001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.access;
019
020import static org.junit.Assert.assertEquals;
021
022import java.util.HashMap;
023import java.util.List;
024import java.util.Map;
025import org.apache.hadoop.conf.Configuration;
026import org.apache.hadoop.hbase.AuthUtil;
027import org.apache.hadoop.hbase.Cell;
028import org.apache.hadoop.hbase.Coprocessor;
029import org.apache.hadoop.hbase.HBaseClassTestRule;
030import org.apache.hadoop.hbase.HBaseTestingUtility;
031import org.apache.hadoop.hbase.HColumnDescriptor;
032import org.apache.hadoop.hbase.HConstants;
033import org.apache.hadoop.hbase.HTableDescriptor;
034import org.apache.hadoop.hbase.TableNameTestRule;
035import org.apache.hadoop.hbase.TableNotFoundException;
036import org.apache.hadoop.hbase.client.Admin;
037import org.apache.hadoop.hbase.client.Connection;
038import org.apache.hadoop.hbase.client.ConnectionFactory;
039import org.apache.hadoop.hbase.client.Delete;
040import org.apache.hadoop.hbase.client.Get;
041import org.apache.hadoop.hbase.client.Increment;
042import org.apache.hadoop.hbase.client.Put;
043import org.apache.hadoop.hbase.client.Result;
044import org.apache.hadoop.hbase.client.ResultScanner;
045import org.apache.hadoop.hbase.client.Scan;
046import org.apache.hadoop.hbase.client.Table;
047import org.apache.hadoop.hbase.master.MasterCoprocessorHost;
048import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
049import org.apache.hadoop.hbase.security.User;
050import org.apache.hadoop.hbase.security.access.Permission.Action;
051import org.apache.hadoop.hbase.testclassification.MediumTests;
052import org.apache.hadoop.hbase.testclassification.SecurityTests;
053import org.apache.hadoop.hbase.util.Bytes;
054import org.apache.hadoop.hbase.util.Threads;
055import org.junit.After;
056import org.junit.AfterClass;
057import org.junit.Before;
058import org.junit.BeforeClass;
059import org.junit.ClassRule;
060import org.junit.Rule;
061import org.junit.Test;
062import org.junit.experimental.categories.Category;
063import org.slf4j.Logger;
064import org.slf4j.LoggerFactory;
065
066import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
067
068@Category({ SecurityTests.class, MediumTests.class })
069public class TestCellACLs extends SecureTestUtil {
070
071  @ClassRule
072  public static final HBaseClassTestRule CLASS_RULE =
073    HBaseClassTestRule.forClass(TestCellACLs.class);
074
075  private static final Logger LOG = LoggerFactory.getLogger(TestCellACLs.class);
076
077  @Rule
078  public TableNameTestRule testTable = new TableNameTestRule();
079  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
080  private static final byte[] TEST_FAMILY = Bytes.toBytes("f1");
081  private static final byte[] TEST_ROW = Bytes.toBytes("cellpermtest");
082  private static final byte[] TEST_Q1 = Bytes.toBytes("q1");
083  private static final byte[] TEST_Q2 = Bytes.toBytes("q2");
084  private static final byte[] TEST_Q3 = Bytes.toBytes("q3");
085  private static final byte[] TEST_Q4 = Bytes.toBytes("q4");
086  private static final byte[] ZERO = Bytes.toBytes(0L);
087  private static final byte[] ONE = Bytes.toBytes(1L);
088
089  private static Configuration conf;
090
091  private static final String GROUP = "group";
092  private static User GROUP_USER;
093  private static User USER_OWNER;
094  private static User USER_OTHER;
095  private static String[] usersAndGroups;
096
097  @BeforeClass
098  public static void setupBeforeClass() throws Exception {
099    // setup configuration
100    conf = TEST_UTIL.getConfiguration();
101    conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
102    // Enable security
103    enableSecurity(conf);
104    // Verify enableSecurity sets up what we require
105    verifyConfiguration(conf);
106
107    // We expect 0.98 cell ACL semantics
108    conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);
109
110    TEST_UTIL.startMiniCluster();
111    MasterCoprocessorHost cpHost =
112      TEST_UTIL.getMiniHBaseCluster().getMaster().getMasterCoprocessorHost();
113    cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
114    AccessController ac = cpHost.findCoprocessor(AccessController.class);
115    cpHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
116    RegionServerCoprocessorHost rsHost =
117      TEST_UTIL.getMiniHBaseCluster().getRegionServer(0).getRegionServerCoprocessorHost();
118    rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
119
120    // Wait for the ACL table to become available
121    TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);
122
123    // create a set of test users
124    USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
125    USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
126    GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP });
127
128    usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) };
129  }
130
131  @AfterClass
132  public static void tearDownAfterClass() throws Exception {
133    TEST_UTIL.shutdownMiniCluster();
134  }
135
136  @Before
137  public void setUp() throws Exception {
138    // Create the test table (owner added to the _acl_ table)
139    Admin admin = TEST_UTIL.getAdmin();
140    HTableDescriptor htd = new HTableDescriptor(testTable.getTableName());
141    HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY);
142    hcd.setMaxVersions(4);
143    htd.setOwner(USER_OWNER);
144    htd.addFamily(hcd);
145    admin.createTable(htd, new byte[][] { Bytes.toBytes("s") });
146    TEST_UTIL.waitTableEnabled(testTable.getTableName());
147    LOG.info("Sleeping a second because of HBASE-12581");
148    Threads.sleep(1000);
149  }
150
151  @Test
152  public void testCellPermissions() throws Exception {
153    // store two sets of values, one store with a cell level ACL, and one without
154    verifyAllowed(new AccessTestAction() {
155      @Override
156      public Object run() throws Exception {
157        try (Connection connection = ConnectionFactory.createConnection(conf);
158          Table t = connection.getTable(testTable.getTableName())) {
159          Put p;
160          // with ro ACL
161          p = new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, ZERO);
162          p.setACL(prepareCellPermissions(usersAndGroups, Action.READ));
163          t.put(p);
164          // with rw ACL
165          p = new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2, ZERO);
166          p.setACL(prepareCellPermissions(usersAndGroups, Action.READ, Action.WRITE));
167          t.put(p);
168          // no ACL
169          p = new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q3, ZERO).addColumn(TEST_FAMILY,
170            TEST_Q4, ZERO);
171          t.put(p);
172        }
173        return null;
174      }
175    }, USER_OWNER);
176
177    /* ---- Gets ---- */
178
179    AccessTestAction getQ1 = new AccessTestAction() {
180      @Override
181      public Object run() throws Exception {
182        Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1);
183        try (Connection connection = ConnectionFactory.createConnection(conf);
184          Table t = connection.getTable(testTable.getTableName())) {
185          return t.get(get).listCells();
186        }
187      }
188    };
189
190    AccessTestAction getQ2 = new AccessTestAction() {
191      @Override
192      public Object run() throws Exception {
193        Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2);
194        try (Connection connection = ConnectionFactory.createConnection(conf);
195          Table t = connection.getTable(testTable.getTableName())) {
196          return t.get(get).listCells();
197        }
198      }
199    };
200
201    AccessTestAction getQ3 = new AccessTestAction() {
202      @Override
203      public Object run() throws Exception {
204        Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q3);
205        try (Connection connection = ConnectionFactory.createConnection(conf);
206          Table t = connection.getTable(testTable.getTableName())) {
207          return t.get(get).listCells();
208        }
209      }
210    };
211
212    AccessTestAction getQ4 = new AccessTestAction() {
213      @Override
214      public Object run() throws Exception {
215        Get get = new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q4);
216        try (Connection connection = ConnectionFactory.createConnection(conf);
217          Table t = connection.getTable(testTable.getTableName())) {
218          return t.get(get).listCells();
219        }
220      }
221    };
222
223    // Confirm special read access set at cell level
224
225    verifyAllowed(getQ1, USER_OTHER, GROUP_USER);
226    verifyAllowed(getQ2, USER_OTHER, GROUP_USER);
227
228    // Confirm this access does not extend to other cells
229
230    verifyIfNull(getQ3, USER_OTHER, GROUP_USER);
231    verifyIfNull(getQ4, USER_OTHER, GROUP_USER);
232
233    /* ---- Scans ---- */
234
235    // check that a scan over the test data returns the expected number of KVs
236
237    final List<Cell> scanResults = Lists.newArrayList();
238
239    AccessTestAction scanAction = new AccessTestAction() {
240      @Override
241      public List<Cell> run() throws Exception {
242        Scan scan = new Scan();
243        scan.setStartRow(TEST_ROW);
244        scan.setStopRow(Bytes.add(TEST_ROW, new byte[] { 0 }));
245        scan.addFamily(TEST_FAMILY);
246        Connection connection = ConnectionFactory.createConnection(conf);
247        Table t = connection.getTable(testTable.getTableName());
248        try {
249          ResultScanner scanner = t.getScanner(scan);
250          Result result = null;
251          do {
252            result = scanner.next();
253            if (result != null) {
254              scanResults.addAll(result.listCells());
255            }
256          } while (result != null);
257        } finally {
258          t.close();
259          connection.close();
260        }
261        return scanResults;
262      }
263    };
264
265    // owner will see all values
266    scanResults.clear();
267    verifyAllowed(scanAction, USER_OWNER);
268    assertEquals(4, scanResults.size());
269
270    // other user will see 2 values
271    scanResults.clear();
272    verifyAllowed(scanAction, USER_OTHER);
273    assertEquals(2, scanResults.size());
274
275    scanResults.clear();
276    verifyAllowed(scanAction, GROUP_USER);
277    assertEquals(2, scanResults.size());
278
279    /* ---- Increments ---- */
280
281    AccessTestAction incrementQ1 = new AccessTestAction() {
282      @Override
283      public Object run() throws Exception {
284        Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, 1L);
285        try (Connection connection = ConnectionFactory.createConnection(conf);
286          Table t = connection.getTable(testTable.getTableName())) {
287          t.increment(i);
288        }
289        return null;
290      }
291    };
292
293    AccessTestAction incrementQ2 = new AccessTestAction() {
294      @Override
295      public Object run() throws Exception {
296        Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2, 1L);
297        try (Connection connection = ConnectionFactory.createConnection(conf);
298          Table t = connection.getTable(testTable.getTableName())) {
299          t.increment(i);
300        }
301        return null;
302      }
303    };
304
305    AccessTestAction incrementQ2newDenyACL = new AccessTestAction() {
306      @Override
307      public Object run() throws Exception {
308        Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q2, 1L);
309        // Tag this increment with an ACL that denies write permissions to USER_OTHER and GROUP
310        i.setACL(prepareCellPermissions(usersAndGroups, Action.READ));
311        try (Connection connection = ConnectionFactory.createConnection(conf);
312          Table t = connection.getTable(testTable.getTableName())) {
313          t.increment(i);
314        }
315        return null;
316      }
317    };
318
319    AccessTestAction incrementQ3 = new AccessTestAction() {
320      @Override
321      public Object run() throws Exception {
322        Increment i = new Increment(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q3, 1L);
323        try (Connection connection = ConnectionFactory.createConnection(conf);
324          Table t = connection.getTable(testTable.getTableName())) {
325          t.increment(i);
326        }
327        return null;
328      }
329    };
330
331    verifyDenied(incrementQ1, USER_OTHER, GROUP_USER);
332    verifyDenied(incrementQ3, USER_OTHER, GROUP_USER);
333
334    // We should be able to increment until the permissions are revoked (including the action in
335    // which permissions are revoked, the previous ACL will be carried forward)
336    verifyAllowed(incrementQ2, USER_OTHER, GROUP_USER);
337    verifyAllowed(incrementQ2newDenyACL, USER_OTHER);
338    // But not again after we denied ourselves write permission with an ACL
339    // update
340    verifyDenied(incrementQ2, USER_OTHER, GROUP_USER);
341
342    /* ---- Deletes ---- */
343
344    AccessTestAction deleteFamily = new AccessTestAction() {
345      @Override
346      public Object run() throws Exception {
347        Delete delete = new Delete(TEST_ROW).addFamily(TEST_FAMILY);
348        try (Connection connection = ConnectionFactory.createConnection(conf);
349          Table t = connection.getTable(testTable.getTableName())) {
350          t.delete(delete);
351        }
352        return null;
353      }
354    };
355
356    AccessTestAction deleteQ1 = new AccessTestAction() {
357      @Override
358      public Object run() throws Exception {
359        Delete delete = new Delete(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1);
360        try (Connection connection = ConnectionFactory.createConnection(conf);
361          Table t = connection.getTable(testTable.getTableName())) {
362          t.delete(delete);
363        }
364        return null;
365      }
366    };
367
368    verifyDenied(deleteFamily, USER_OTHER, GROUP_USER);
369    verifyDenied(deleteQ1, USER_OTHER, GROUP_USER);
370    verifyAllowed(deleteQ1, USER_OWNER);
371  }
372
373  /**
374   * Insure we are not granting access in the absence of any cells found when scanning for covered
375   * cells.
376   */
377  @Test
378  public void testCoveringCheck() throws Exception {
379    // Grant read access to USER_OTHER
380    grantOnTable(TEST_UTIL, USER_OTHER.getShortName(), testTable.getTableName(), TEST_FAMILY, null,
381      Action.READ);
382    // Grant read access to GROUP
383    grantOnTable(TEST_UTIL, AuthUtil.toGroupEntry(GROUP), testTable.getTableName(), TEST_FAMILY,
384      null, Action.READ);
385
386    // A write by USER_OTHER should be denied.
387    // This is where we could have a big problem if there is an error in the
388    // covering check logic.
389    verifyUserDeniedForWrite(USER_OTHER, ZERO);
390    // A write by GROUP_USER from group GROUP should be denied.
391    verifyUserDeniedForWrite(GROUP_USER, ZERO);
392
393    // Add the cell
394    verifyAllowed(new AccessTestAction() {
395      @Override
396      public Object run() throws Exception {
397        try (Connection connection = ConnectionFactory.createConnection(conf);
398          Table t = connection.getTable(testTable.getTableName())) {
399          Put p;
400          p = new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, ZERO);
401          t.put(p);
402        }
403        return null;
404      }
405    }, USER_OWNER);
406
407    // A write by USER_OTHER should still be denied, just to make sure
408    verifyUserDeniedForWrite(USER_OTHER, ONE);
409    // A write by GROUP_USER from group GROUP should still be denied
410    verifyUserDeniedForWrite(GROUP_USER, ONE);
411
412    // A read by USER_OTHER should be allowed, just to make sure
413    verifyUserAllowedForRead(USER_OTHER);
414    // A read by GROUP_USER from group GROUP should be allowed
415    verifyUserAllowedForRead(GROUP_USER);
416  }
417
418  private void verifyUserDeniedForWrite(final User user, final byte[] value) throws Exception {
419    verifyDenied(new AccessTestAction() {
420      @Override
421      public Object run() throws Exception {
422        try (Connection connection = ConnectionFactory.createConnection(conf);
423          Table t = connection.getTable(testTable.getTableName())) {
424          Put p;
425          p = new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, value);
426          t.put(p);
427        }
428        return null;
429      }
430    }, user);
431  }
432
433  private void verifyUserAllowedForRead(final User user) throws Exception {
434    verifyAllowed(new AccessTestAction() {
435      @Override
436      public Object run() throws Exception {
437        try (Connection connection = ConnectionFactory.createConnection(conf);
438          Table t = connection.getTable(testTable.getTableName())) {
439          return t.get(new Get(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1));
440        }
441      }
442    }, user);
443  }
444
445  private Map<String, Permission> prepareCellPermissions(String[] users, Action... action) {
446    Map<String, Permission> perms = new HashMap<>(2);
447    for (String user : users) {
448      perms.put(user, new Permission(action));
449    }
450    return perms;
451  }
452
453  @After
454  public void tearDown() throws Exception {
455    // Clean the _acl_ table
456    try {
457      TEST_UTIL.deleteTable(testTable.getTableName());
458    } catch (TableNotFoundException ex) {
459      // Test deleted the table, no problem
460      LOG.info("Test deleted table " + testTable.getTableName());
461    }
462    assertEquals(0, PermissionStorage.getTablePermissions(conf, testTable.getTableName()).size());
463  }
464}