Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.rsgroup;
019
020import static org.apache.hadoop.hbase.AuthUtil.toGroupEntry;
021import static org.junit.jupiter.api.Assertions.assertEquals;
022import static org.junit.jupiter.api.Assertions.fail;
023
024import java.io.IOException;
025import java.util.Optional;
026import org.apache.hadoop.conf.Configuration;
027import org.apache.hadoop.hbase.HBaseTestingUtil;
028import org.apache.hadoop.hbase.TableName;
029import org.apache.hadoop.hbase.TableNotFoundException;
030import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
031import org.apache.hadoop.hbase.client.Connection;
032import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
033import org.apache.hadoop.hbase.ipc.RpcServer;
034import org.apache.hadoop.hbase.master.HMaster;
035import org.apache.hadoop.hbase.security.User;
036import org.apache.hadoop.hbase.security.UserProvider;
037import org.apache.hadoop.hbase.security.access.AccessChecker;
038import org.apache.hadoop.hbase.security.access.AccessControlClient;
039import org.apache.hadoop.hbase.security.access.Permission;
040import org.apache.hadoop.hbase.security.access.PermissionStorage;
041import org.apache.hadoop.hbase.security.access.SecureTestUtil;
042import org.apache.hadoop.hbase.testclassification.MediumTests;
043import org.apache.hadoop.hbase.testclassification.SecurityTests;
044import org.apache.hadoop.hbase.util.Bytes;
045import org.junit.jupiter.api.AfterAll;
046import org.junit.jupiter.api.BeforeAll;
047import org.junit.jupiter.api.Tag;
048import org.junit.jupiter.api.Test;
049import org.slf4j.Logger;
050import org.slf4j.LoggerFactory;
051
052/**
053 * Performs authorization checks for rsgroup operations, according to different levels of authorized
054 * users.
055 */
056@Tag(SecurityTests.TAG)
057@Tag(MediumTests.TAG)
058public class TestRSGroupsWithACL extends SecureTestUtil {
059
060  private static final Logger LOG = LoggerFactory.getLogger(TestRSGroupsWithACL.class);
061  private static TableName TEST_TABLE = TableName.valueOf("testtable1");
062  private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
063  private static Configuration conf;
064
065  private static Connection systemUserConnection;
066  // user with all permissions
067  private static User SUPERUSER;
068  // user granted with all global permission
069  private static User USER_ADMIN;
070  // user with rw permissions on column family.
071  private static User USER_RW;
072  // user with read-only permissions
073  private static User USER_RO;
074  // user is table owner. will have all permissions on table
075  private static User USER_OWNER;
076  // user with create table permissions alone
077  private static User USER_CREATE;
078  // user with no permissions
079  private static User USER_NONE;
080
081  private static final String GROUP_ADMIN = "group_admin";
082  private static final String GROUP_CREATE = "group_create";
083  private static final String GROUP_READ = "group_read";
084  private static final String GROUP_WRITE = "group_write";
085
086  private static User USER_GROUP_ADMIN;
087  private static User USER_GROUP_CREATE;
088  private static User USER_GROUP_READ;
089  private static User USER_GROUP_WRITE;
090
091  private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
092  private static HMaster master;
093  private static AccessChecker accessChecker;
094  private static UserProvider userProvider;
095
096  @BeforeAll
097  public static void setupBeforeClass() throws Exception {
098    // setup configuration
099    conf = TEST_UTIL.getConfiguration();
100    // Enable security
101    enableSecurity(conf);
102    // Verify enableSecurity sets up what we require
103    verifyConfiguration(conf);
104    // Enable rsgroup
105    RSGroupUtil.enableRSGroup(conf);
106
107    TEST_UTIL.startMiniCluster();
108    // Wait for the ACL table to become available
109    TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
110    TEST_UTIL.waitUntilAllRegionsAssigned(RSGroupInfoManagerImpl.RSGROUP_TABLE_NAME);
111    TEST_UTIL.waitUntilNoRegionsInTransition();
112
113    // create a set of test users
114    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
115    USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]);
116    USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
117    USER_RO = User.createUserForTesting(conf, "rouser", new String[0]);
118    USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
119    USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
120    USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
121
122    USER_GROUP_ADMIN =
123      User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
124    USER_GROUP_CREATE =
125      User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
126    USER_GROUP_READ =
127      User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
128    USER_GROUP_WRITE =
129      User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
130
131    // Grant table creation permission to USER_OWNER
132    grantGlobal(TEST_UTIL, USER_OWNER.getShortName(), Permission.Action.CREATE);
133
134    systemUserConnection = TEST_UTIL.getConnection();
135    setUpTableAndUserPermissions();
136    master = TEST_UTIL.getHBaseCluster().getMaster();
137    accessChecker = master.getAccessChecker();
138    userProvider = UserProvider.instantiate(TEST_UTIL.getConfiguration());
139  }
140
141  private void checkPermission(String request) throws IOException {
142    accessChecker.requirePermission(getActiveUser(), request, null, Permission.Action.ADMIN);
143  }
144
145  private User getActiveUser() throws IOException {
146    // for non-rpc handling, fallback to system user
147    Optional<User> optionalUser = RpcServer.getRequestUser();
148    if (optionalUser.isPresent()) {
149      return optionalUser.get();
150    }
151    return userProvider.getCurrent();
152  }
153
154  private static void setUpTableAndUserPermissions() throws Exception {
155    TableDescriptorBuilder tableBuilder = TableDescriptorBuilder.newBuilder(TEST_TABLE);
156    ColumnFamilyDescriptorBuilder cfd = ColumnFamilyDescriptorBuilder.newBuilder(TEST_FAMILY);
157    cfd.setMaxVersions(100);
158    tableBuilder.setColumnFamily(cfd.build());
159    createTable(TEST_UTIL, USER_OWNER, tableBuilder.build(), new byte[][] { Bytes.toBytes("s") });
160
161    // Set up initial grants
162    grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN,
163      Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE);
164
165    grantOnTable(TEST_UTIL, USER_RW.getShortName(), TEST_TABLE, TEST_FAMILY, null,
166      Permission.Action.READ, Permission.Action.WRITE);
167
168    // USER_CREATE is USER_RW plus CREATE permissions
169    grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), TEST_TABLE, null, null,
170      Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE);
171
172    grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
173      Permission.Action.READ);
174
175    grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN);
176    grantGlobal(TEST_UTIL, toGroupEntry(GROUP_CREATE), Permission.Action.CREATE);
177    grantGlobal(TEST_UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
178    grantGlobal(TEST_UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
179
180    assertEquals(4, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
181    try {
182      assertEquals(4,
183        AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size());
184    } catch (AssertionError e) {
185      fail(e.getMessage());
186    } catch (Throwable e) {
187      LOG.error("error during call of AccessControlClient.getUserPermissions. ", e);
188    }
189  }
190
191  private static void cleanUp() throws Exception {
192    // Clean the _acl_ table
193    try {
194      deleteTable(TEST_UTIL, TEST_TABLE);
195    } catch (TableNotFoundException ex) {
196      // Test deleted the table, no problem
197      LOG.info("Test deleted table " + TEST_TABLE);
198    }
199    // Verify all table/namespace permissions are erased
200    assertEquals(0, PermissionStorage.getTablePermissions(conf, TEST_TABLE).size());
201    assertEquals(0,
202      PermissionStorage.getNamespacePermissions(conf, TEST_TABLE.getNamespaceAsString()).size());
203  }
204
205  @AfterAll
206  public static void tearDownAfterClass() throws Exception {
207    cleanUp();
208    TEST_UTIL.shutdownMiniCluster();
209  }
210
211  @Test
212  public void testGetRSGroupInfo() throws Exception {
213    AccessTestAction action = () -> {
214      checkPermission("getRSGroupInfo");
215      return null;
216    };
217
218    validateAdminPermissions(action);
219  }
220
221  @Test
222  public void testGetRSGroupInfoOfTable() throws Exception {
223    AccessTestAction action = () -> {
224      checkPermission("getRSGroupInfoOfTable");
225      return null;
226    };
227
228    validateAdminPermissions(action);
229  }
230
231  @Test
232  public void testMoveServers() throws Exception {
233    AccessTestAction action = () -> {
234      checkPermission("moveServers");
235      return null;
236    };
237
238    validateAdminPermissions(action);
239  }
240
241  @Test
242  public void testMoveTables() throws Exception {
243    AccessTestAction action = () -> {
244      checkPermission("moveTables");
245      return null;
246    };
247
248    validateAdminPermissions(action);
249  }
250
251  @Test
252  public void testAddRSGroup() throws Exception {
253    AccessTestAction action = () -> {
254      checkPermission("addRSGroup");
255      return null;
256    };
257
258    validateAdminPermissions(action);
259  }
260
261  @Test
262  public void testRemoveRSGroup() throws Exception {
263    AccessTestAction action = () -> {
264      checkPermission("removeRSGroup");
265      return null;
266    };
267
268    validateAdminPermissions(action);
269  }
270
271  @Test
272  public void testBalanceRSGroup() throws Exception {
273    AccessTestAction action = () -> {
274      checkPermission("balanceRSGroup");
275      return null;
276    };
277
278    validateAdminPermissions(action);
279  }
280
281  @Test
282  public void testListRSGroup() throws Exception {
283    AccessTestAction action = () -> {
284      checkPermission("listRSGroup");
285      return null;
286    };
287
288    validateAdminPermissions(action);
289  }
290
291  @Test
292  public void testGetRSGroupInfoOfServer() throws Exception {
293    AccessTestAction action = () -> {
294      checkPermission("getRSGroupInfoOfServer");
295      return null;
296    };
297
298    validateAdminPermissions(action);
299  }
300
301  @Test
302  public void testMoveServersAndTables() throws Exception {
303    AccessTestAction action = () -> {
304      checkPermission("moveServersAndTables");
305      return null;
306    };
307
308    validateAdminPermissions(action);
309  }
310
311  @Test
312  public void testRemoveServers() throws Exception {
313    AccessTestAction action = () -> {
314      checkPermission("removeServers");
315      return null;
316    };
317
318    validateAdminPermissions(action);
319  }
320
321  @Test
322  public void testRenameRSGroup() throws Exception {
323    AccessTestAction action = () -> {
324      checkPermission("renameRSGroup");
325      return null;
326    };
327
328    validateAdminPermissions(action);
329  }
330
331  @Test
332  public void testUpdateRSGroupConfig() throws Exception {
333    AccessTestAction action = () -> {
334      checkPermission("updateRSGroupConfig");
335      return null;
336    };
337
338    validateAdminPermissions(action);
339  }
340
341  private void validateAdminPermissions(AccessTestAction action) throws Exception {
342    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
343    verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
344      USER_GROUP_WRITE, USER_GROUP_CREATE);
345  }
346}