diff --git hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java index c1add47..c0f3ef9 100644 --- hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java +++ hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java @@ -49,6 +49,7 @@ import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.NameStringPair; import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.TableSchema; import org.apache.hadoop.hbase.regionserver.BloomType; import org.apache.hadoop.hbase.security.User; +import org.apache.hadoop.hbase.security.visibility.VisibilityConstants; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.Writables; import org.apache.hadoop.io.WritableComparable; @@ -1491,4 +1492,25 @@ public class HTableDescriptor implements WritableComparable { public void removeConfiguration(final String key) { configuration.remove(key); } + + /** + * Used with visibility expression. Setting this would mean that for every + * mutation the labels in the visibility expressions are validated against the + * labels associated with the user issuing the mutation. If not found then the + * mutation would be failed. + * + * @param setCheckAuths + */ + public void setCheckAuthsForMutation(boolean setCheckAuths) { + setValue(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION_KEY, Boolean.toString(setCheckAuths)); + } + + public boolean getCheckAuthsForMutation() { + byte[] value = getValue(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION_KEY); + if (value != null) { + return Boolean.parseBoolean(Bytes.toString(value)); + } + return true; + } + } diff --git hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java index bc84207..060c2ee 100644 --- hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java +++ hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java @@ -20,6 +20,7 @@ package org.apache.hadoop.hbase.security.visibility; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.io.ImmutableBytesWritable; import org.apache.hadoop.hbase.util.Bytes; @InterfaceAudience.Private @@ -49,4 +50,11 @@ public final class VisibilityConstants { public static final byte[] SORTED_ORDINAL_SERIALIZATION_FORMAT = Bytes .toBytes(VISIBILITY_SERIALIZATION_VERSION); + /** + * Checks if the mutation has to be checked with the auths associated with the user + */ + public static final String CHECK_AUTHS_FOR_MUTATION = "CHECK_AUTHS_FOR_MUTATION"; + public static final ImmutableBytesWritable CHECK_AUTHS_FOR_MUTATION_KEY = new ImmutableBytesWritable( + Bytes.toBytes(CHECK_AUTHS_FOR_MUTATION)); + } diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index 6f7b118..71b6045 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java @@ -678,8 +678,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb if (c.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) { return; } + boolean checkAuths = c.getEnvironment().getRegion().getTableDesc().getCheckAuthsForMutation(); // TODO this can be made as a global LRU cache at HRS level? Map> labelCache = new HashMap>(); + List auths = null; + User user = getActiveUser(); + if (checkAuths && user != null && user.getShortName() != null) { + auths = this.visibilityManager.getAuthsAsOrdinals(user.getShortName()); + } for (int i = 0; i < miniBatchOp.size(); i++) { Mutation m = miniBatchOp.getOperation(i); CellVisibility cellVisibility = null; @@ -705,7 +711,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb List visibilityTags = labelCache.get(labelsExp); if (visibilityTags == null) { try { - visibilityTags = createVisibilityTags(labelsExp); + visibilityTags = createVisibilityTags(labelsExp, auths, user.getShortName()); } catch (ParseException e) { miniBatchOp.setOperationStatus(i, new OperationStatus(SANITY_CHECK_FAILURE, e.getMessage())); @@ -765,7 +771,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb if (cellVisibility != null) { String labelsExp = cellVisibility.getExpression(); try { - visibilityTags = createVisibilityTags(labelsExp); + visibilityTags = createVisibilityTags(labelsExp, null, null); } catch (ParseException e) { throw new IOException("Invalid cell visibility expression " + labelsExp, e); } catch (InvalidLabelException e) { @@ -893,8 +899,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb return true; } - private List createVisibilityTags(String visibilityLabelsExp) throws IOException, - ParseException, InvalidLabelException { + private List createVisibilityTags(String visibilityLabelsExp, List auths, String userName) + throws IOException, ParseException, InvalidLabelException { ExpressionNode node = null; node = this.expressionParser.parse(visibilityLabelsExp); node = this.expressionExpander.expand(node); @@ -906,7 +912,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb // tag indicates we are supporting deletes with cell visibility tags.add(VisibilityUtils.VIS_SERIALIZATION_TAG); if (node.isSingleNode()) { - getLabelOrdinals(node, labelOrdinals); + getLabelOrdinals(node, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); @@ -914,14 +920,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb NonLeafExpressionNode nlNode = (NonLeafExpressionNode) node; if (nlNode.getOperator() == Operator.OR) { for (ExpressionNode child : nlNode.getChildExps()) { - getLabelOrdinals(child, labelOrdinals); + getLabelOrdinals(child, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); labelOrdinals.clear(); } } else { - getLabelOrdinals(nlNode, labelOrdinals); + getLabelOrdinals(nlNode, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); @@ -938,7 +944,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } } - private void getLabelOrdinals(ExpressionNode node, List labelOrdinals) + private void getLabelOrdinals(ExpressionNode node, List labelOrdinals, + List auths, String userName) throws IOException, InvalidLabelException { if (node.isSingleNode()) { String identifier = null; @@ -950,12 +957,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb LOG.trace("The identifier is "+identifier); } labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier); + checkAuths(auths, userName, labelOrdinal, identifier); } else { // This is a NOT node. LeafExpressionNode lNode = (LeafExpressionNode) ((NonLeafExpressionNode) node) .getChildExps().get(0); identifier = lNode.getIdentifier(); labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier); + checkAuths(auths, userName, labelOrdinal, identifier); labelOrdinal = -1 * labelOrdinal; // Store NOT node as -ve ordinal. } if (labelOrdinal == 0) { @@ -965,7 +974,18 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } else { List childExps = ((NonLeafExpressionNode) node).getChildExps(); for (ExpressionNode child : childExps) { - getLabelOrdinals(child, labelOrdinals); + getLabelOrdinals(child, labelOrdinals, auths, userName); + } + } + } + + private void checkAuths(List auths, String userName, int labelOrdinal, + String identifier) throws InvalidLabelException { + if (auths != null) { + if (!auths.contains(labelOrdinal)) { + throw new InvalidLabelException("Visibility label " + + identifier + " not associated with user " + + userName); } } } @@ -1198,7 +1218,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } } try { - tags.addAll(createVisibilityTags(cellVisibility.getExpression())); + tags.addAll(createVisibilityTags(cellVisibility.getExpression(), null, null)); } catch (ParseException e) { throw new IOException(e); } diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java index 7f1f278..773a9dd 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java @@ -48,6 +48,7 @@ public class VisibilityLabelsManager { private static final Log LOG = LogFactory.getLog(VisibilityLabelsManager.class); private static final List EMPTY_LIST = new ArrayList(0); + private static final List EMPTY_INT_LIST = new ArrayList(0); private static VisibilityLabelsManager instance; private ZKVisibilityLabelWatcher zkVisibilityWatcher; @@ -173,6 +174,29 @@ public class VisibilityLabelsManager { } /** + * Returns the list of ordinals of authentications associated with the user + * + * @param user + * @return the list of ordinals + */ + public List getAuthsAsOrdinals(String user) { + List auths = EMPTY_INT_LIST; + this.lock.readLock().lock(); + try { + Set authOrdinals = userAuths.get(user); + if (authOrdinals != null) { + auths = new ArrayList(authOrdinals.size()); + for (Integer authOrdinal : authOrdinals) { + auths.add(authOrdinal); + } + } + } finally { + this.lock.readLock().unlock(); + } + return auths; + } + + /** * Writes the labels data to zookeeper node. * @param data * @param labelsOrUserAuths true for writing labels and false for user auths. diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java index 9b25344..45937a8 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java @@ -284,8 +284,9 @@ public class TestVisibilityLabelsWithDeletes { TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility("(" + PRIVATE + "&" + CONFIDENTIAL + ")|(" + SECRET + "&" + TOPSECRET+")")); @@ -293,6 +294,8 @@ public class TestVisibilityLabelsWithDeletes { table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } @@ -334,116 +337,159 @@ public class TestVisibilityLabelsWithDeletes { } } - private HTable doPuts(TableName tableName) throws IOException, InterruptedIOException, + private HTable doPuts(final TableName tableName) throws IOException, InterruptedIOException, RetriesExhaustedWithDetailsException, InterruptedException { - HTable table; - HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); - HColumnDescriptor colDesc = new HColumnDescriptor(fam); - colDesc.setMaxVersions(5); - HTableDescriptor desc = new HTableDescriptor(tableName); - desc.addFamily(colDesc); - hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 125l, value); - put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 126l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - put = new Put(Bytes.toBytes("row2")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + TOPSECRET - + "&" + SECRET + ")")); - table.put(put); - return table; + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET+")")); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 125l, value); + put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 126l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET+")")); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET+")")); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + put = new Put(Bytes.toBytes("row2")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + TOPSECRET + + "&" + SECRET + ")")); + table.put(put); + } catch (Throwable e) { + throw new IOException(e); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + + return new HTable(conf, tableName); } - private HTable doPutsWithDiffCols(TableName tableName) throws IOException, + private HTable doPutsWithDiffCols(final TableName tableName) throws IOException, InterruptedIOException, RetriesExhaustedWithDetailsException, InterruptedException { - HTable table; - HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); - HColumnDescriptor colDesc = new HColumnDescriptor(fam); - colDesc.setMaxVersions(5); - HTableDescriptor desc = new HTableDescriptor(tableName); - desc.addFamily(colDesc); - hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 125l, value); - put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual1, 126l, value); - put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual2, 127l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - return table; + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET + ")")); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 125l, value); + put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual1, 126l, value); + put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual2, 127l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET + ")")); + table.put(put); + } catch (Throwable e) { + throw new IOException(e); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + + return new HTable(conf, tableName); } - private HTable doPutsWithoutVisibility(TableName tableName) throws IOException, + private HTable doPutsWithoutVisibility(final TableName tableName) throws IOException, InterruptedIOException, RetriesExhaustedWithDetailsException, InterruptedException { - HTable table; - HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); - HColumnDescriptor colDesc = new HColumnDescriptor(fam); - colDesc.setMaxVersions(5); - HTableDescriptor desc = new HTableDescriptor(tableName); - desc.addFamily(colDesc); - hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 125l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 126l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 127l, value); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - put = new Put(Bytes.toBytes("row2")); - put.add(fam, qual, 127l, value); - table.put(put); - return table; + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 125l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 126l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 127l, value); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + put = new Put(Bytes.toBytes("row2")); + put.add(fam, qual, 127l, value); + table.put(put); + } catch (Throwable e) { + throw new IOException(e); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + return new HTable(conf, tableName); } - @Test public void testDeleteColumnWithSpecificTimeStampUsingMultipleVersionsUnMatchingVisExpression() throws Exception { @@ -587,20 +633,37 @@ public class TestVisibilityLabelsWithDeletes { try { table = doPuts(tableName); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 128l, value); - put.setCellVisibility(new CellVisibility(TOPSECRET)); - table.put(put); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 128l, value); + put.setCellVisibility(new CellVisibility(TOPSECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); - d.setCellVisibility(new CellVisibility(SECRET )); + d.setCellVisibility(new CellVisibility(SECRET)); d.deleteColumn(fam, qual); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } @@ -645,11 +708,24 @@ public class TestVisibilityLabelsWithDeletes { current = cellScanner.current(); assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), row2, 0, row2.length)); - - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 129l, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 129l, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); table.flushCommits(); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); s = new Scan(); @@ -681,24 +757,41 @@ public class TestVisibilityLabelsWithDeletes { TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); d.deleteColumn(fam, qual); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } }; SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Put put = new Put(Bytes.toBytes("row3")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row3")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); TEST_UTIL.getHBaseAdmin().majorCompact(tableName.getNameAsString()); // Sleep to ensure compaction happens. Need to do it in a better way @@ -752,14 +845,17 @@ public class TestVisibilityLabelsWithDeletes { TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); d.deleteFamily(fam); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } @@ -1055,10 +1151,24 @@ public class TestVisibilityLabelsWithDeletes { SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Put put = new Put(Bytes.toBytes("row3")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row3")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); TEST_UTIL.getHBaseAdmin().compact(tableName.getNameAsString()); Thread.sleep(5000); @@ -2103,7 +2213,7 @@ public class TestVisibilityLabelsWithDeletes { @Test public void testVisibilityExpressionWithNotEqualORCondition() throws Exception { setAuths(); - TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); + final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); HTable table = null; try { HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); @@ -2112,26 +2222,46 @@ public class TestVisibilityLabelsWithDeletes { HTableDescriptor desc = new HTableDescriptor(tableName); desc.addFamily(colDesc); hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "|" + PRIVATE)); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + HTable table = null; public Void run() throws Exception { try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "|" + PRIVATE)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.deleteColumn(fam, qual, 124l); - d.setCellVisibility(new CellVisibility(PRIVATE )); + d.setCellVisibility(new CellVisibility(PRIVATE)); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + if (table != null) { + table.close(); + } } return null; } @@ -2139,6 +2269,7 @@ public class TestVisibilityLabelsWithDeletes { SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + table = new HTable(conf, TEST_NAME.getMethodName()); Scan s = new Scan(); s.setMaxVersions(5); s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL, TOPSECRET)); @@ -2163,22 +2294,38 @@ public class TestVisibilityLabelsWithDeletes { } } - public static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps) + public static HTable createTableAndWriteDataWithLabels(final TableName tableName, final String... labelExps) throws Exception { HTable table = null; try { table = TEST_UTIL.createTable(tableName, fam); - int i = 1; - List puts = new ArrayList(); - for (String labelExp : labelExps) { - Put put = new Put(Bytes.toBytes("row" + i)); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(labelExp)); - puts.add(put); - table.put(put); - i++; - } - // table.put(puts); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(TEST_UTIL.getConfiguration(), tableName); + int i = 1; + List puts = new ArrayList(); + for (String labelExp : labelExps) { + Put put = new Put(Bytes.toBytes("row" + i)); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(labelExp)); + puts.add(put); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + i++; + } + } catch (Throwable t) { + throw new IOException(t); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); } finally { if (table != null) { table.close(); @@ -2187,22 +2334,38 @@ public class TestVisibilityLabelsWithDeletes { return table; } - public static HTable createTableAndWriteDataWithLabels(TableName tableName, long[] timestamp, - String... labelExps) throws Exception { + public static HTable createTableAndWriteDataWithLabels(final TableName tableName, + final long[] timestamp, final String... labelExps) throws Exception { HTable table = null; try { table = TEST_UTIL.createTable(tableName, fam); - int i = 1; - List puts = new ArrayList(); - for (String labelExp : labelExps) { - Put put = new Put(Bytes.toBytes("row" + i)); - put.add(fam, qual, timestamp[i - 1], value); - put.setCellVisibility(new CellVisibility(labelExp)); - puts.add(put); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - i++; - } + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(TEST_UTIL.getConfiguration(), tableName); + int i = 1; + List puts = new ArrayList(); + for (String labelExp : labelExps) { + Put put = new Put(Bytes.toBytes("row" + i)); + put.add(fam, qual, timestamp[i - 1], value); + put.setCellVisibility(new CellVisibility(labelExp)); + puts.add(put); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + i++; + } + } catch (Throwable t) { + throw new IOException(t); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); } finally { if (table != null) { table.close();