001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.client;
019
020import java.io.IOException;
021import java.util.List;
022import java.util.regex.Pattern;
023import org.apache.hadoop.conf.Configuration;
024import org.apache.hadoop.hbase.Coprocessor;
025import org.apache.hadoop.hbase.HBaseCommonTestingUtility;
026import org.apache.hadoop.hbase.HBaseTestingUtility;
027import org.apache.hadoop.hbase.TableName;
028import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
029import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
030import org.apache.hadoop.hbase.security.User;
031import org.apache.hadoop.hbase.security.access.AccessControlConstants;
032import org.apache.hadoop.hbase.security.access.AccessController;
033import org.apache.hadoop.hbase.security.access.Permission;
034import org.apache.hadoop.hbase.security.access.PermissionStorage;
035import org.apache.hadoop.hbase.security.access.SecureTestUtil;
036import org.apache.hadoop.hbase.util.Bytes;
037import org.junit.AfterClass;
038import org.junit.Assert;
039import org.junit.Before;
040import org.junit.BeforeClass;
041import org.junit.Test;
042
043public abstract class SnapshotWithAclTestBase extends SecureTestUtil {
044
045  private TableName TEST_TABLE = TableName.valueOf(TEST_UTIL.getRandomUUID().toString());
046
047  private static final int ROW_COUNT = 30000;
048
049  private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
050  private static byte[] TEST_QUALIFIER = Bytes.toBytes("cq");
051  private static byte[] TEST_ROW = Bytes.toBytes(0);
052
053  protected static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
054
055  // user is table owner. will have all permissions on table
056  private static User USER_OWNER;
057  // user with rw permissions on column family.
058  private static User USER_RW;
059  // user with read-only permissions
060  private static User USER_RO;
061  // user with none permissions
062  private static User USER_NONE;
063
064  static class AccessReadAction implements AccessTestAction {
065
066    private TableName tableName;
067
068    public AccessReadAction(TableName tableName) {
069      this.tableName = tableName;
070    }
071
072    @Override
073    public Object run() throws Exception {
074      Get g = new Get(TEST_ROW);
075      g.addFamily(TEST_FAMILY);
076      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
077        Table t = conn.getTable(tableName)) {
078        t.get(g);
079      }
080      return null;
081    }
082  }
083
084  static class AccessWriteAction implements AccessTestAction {
085    private TableName tableName;
086
087    public AccessWriteAction(TableName tableName) {
088      this.tableName = tableName;
089    }
090
091    @Override
092    public Object run() throws Exception {
093      Put p = new Put(TEST_ROW);
094      p.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(0));
095      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
096        Table t = conn.getTable(tableName)) {
097        t.put(p);
098      }
099      return null;
100    }
101  }
102
103  @BeforeClass
104  public static void setupBeforeClass() throws Exception {
105    Configuration conf = TEST_UTIL.getConfiguration();
106    // Enable security
107    enableSecurity(conf);
108    conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName());
109    // Verify enableSecurity sets up what we require
110    verifyConfiguration(conf);
111    // Enable EXEC permission checking
112    conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true);
113    TEST_UTIL.startMiniCluster();
114    TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
115    MasterCoprocessorHost cpHost =
116      TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost();
117    cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
118
119    USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
120    USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
121    USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
122    USER_NONE = User.createUserForTesting(conf, "usernone", new String[0]);
123  }
124
125  @Before
126  public void setUp() throws Exception {
127    TEST_UTIL.createTable(TableDescriptorBuilder.newBuilder(TEST_TABLE)
128      .setColumnFamily(
129        ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY).setMaxVersions(100).build())
130      .setOwner(USER_OWNER).build(), new byte[][] { Bytes.toBytes("s") });
131    TEST_UTIL.waitTableEnabled(TEST_TABLE);
132
133    grantOnTable(TEST_UTIL, USER_RW.getShortName(), TEST_TABLE, TEST_FAMILY, null,
134      Permission.Action.READ, Permission.Action.WRITE);
135
136    grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
137      Permission.Action.READ);
138  }
139
140  private void loadData() throws IOException {
141    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
142      try (Table t = conn.getTable(TEST_TABLE)) {
143        for (int i = 0; i < ROW_COUNT; i++) {
144          Put put = new Put(Bytes.toBytes(i));
145          put.addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(i));
146          t.put(put);
147        }
148      }
149    }
150  }
151
152  @AfterClass
153  public static void tearDownAfterClass() throws Exception {
154    TEST_UTIL.shutdownMiniCluster();
155  }
156
157  private void verifyRows(TableName tableName) throws IOException {
158    try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
159      Table t = conn.getTable(tableName); ResultScanner scanner = t.getScanner(new Scan())) {
160      Result result;
161      int rowCount = 0;
162      while ((result = scanner.next()) != null) {
163        byte[] value = result.getValue(TEST_FAMILY, TEST_QUALIFIER);
164        Assert.assertArrayEquals(value, Bytes.toBytes(rowCount++));
165      }
166      Assert.assertEquals(ROW_COUNT, rowCount);
167    }
168  }
169
170  protected abstract void snapshot(String snapshotName, TableName tableName) throws Exception;
171
172  protected abstract void cloneSnapshot(String snapshotName, TableName tableName,
173    boolean restoreAcl) throws Exception;
174
175  protected abstract void restoreSnapshot(String snapshotName, boolean restoreAcl) throws Exception;
176
177  @Test
178  public void testRestoreSnapshot() throws Exception {
179    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RO, USER_RW);
180    verifyDenied(new AccessReadAction(TEST_TABLE), USER_NONE);
181    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
182    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);
183
184    loadData();
185    verifyRows(TEST_TABLE);
186
187    String snapshotName1 = TEST_UTIL.getRandomUUID().toString();
188    snapshot(snapshotName1, TEST_TABLE);
189
190    // clone snapshot with restoreAcl true.
191    TableName tableName1 = TableName.valueOf(TEST_UTIL.getRandomUUID().toString());
192    cloneSnapshot(snapshotName1, tableName1, true);
193    verifyRows(tableName1);
194    verifyAllowed(new AccessReadAction(tableName1), USER_OWNER, USER_RO, USER_RW);
195    verifyDenied(new AccessReadAction(tableName1), USER_NONE);
196    verifyAllowed(new AccessWriteAction(tableName1), USER_OWNER, USER_RW);
197    verifyDenied(new AccessWriteAction(tableName1), USER_RO, USER_NONE);
198
199    // clone snapshot with restoreAcl false.
200    TableName tableName2 = TableName.valueOf(TEST_UTIL.getRandomUUID().toString());
201    cloneSnapshot(snapshotName1, tableName2, false);
202    verifyRows(tableName2);
203    verifyAllowed(new AccessReadAction(tableName2), USER_OWNER);
204    verifyDenied(new AccessReadAction(tableName2), USER_NONE, USER_RO, USER_RW);
205    verifyAllowed(new AccessWriteAction(tableName2), USER_OWNER);
206    verifyDenied(new AccessWriteAction(tableName2), USER_RO, USER_RW, USER_NONE);
207
208    // remove read permission for USER_RO.
209    revokeFromTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
210      Permission.Action.READ);
211    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RW);
212    verifyDenied(new AccessReadAction(TEST_TABLE), USER_RO, USER_NONE);
213    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
214    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);
215
216    // restore snapshot with restoreAcl false.
217    TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
218    restoreSnapshot(snapshotName1, false);
219    TEST_UTIL.getAdmin().enableTable(TEST_TABLE);
220    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RW);
221    verifyDenied(new AccessReadAction(TEST_TABLE), USER_RO, USER_NONE);
222    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
223    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);
224
225    // restore snapshot with restoreAcl true.
226    TEST_UTIL.getAdmin().disableTable(TEST_TABLE);
227    restoreSnapshot(snapshotName1, true);
228    TEST_UTIL.getAdmin().enableTable(TEST_TABLE);
229    verifyAllowed(new AccessReadAction(TEST_TABLE), USER_OWNER, USER_RO, USER_RW);
230    verifyDenied(new AccessReadAction(TEST_TABLE), USER_NONE);
231    verifyAllowed(new AccessWriteAction(TEST_TABLE), USER_OWNER, USER_RW);
232    verifyDenied(new AccessWriteAction(TEST_TABLE), USER_RO, USER_NONE);
233  }
234
235  final class AccessSnapshotAction implements AccessTestAction {
236    private String snapshotName;
237
238    private AccessSnapshotAction(String snapshotName) {
239      this.snapshotName = snapshotName;
240    }
241
242    @Override
243    public Object run() throws Exception {
244      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
245        Admin admin = conn.getAdmin()) {
246        admin.snapshot(this.snapshotName, TEST_TABLE);
247      }
248      return null;
249    }
250  }
251
252  @Test
253  public void testDeleteSnapshot() throws Exception {
254    String testSnapshotName = HBaseCommonTestingUtility.getRandomUUID().toString();
255    verifyAllowed(new AccessSnapshotAction(testSnapshotName), USER_OWNER);
256    verifyDenied(new AccessSnapshotAction(HBaseCommonTestingUtility.getRandomUUID().toString()),
257      USER_RO, USER_RW, USER_NONE);
258    List<SnapshotDescription> snapshotDescriptions =
259      TEST_UTIL.getAdmin().listSnapshots(Pattern.compile(testSnapshotName));
260    Assert.assertEquals(1, snapshotDescriptions.size());
261    Assert.assertEquals(USER_OWNER.getShortName(), snapshotDescriptions.get(0).getOwner());
262    AccessTestAction deleteSnapshotAction = () -> {
263      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
264        Admin admin = conn.getAdmin()) {
265        admin.deleteSnapshot(testSnapshotName);
266      }
267      return null;
268    };
269    verifyDenied(deleteSnapshotAction, USER_RO, USER_RW, USER_NONE);
270    verifyAllowed(deleteSnapshotAction, USER_OWNER);
271
272    List<SnapshotDescription> snapshotsAfterDelete =
273      TEST_UTIL.getAdmin().listSnapshots(Pattern.compile(testSnapshotName));
274    Assert.assertEquals(0, snapshotsAfterDelete.size());
275  }
276}