ, Permission.Action.WRITE }; 3339 conn.getAdmin().hasUserPermissions("dummy", 3340 Arrays.asList(Permission.newBuilder(TEST_TABLE).withFamily(TEST_FAMILY) 3341 .withQualifier(HConstants.EMPTY_BYTE_ARRAY).withActions(actions).build())); 3342 } 3343 return null; 3344 } 3345 }; 3346 verifyAllowed(hasPermissionActionCP, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER, 3347 USER_ADMIN_CF, user1); 3348 verifyDenied(hasPermissionActionCP, USER_CREATE, USER_RW, USER_RO, USER_NONE, user2); 3349 verifyAllowed(hasPermissionAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN, USER_OWNER, 3350 USER_ADMIN_CF, user1); 3351 verifyDenied(hasPermissionAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, user2); 3352 3353 // Check for global user 3354 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3355 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN.getShortName(), 3356 Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE, 3357 Permission.Action.ADMIN)); 3358 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3359 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN.getShortName(), 3360 Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE, 3361 Permission.Action.ADMIN, Permission.Action.EXEC)); 3362 3363 // Check for namespace access user 3364 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3365 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, user1.getShortName(), 3366 Permission.Action.ADMIN, Permission.Action.CREATE)); 3367 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3368 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, user1.getShortName(), 3369 Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.EXEC)); 3370 3371 // Check for table owner 3372 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3373 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_OWNER.getShortName(), 3374 Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC, 3375 Permission.Action.CREATE, Permission.Action.ADMIN)); 3376 3377 // Check for table user 3378 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3379 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_CREATE.getShortName(), 3380 Permission.Action.READ, Permission.Action.WRITE)); 3381 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3382 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_RO.getShortName(), 3383 Permission.Action.READ, Permission.Action.WRITE)); 3384 3385 // Check for family access user 3386 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY, 3387 HConstants.EMPTY_BYTE_ARRAY, USER_RO.getShortName(), Permission.Action.READ)); 3388 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY, 3389 HConstants.EMPTY_BYTE_ARRAY, USER_RW.getShortName(), Permission.Action.READ, 3390 Permission.Action.WRITE)); 3391 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3392 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN_CF.getShortName(), 3393 Permission.Action.ADMIN, Permission.Action.CREATE)); 3394 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY, 3395 HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN_CF.getShortName(), Permission.Action.ADMIN, 3396 Permission.Action.CREATE)); 3397 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY, 3398 HConstants.EMPTY_BYTE_ARRAY, USER_ADMIN_CF.getShortName(), Permission.Action.READ)); 3399 3400 // Check for qualifier access user 3401 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY, 3402 TEST_QUALIFIER, user2.getShortName(), Permission.Action.READ, Permission.Action.WRITE)); 3403 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), TEST_FAMILY, 3404 TEST_QUALIFIER, user2.getShortName(), Permission.Action.EXEC, Permission.Action.READ)); 3405 assertFalse(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3406 HConstants.EMPTY_BYTE_ARRAY, TEST_QUALIFIER, USER_RW.getShortName(), 3407 Permission.Action.WRITE, Permission.Action.READ)); 3408 3409 // exception scenarios 3410 try { 3411 // test case with table name as null 3412 assertTrue(AccessControlClient.hasPermission(conn, null, HConstants.EMPTY_BYTE_ARRAY, 3413 HConstants.EMPTY_BYTE_ARRAY, null, Permission.Action.READ)); 3414 fail("this should have thrown IllegalArgumentException"); 3415 } catch (IllegalArgumentException ex) { 3416 // expected 3417 } 3418 try { 3419 // test case with username as null 3420 assertTrue(AccessControlClient.hasPermission(conn, TEST_TABLE.getNameAsString(), 3421 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, null, Permission.Action.READ)); 3422 fail("this should have thrown IllegalArgumentException"); 3423 } catch (IllegalArgumentException ex) { 3424 // expected 3425 } 3426 3427 revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, conn, user1.getShortName(), 3428 NamespaceDescriptor.DEFAULT_NAMESPACE.getName(), Permission.Action.ADMIN, 3429 Permission.Action.CREATE, Permission.Action.READ); 3430 revokeFromTableUsingAccessControlClient(TEST_UTIL, conn, user2.getShortName(), TEST_TABLE, 3431 TEST_FAMILY, TEST_QUALIFIER, Permission.Action.READ, Permission.Action.WRITE); 3432 } finally { 3433 if (conn != null) { 3434 conn.close(); 3435 } 3436 } 3437 } 3438 3439 @Test 3440 public void testSwitchRpcThrottle() throws Exception { 3441 AccessTestAction action = new AccessTestAction() { 3442 @Override 3443 public Object run() throws Exception { 3444 ACCESS_CONTROLLER.preSwitchRpcThrottle(ObserverContextImpl.createAndPrepare(CP_ENV), true); 3445 return null; 3446 } 3447 }; 3448 verifyAllowed(action, SUPERUSER, USER_ADMIN); 3449 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 3450 } 3451 3452 @Test 3453 public void testIsRpcThrottleEnabled() throws Exception { 3454 AccessTestAction action = new AccessTestAction() { 3455 @Override 3456 public Object run() throws Exception { 3457 ACCESS_CONTROLLER.preIsRpcThrottleEnabled(ObserverContextImpl.createAndPrepare(CP_ENV)); 3458 return null; 3459 } 3460 }; 3461 verifyAllowed(action, SUPERUSER, USER_ADMIN); 3462 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 3463 } 3464 3465 @Test 3466 public void testSwitchExceedThrottleQuota() throws Exception { 3467 AccessTestAction action = new AccessTestAction() { 3468 @Override 3469 public Object run() throws Exception { 3470 ACCESS_CONTROLLER.preSwitchExceedThrottleQuota(ObserverContextImpl.createAndPrepare(CP_ENV), 3471 true); 3472 return null; 3473 } 3474 }; 3475 verifyAllowed(action, SUPERUSER, USER_ADMIN); 3476 verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); 3477 } 3478 3479 /* 3480 * Validate Global User ACL 3481 */ 3482 private void validateGlobalUserACLForGetUserPermissions(final Connection conn, User nSUser1, 3483 User globalGroupUser1, User globalGroupUser2, Collection<String> superUsers, 3484 int superUserCount) throws Throwable { 3485 // Verify action privilege 3486 AccessTestAction globalUserPermissionAction = new AccessTestAction() { 3487 @Override 3488 public Object run() throws Exception { 3489 try (Connection conn = ConnectionFactory.createConnection(conf)) { 3490 conn.getAdmin().getUserPermissions( 3491 GetUserPermissionsRequest.newBuilder().withUserName("dummy").build()); 3492 } 3493 return null; 3494 } 3495 }; 3496 verifyAllowed(globalUserPermissionAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); 3497 verifyDenied(globalUserPermissionAction, USER_GROUP_CREATE, USER_GROUP_READ, USER_GROUP_WRITE); 3498 3499 // Validate global user permission 3500 List<UserPermission> userPermissions; 3501 assertEquals(5 + superUserCount, AccessControlClient.getUserPermissions(conn, null).size()); 3502 assertEquals(5 + superUserCount, 3503 AccessControlClient.getUserPermissions(conn, HConstants.EMPTY_STRING).size()); 3504 assertEquals(5 + superUserCount, 3505 AccessControlClient.getUserPermissions(conn, null, HConstants.EMPTY_STRING).size()); 3506 userPermissions = AccessControlClient.getUserPermissions(conn, null, USER_ADMIN.getName()); 3507 verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN.getName(), superUsers); 3508 assertEquals(0, AccessControlClient.getUserPermissions(conn, null, nSUser1.getName()).size()); 3509 // Global group user ACL 3510 assertEquals(1, 3511 AccessControlClient.getUserPermissions(conn, null, globalGroupUser1.getName()).size()); 3512 assertEquals(2, 3513 AccessControlClient.getUserPermissions(conn, null, globalGroupUser2.getName()).size()); 3514 } 3515 3516 /* 3517 * Validate Namespace User ACL 3518 */ 3519 private void validateNamespaceUserACLForGetUserPermissions(final Connection conn, User nSUser1, 3520 User nSUser3, User nsGroupUser1, User nsGroupUser2, String nsPrefix, final String namespace1, 3521 String namespace2) throws Throwable { 3522 AccessTestAction namespaceUserPermissionAction = new AccessTestAction() { 3523 @Override 3524 public Object run() throws Exception { 3525 try (Connection conn = ConnectionFactory.createConnection(conf)) { 3526 conn.getAdmin().getUserPermissions( 3527 GetUserPermissionsRequest.newBuilder(namespace1).withUserName("dummy").build()); 3528 } 3529 return null; 3530 } 3531 }; 3532 verifyAllowed(namespaceUserPermissionAction, SUPERUSER, USER_GROUP_ADMIN, USER_ADMIN, nSUser1, 3533 nsGroupUser1); 3534 verifyDenied(namespaceUserPermissionAction, USER_GROUP_CREATE, USER_GROUP_READ, 3535 USER_GROUP_WRITE, nSUser3, nsGroupUser2); 3536 3537 List<UserPermission> userPermissions; 3538 assertEquals(6, AccessControlClient.getUserPermissions(conn, "@" + nsPrefix + ".*").size()); 3539 assertEquals(3, AccessControlClient.getUserPermissions(conn, "@" + namespace1).size()); 3540 assertEquals(3, AccessControlClient 3541 .getUserPermissions(conn, "@" + namespace1, HConstants.EMPTY_STRING).size()); 3542 userPermissions = 3543 AccessControlClient.getUserPermissions(conn, "@" + namespace1, nSUser1.getName()); 3544 verifyGetUserPermissionResult(userPermissions, 1, null, null, nSUser1.getName(), null); 3545 userPermissions = 3546 AccessControlClient.getUserPermissions(conn, "@" + namespace1, nSUser3.getName()); 3547 verifyGetUserPermissionResult(userPermissions, 1, null, null, nSUser3.getName(), null); 3548 assertEquals(0, 3549 AccessControlClient.getUserPermissions(conn, "@" + namespace1, USER_ADMIN.getName()).size()); 3550 // Namespace group user ACL 3551 assertEquals(1, AccessControlClient 3552 .getUserPermissions(conn, "@" + namespace1, nsGroupUser1.getName()).size()); 3553 assertEquals(1, AccessControlClient 3554 .getUserPermissions(conn, "@" + namespace2, nsGroupUser2.getName()).size()); 3555 } 3556 3557 /* 3558 * Validate Table User ACL 3559 */ 3560 private void validateTableACLForGetUserPermissions(final Connection conn, User nSUser1, 3561 User tableGroupUser1, User tableGroupUser2, String nsPrefix, TableName table1, 3562 TableName table2, byte[] TEST_QUALIFIER2, Collection<String> superUsers) throws Throwable { 3563 AccessTestAction tableUserPermissionAction = new AccessTestAction() { 3564 @Override 3565 public Object run() throws Exception { 3566 try (Connection conn = ConnectionFactory.createConnection(conf)) { 3567 conn.getAdmin().getUserPermissions(GetUserPermissionsRequest.newBuilder(TEST_TABLE) 3568 .withFamily(TEST_FAMILY).withQualifier(TEST_QUALIFIER).withUserName("dummy").build()); 3569 } 3570 return null; 3571 } 3572 }; 3573 verifyAllowed(tableUserPermissionAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_ADMIN_CF); 3574 verifyDenied(tableUserPermissionAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_CREATE); 3575 3576 List<UserPermission> userPermissions; 3577 assertEquals(12, AccessControlClient.getUserPermissions(conn, nsPrefix + ".*").size()); 3578 assertEquals(6, AccessControlClient.getUserPermissions(conn, table1.getNameAsString()).size()); 3579 assertEquals(6, AccessControlClient 3580 .getUserPermissions(conn, table1.getNameAsString(), HConstants.EMPTY_STRING).size()); 3581 userPermissions = AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3582 USER_ADMIN_CF.getName()); 3583 verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN_CF.getName(), null); 3584 assertEquals(0, AccessControlClient 3585 .getUserPermissions(conn, table1.getNameAsString(), nSUser1.getName()).size()); 3586 // Table group user ACL 3587 assertEquals(1, AccessControlClient 3588 .getUserPermissions(conn, table1.getNameAsString(), tableGroupUser1.getName()).size()); 3589 assertEquals(1, AccessControlClient 3590 .getUserPermissions(conn, table2.getNameAsString(), tableGroupUser2.getName()).size()); 3591 3592 // Table Users + CF 3593 assertEquals(12, AccessControlClient 3594 .getUserPermissions(conn, nsPrefix + ".*", HConstants.EMPTY_BYTE_ARRAY).size()); 3595 userPermissions = AccessControlClient.getUserPermissions(conn, nsPrefix + ".*", TEST_FAMILY); 3596 verifyGetUserPermissionResult(userPermissions, 3, TEST_FAMILY, null, null, null); 3597 assertEquals(0, AccessControlClient 3598 .getUserPermissions(conn, table1.getNameAsString(), Bytes.toBytes("dummmyCF")).size()); 3599 3600 // Table Users + CF + User 3601 assertEquals(3, 3602 AccessControlClient 3603 .getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, HConstants.EMPTY_STRING) 3604 .size()); 3605 userPermissions = AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3606 TEST_FAMILY, USER_ADMIN_CF.getName()); 3607 verifyGetUserPermissionResult(userPermissions, 1, null, null, USER_ADMIN_CF.getName(), 3608 superUsers); 3609 assertEquals(0, AccessControlClient 3610 .getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, nSUser1.getName()).size()); 3611 3612 // Table Users + CF + CQ 3613 assertEquals(3, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3614 TEST_FAMILY, HConstants.EMPTY_BYTE_ARRAY).size()); 3615 assertEquals(1, AccessControlClient 3616 .getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, TEST_QUALIFIER).size()); 3617 assertEquals(1, AccessControlClient 3618 .getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, TEST_QUALIFIER2).size()); 3619 assertEquals(2, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3620 HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_BYTE_ARRAY, USER_RW.getName()).size()); 3621 assertEquals(0, AccessControlClient 3622 .getUserPermissions(conn, table1.getNameAsString(), TEST_FAMILY, Bytes.toBytes("dummmyCQ")) 3623 .size()); 3624 3625 // Table Users + CF + CQ + User 3626 assertEquals(3, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3627 TEST_FAMILY, HConstants.EMPTY_BYTE_ARRAY, HConstants.EMPTY_STRING).size()); 3628 assertEquals(1, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3629 TEST_FAMILY, TEST_QUALIFIER, USER_RW.getName()).size()); 3630 assertEquals(1, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3631 TEST_FAMILY, TEST_QUALIFIER2, USER_RW.getName()).size()); 3632 assertEquals(0, AccessControlClient.getUserPermissions(conn, table1.getNameAsString(), 3633 TEST_FAMILY, TEST_QUALIFIER2, nSUser1.getName()).size()); 3634 } 3635 3636 /* 3637 * Validate the user permission against the specified column family, column qualifier and user 3638 * name. 3639 */ 3640 private void verifyGetUserPermissionResult(List<UserPermission> userPermissions, int resultCount, 3641 byte[] cf, byte[] cq, String userName, Collection<String> superUsers) { 3642 assertEquals(resultCount, userPermissions.size()); 3643 3644 for (UserPermission perm : userPermissions) { 3645 if (perm.getPermission() instanceof TablePermission) { 3646 TablePermission tablePerm = (TablePermission) perm.getPermission(); 3647 if (cf != null) { 3648 assertTrue(Bytes.equals(cf, tablePerm.getFamily())); 3649 } 3650 if (cq != null) { 3651 assertTrue(Bytes.equals(cq, tablePerm.getQualifier())); 3652 } 3653 if (userName != null 3654 && (superUsers == null || !superUsers.contains(perm.getUser()))) { 3655 assertTrue(userName.equals(perm.getUser())); 3656 } 3657 } else if (perm.getPermission() instanceof NamespacePermission || 3658 perm.getPermission() instanceof GlobalPermission) { 3659 if (userName != null && 3660 (superUsers == null || !superUsers.contains(perm.getUser()))) { 3661 assertTrue(userName.equals(perm.getUser())); 3662 } 3663 } 3664 } 3665 } 3666 3667 /* 3668 * Dummy ShellBasedUnixGroupsMapping class to retrieve the groups for the test users. 3669 */ 3670 public static class MyShellBasedUnixGroupsMapping extends ShellBasedUnixGroupsMapping 3671 implements GroupMappingServiceProvider { 3672 @Override 3673 public List<String> getGroups(String user) throws IOException { 3674 if (user.equals("globalGroupUser1")) { 3675 return Arrays.asList(new String[] { "group_admin" }); 3676 } else if (user.equals("globalGroupUser2")) { 3677 return Arrays.asList(new String[] { "group_admin", "group_create" }); 3678 } else if (user.equals("nsGroupUser1")) { 3679 return Arrays.asList(new String[] { "ns_group1" }); 3680 } else if (user.equals("nsGroupUser2")) { 3681 return Arrays.asList(new String[] { "ns_group2" }); 3682 } else if (user.equals("tableGroupUser1")) { 3683 return Arrays.asList(new String[] { "table_group1" }); 3684 } else if (user.equals("tableGroupUser2")) { 3685 return Arrays.asList(new String[] { "table_group2" }); 3686 } else { 3687 return super.getGroups(user); 3688 } 3689 } 3690 } 3691}