001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security.visibility; 019 020import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME; 021import static org.junit.Assert.assertEquals; 022import static org.junit.Assert.assertTrue; 023 024import com.google.protobuf.ByteString; 025import java.io.IOException; 026import java.security.PrivilegedExceptionAction; 027import java.util.ArrayList; 028import java.util.List; 029import org.apache.hadoop.conf.Configuration; 030import org.apache.hadoop.hbase.HBaseClassTestRule; 031import org.apache.hadoop.hbase.HBaseTestingUtility; 032import org.apache.hadoop.hbase.client.Connection; 033import org.apache.hadoop.hbase.client.ConnectionFactory; 034import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse; 035import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse; 036import org.apache.hadoop.hbase.security.User; 037import org.apache.hadoop.hbase.testclassification.MediumTests; 038import org.apache.hadoop.hbase.testclassification.SecurityTests; 039import org.apache.hadoop.hbase.util.Bytes; 040import org.junit.AfterClass; 041import org.junit.BeforeClass; 042import org.junit.ClassRule; 043import org.junit.Rule; 044import org.junit.Test; 045import org.junit.experimental.categories.Category; 046import org.junit.rules.TestName; 047 048@Category({ SecurityTests.class, MediumTests.class }) 049public class TestVisibilityLabelsOpWithDifferentUsersNoACL { 050 051 @ClassRule 052 public static final HBaseClassTestRule CLASS_RULE = 053 HBaseClassTestRule.forClass(TestVisibilityLabelsOpWithDifferentUsersNoACL.class); 054 055 private static final String PRIVATE = "private"; 056 private static final String CONFIDENTIAL = "confidential"; 057 private static final String SECRET = "secret"; 058 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); 059 private static Configuration conf; 060 061 @Rule 062 public final TestName TEST_NAME = new TestName(); 063 private static User SUPERUSER; 064 private static User NORMAL_USER; 065 private static User NORMAL_USER1; 066 067 @BeforeClass 068 public static void setupBeforeClass() throws Exception { 069 // setup configuration 070 conf = TEST_UTIL.getConfiguration(); 071 VisibilityTestUtil.enableVisiblityLabels(conf); 072 String currentUser = User.getCurrent().getName(); 073 conf.set("hbase.superuser", "admin," + currentUser); 074 TEST_UTIL.startMiniCluster(2); 075 076 // Wait for the labels table to become available 077 TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000); 078 SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); 079 NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {}); 080 NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {}); 081 addLabels(); 082 } 083 084 @AfterClass 085 public static void tearDownAfterClass() throws Exception { 086 TEST_UTIL.shutdownMiniCluster(); 087 } 088 089 @Test 090 public void testLabelsTableOpsWithDifferentUsers() throws Throwable { 091 PrivilegedExceptionAction<VisibilityLabelsResponse> action = 092 new PrivilegedExceptionAction<VisibilityLabelsResponse>() { 093 @Override 094 public VisibilityLabelsResponse run() throws Exception { 095 try (Connection conn = ConnectionFactory.createConnection(conf)) { 096 return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1"); 097 } catch (Throwable e) { 098 } 099 return null; 100 } 101 }; 102 VisibilityLabelsResponse response = SUPERUSER.runAs(action); 103 assertTrue(response.getResult(0).getException().getValue().isEmpty()); 104 assertTrue(response.getResult(1).getException().getValue().isEmpty()); 105 106 // Ideally this should not be allowed. this operation should fail or do nothing. 107 action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() { 108 @Override 109 public VisibilityLabelsResponse run() throws Exception { 110 try (Connection conn = ConnectionFactory.createConnection(conf)) { 111 return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user3"); 112 } catch (Throwable e) { 113 } 114 return null; 115 } 116 }; 117 response = NORMAL_USER1.runAs(action); 118 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", 119 response.getResult(0).getException().getName()); 120 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", 121 response.getResult(1).getException().getName()); 122 123 PrivilegedExceptionAction<GetAuthsResponse> action1 = 124 new PrivilegedExceptionAction<GetAuthsResponse>() { 125 @Override 126 public GetAuthsResponse run() throws Exception { 127 try (Connection conn = ConnectionFactory.createConnection(conf)) { 128 return VisibilityClient.getAuths(conn, "user1"); 129 } catch (Throwable e) { 130 } 131 return null; 132 } 133 }; 134 GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1); 135 assertTrue(authsResponse.getAuthList().isEmpty()); 136 authsResponse = NORMAL_USER1.runAs(action1); 137 assertTrue(authsResponse.getAuthList().isEmpty()); 138 authsResponse = SUPERUSER.runAs(action1); 139 List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size()); 140 for (ByteString authBS : authsResponse.getAuthList()) { 141 authsList.add(Bytes.toString(authBS.toByteArray())); 142 } 143 assertEquals(2, authsList.size()); 144 assertTrue(authsList.contains(CONFIDENTIAL)); 145 assertTrue(authsList.contains(PRIVATE)); 146 147 PrivilegedExceptionAction<VisibilityLabelsResponse> action2 = 148 new PrivilegedExceptionAction<VisibilityLabelsResponse>() { 149 @Override 150 public VisibilityLabelsResponse run() throws Exception { 151 try (Connection conn = ConnectionFactory.createConnection(conf)) { 152 return VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, 153 "user1"); 154 } catch (Throwable e) { 155 } 156 return null; 157 } 158 }; 159 response = NORMAL_USER1.runAs(action2); 160 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", 161 response.getResult(0).getException().getName()); 162 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", 163 response.getResult(1).getException().getName()); 164 response = SUPERUSER.runAs(action2); 165 assertTrue(response.getResult(0).getException().getValue().isEmpty()); 166 assertTrue(response.getResult(1).getException().getValue().isEmpty()); 167 authsResponse = SUPERUSER.runAs(action1); 168 assertTrue(authsResponse.getAuthList().isEmpty()); 169 } 170 171 private static void addLabels() throws Exception { 172 PrivilegedExceptionAction<VisibilityLabelsResponse> action = 173 new PrivilegedExceptionAction<VisibilityLabelsResponse>() { 174 @Override 175 public VisibilityLabelsResponse run() throws Exception { 176 String[] labels = { SECRET, CONFIDENTIAL, PRIVATE }; 177 try (Connection conn = ConnectionFactory.createConnection(conf)) { 178 VisibilityClient.addLabels(conn, labels); 179 } catch (Throwable t) { 180 throw new IOException(t); 181 } 182 return null; 183 } 184 }; 185 SUPERUSER.runAs(action); 186 } 187}