001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security.access; 019 020import static org.junit.Assert.assertFalse; 021import static org.junit.Assert.assertTrue; 022 023import java.util.ArrayList; 024import java.util.List; 025import java.util.concurrent.atomic.AtomicBoolean; 026import org.apache.hadoop.conf.Configuration; 027import org.apache.hadoop.hbase.Abortable; 028import org.apache.hadoop.hbase.HBaseClassTestRule; 029import org.apache.hadoop.hbase.HBaseTestingUtility; 030import org.apache.hadoop.hbase.TableName; 031import org.apache.hadoop.hbase.Waiter.Predicate; 032import org.apache.hadoop.hbase.security.User; 033import org.apache.hadoop.hbase.testclassification.MediumTests; 034import org.apache.hadoop.hbase.testclassification.SecurityTests; 035import org.apache.hadoop.hbase.zookeeper.ZKWatcher; 036import org.junit.AfterClass; 037import org.junit.BeforeClass; 038import org.junit.ClassRule; 039import org.junit.Test; 040import org.junit.experimental.categories.Category; 041import org.slf4j.Logger; 042import org.slf4j.LoggerFactory; 043 044import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap; 045import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap; 046 047/** 048 * Test the reading and writing of access permissions to and from zookeeper. 049 */ 050@Category({ SecurityTests.class, MediumTests.class }) 051public class TestZKPermissionWatcher { 052 053 @ClassRule 054 public static final HBaseClassTestRule CLASS_RULE = 055 HBaseClassTestRule.forClass(TestZKPermissionWatcher.class); 056 057 private static final Logger LOG = LoggerFactory.getLogger(TestZKPermissionWatcher.class); 058 private static final HBaseTestingUtility UTIL = new HBaseTestingUtility(); 059 private static AuthManager AUTH_A; 060 private static AuthManager AUTH_B; 061 private static ZKPermissionWatcher WATCHER_A; 062 private static ZKPermissionWatcher WATCHER_B; 063 private final static Abortable ABORTABLE = new Abortable() { 064 private final AtomicBoolean abort = new AtomicBoolean(false); 065 066 @Override 067 public void abort(String why, Throwable e) { 068 LOG.info(why, e); 069 abort.set(true); 070 } 071 072 @Override 073 public boolean isAborted() { 074 return abort.get(); 075 } 076 }; 077 078 private static TableName TEST_TABLE = TableName.valueOf("perms_test"); 079 080 @BeforeClass 081 public static void beforeClass() throws Exception { 082 // setup configuration 083 Configuration conf = UTIL.getConfiguration(); 084 SecureTestUtil.enableSecurity(conf); 085 086 // start minicluster 087 UTIL.startMiniCluster(); 088 AUTH_A = new AuthManager(conf); 089 AUTH_B = new AuthManager(conf); 090 WATCHER_A = new ZKPermissionWatcher( 091 new ZKWatcher(conf, "TestZKPermissionsWatcher_1", ABORTABLE), AUTH_A, conf); 092 WATCHER_B = new ZKPermissionWatcher( 093 new ZKWatcher(conf, "TestZKPermissionsWatcher_2", ABORTABLE), AUTH_B, conf); 094 WATCHER_A.start(); 095 WATCHER_B.start(); 096 } 097 098 @AfterClass 099 public static void afterClass() throws Exception { 100 WATCHER_A.close(); 101 WATCHER_B.close(); 102 UTIL.shutdownMiniCluster(); 103 } 104 105 @Test 106 public void testPermissionsWatcher() throws Exception { 107 Configuration conf = UTIL.getConfiguration(); 108 User george = User.createUserForTesting(conf, "george", new String[] {}); 109 User hubert = User.createUserForTesting(conf, "hubert", new String[] {}); 110 111 assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); 112 assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); 113 assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); 114 assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); 115 116 assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); 117 assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); 118 assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); 119 assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); 120 121 // update ACL: george RW 122 List<UserPermission> acl = new ArrayList<>(1); 123 acl.add(new UserPermission(george.getShortName(), Permission.newBuilder(TEST_TABLE) 124 .withActions(Permission.Action.READ, Permission.Action.WRITE).build())); 125 ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create(); 126 multimap.putAll(george.getShortName(), acl); 127 byte[] serialized = PermissionStorage.writePermissionsAsBytes(multimap, conf); 128 WATCHER_A.writeToZookeeper(TEST_TABLE.getName(), serialized); 129 final long mtimeB = AUTH_B.getMTime(); 130 // Wait for the update to propagate 131 UTIL.waitFor(10000, 100, new Predicate<Exception>() { 132 @Override 133 public boolean evaluate() throws Exception { 134 return AUTH_B.getMTime() > mtimeB; 135 } 136 }); 137 Thread.sleep(1000); 138 139 // check it 140 assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); 141 assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); 142 assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); 143 assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); 144 assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); 145 assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); 146 assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); 147 assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); 148 149 // update ACL: hubert R 150 List<UserPermission> acl2 = new ArrayList<>(1); 151 acl2.add(new UserPermission(hubert.getShortName(), 152 Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build())); 153 final long mtimeA = AUTH_A.getMTime(); 154 multimap.putAll(hubert.getShortName(), acl2); 155 byte[] serialized2 = PermissionStorage.writePermissionsAsBytes(multimap, conf); 156 WATCHER_B.writeToZookeeper(TEST_TABLE.getName(), serialized2); 157 // Wait for the update to propagate 158 UTIL.waitFor(10000, 100, new Predicate<Exception>() { 159 @Override 160 public boolean evaluate() throws Exception { 161 return AUTH_A.getMTime() > mtimeA; 162 } 163 }); 164 Thread.sleep(1000); 165 166 // check it 167 assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); 168 assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); 169 assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); 170 assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); 171 assertTrue(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); 172 assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); 173 assertTrue(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); 174 assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); 175 } 176}