diff --git hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java index 08d0b6d..93827a5 100644 --- hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java +++ hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java @@ -49,6 +49,7 @@ import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.NameStringPair; import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.TableSchema; import org.apache.hadoop.hbase.regionserver.BloomType; import org.apache.hadoop.hbase.security.User; +import org.apache.hadoop.hbase.security.visibility.VisibilityConstants; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.Writables; import org.apache.hadoop.io.WritableComparable; @@ -1521,4 +1522,24 @@ public class HTableDescriptor implements WritableComparable { public void removeConfiguration(final String key) { configuration.remove(key); } + + /** + * Used with visibility expression. Setting this property to true would mean + * that for every mutation issued, the labels in the visibility expressions + * are validated against the set of labels associated with the user issuing + * the mutation. If not found then the mutation would fail. + * + * @param setCheckAuths + */ + public void setCheckAuthsForMutation(boolean setCheckAuths) { + setValue(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION_KEY, Boolean.toString(setCheckAuths)); + } + + public boolean getCheckAuthsForMutation() { + byte[] value = getValue(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION_KEY); + if (value != null) { + return Boolean.parseBoolean(Bytes.toString(value)); + } + return true; + } } 
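Review bot: `getCheckAuthsForMutation()` fails open on a malformed attribute value: `Boolean.parseBoolean` returns false for anything other than "true", so a value such as `yes` or `1` written directly through `setValue` switches label enforcement off even though the unset default is `true`. Disabling only on an explicit false keeps the default and the error case aligned, e.g. `return !"false".equalsIgnoreCase(Bytes.toString(value));`. The getter has no Javadoc and the setter's `@param setCheckAuths` is empty; both should state that the setting is per table and that an absent attribute means the check is enforced.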
diff --git hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java index bc84207..c4e9047 100644 --- hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java +++ hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityConstants.java @@ -20,6 +20,7 @@ package org.apache.hadoop.hbase.security.visibility; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.io.ImmutableBytesWritable; import org.apache.hadoop.hbase.util.Bytes; @InterfaceAudience.Private @@ -49,4 +50,10 @@ public final class VisibilityConstants { public static final byte[] SORTED_ORDINAL_SERIALIZATION_FORMAT = Bytes .toBytes(VISIBILITY_SERIALIZATION_VERSION); + /** + * Checks if the mutation has to be checked with the auths associated with the user + */ + public static final String CHECK_AUTHS_FOR_MUTATION = "CHECK_AUTHS_FOR_MUTATION"; + public static final ImmutableBytesWritable CHECK_AUTHS_FOR_MUTATION_KEY = + new ImmutableBytesWritable(Bytes.toBytes(CHECK_AUTHS_FOR_MUTATION)); } diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java index 39f65db..13b1baf 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java 
@@ -52,11 +52,11 @@ import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.KeyValue; import org.apache.hadoop.hbase.KeyValue.Type; import org.apache.hadoop.hbase.KeyValueUtil; +import org.apache.hadoop.hbase.MetaTableAccessor; import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.ServerName; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.Tag; -import org.apache.hadoop.hbase.MetaTableAccessor; import org.apache.hadoop.hbase.client.Append; import org.apache.hadoop.hbase.client.Delete; import org.apache.hadoop.hbase.client.Get; @@ -690,8 +690,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb if (c.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) { return; } + boolean checkAuths = c.getEnvironment().getRegion().getTableDesc().getCheckAuthsForMutation(); // TODO this can be made as a global LRU cache at HRS level? Map> labelCache = new HashMap>(); + List auths = null; + User user = getActiveUser(); + if (checkAuths && user != null && user.getShortName() != null) { + auths = this.visibilityManager.getAuthsAsOrdinals(user.getShortName()); + } for (int i = 0; i < miniBatchOp.size(); i++) { Mutation m = miniBatchOp.getOperation(i); CellVisibility cellVisibility = null; @@ -717,7 +723,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb List visibilityTags = labelCache.get(labelsExp); if (visibilityTags == null) { try { - visibilityTags = createVisibilityTags(labelsExp, true); + visibilityTags = createVisibilityTags(labelsExp, true, auths, user.getShortName()); } catch (ParseException e) { miniBatchOp.setOperationStatus(i, new OperationStatus(SANITY_CHECK_FAILURE, e.getMessage())); 
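Review bot: When `checkAuths` is true but `getActiveUser()` returns null, or a user without a short name, `auths` stays null, and the `checkAuths(...)` helper added later in this commit treats null as "do not enforce". The table's setting is therefore skipped exactly when the caller's identity could not be resolved. Failing closed is safer: `if (checkAuths && (user == null || user.getShortName() == null)) throw new AccessDeniedException("Cannot determine user for visibility label check");`. If internal callers legitimately arrive without a user, say so in a comment next to the guard. The enclosing method starts and ends outside the hunk.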
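Review bot: `user.getShortName()` is dereferenced unconditionally in the `createVisibilityTags(labelsExp, true, auths, user.getShortName())` call although the guard added earlier in the method allows `user == null`, so that case ends in a NullPointerException instead of a per-operation status. Resolve the name once beside the guard, `String userName = (user == null) ? null : user.getShortName();`, and pass `userName` here. The catch clauses visible in this hunk handle ParseException, and the AccessDeniedException now thrown from `checkAuths` does not appear to be caught, so one unauthorized label would presumably abort the whole mini-batch rather than mark operation `i` as failed; worth confirming that this is intended.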
@@ -777,7 +783,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb if (cellVisibility != null) { String labelsExp = cellVisibility.getExpression(); try { - visibilityTags = createVisibilityTags(labelsExp, false); + visibilityTags = createVisibilityTags(labelsExp, false, null, null); } catch (ParseException e) { throw new IOException("Invalid cell visibility expression " + labelsExp, e); } catch (InvalidLabelException e) { @@ -911,7 +917,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb return true; } - private List createVisibilityTags(String visibilityLabelsExp, boolean addSerializationTag) + private List createVisibilityTags(String visibilityLabelsExp, boolean addSerializationTag, + List auths, String userName) throws IOException, ParseException, InvalidLabelException { ExpressionNode node = null; node = this.expressionParser.parse(visibilityLabelsExp); @@ -926,7 +933,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb tags.add(VisibilityUtils.VIS_SERIALIZATION_TAG); } if (node.isSingleNode()) { - getLabelOrdinals(node, labelOrdinals); + getLabelOrdinals(node, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); 
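Review bot: Passing `null, null` switches the new authorization check off for this call site, and the `@@ -1241` hunk does the same with `createVisibilityTags(cellVisibility.getExpression(), true, null, null)`. The enclosing methods are outside both hunks, but if either path serves client-issued mutations (the tests in this commit set a cell visibility on Increment and Append), labels can be attached there that the batch-mutation path would reject, which leaves CHECK_AUTHS_FOR_MUTATION only partly effective. Either resolve the active user's auths at these call sites as well, or record why the check does not apply, e.g. `// auths == null: label check intentionally skipped here because <reason>`.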
@@ -934,14 +941,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb NonLeafExpressionNode nlNode = (NonLeafExpressionNode) node; if (nlNode.getOperator() == Operator.OR) { for (ExpressionNode child : nlNode.getChildExps()) { - getLabelOrdinals(child, labelOrdinals); + getLabelOrdinals(child, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); labelOrdinals.clear(); } } else { - getLabelOrdinals(nlNode, labelOrdinals); + getLabelOrdinals(nlNode, labelOrdinals, auths, userName); writeLabelOrdinalsToStream(labelOrdinals, dos); tags.add(new Tag(VisibilityUtils.VISIBILITY_TAG_TYPE, baos.toByteArray())); baos.reset(); @@ -958,7 +965,8 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } } - private void getLabelOrdinals(ExpressionNode node, List labelOrdinals) + private void getLabelOrdinals(ExpressionNode node, List labelOrdinals, + List auths, String userName) throws IOException, InvalidLabelException { if (node.isSingleNode()) { String identifier = null; @@ -970,12 +978,14 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb LOG.trace("The identifier is "+identifier); } labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier); + checkAuths(auths, userName, labelOrdinal, identifier); } else { // This is a NOT node. LeafExpressionNode lNode = (LeafExpressionNode) ((NonLeafExpressionNode) node) .getChildExps().get(0); identifier = lNode.getIdentifier(); labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier); + checkAuths(auths, userName, labelOrdinal, identifier); labelOrdinal = -1 * labelOrdinal; // Store NOT node as -ve ordinal. } if (labelOrdinal == 0) { 
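Review bot: In the `@@ -970` hunk `checkAuths` runs before the `labelOrdinal == 0` test that follows, so a label the manager does not know (presumably the ordinal-0 case) is reported as "not associated with user" through AccessDeniedException and never reaches that branch. If the intent is that unknown and unauthorized labels look the same to the writer, record it with `// Checked before the ordinal == 0 test so unknown and unauthorized labels fail identically`; otherwise move both calls below that test. The NOT branch also requires the user to hold the negated label, so writing `!X` needs auth for `X`, which deserves a sentence in the `setCheckAuthsForMutation` Javadoc. getLabelOrdinals starts and ends outside this hunk.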
@@ -985,7 +995,18 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } else { List childExps = ((NonLeafExpressionNode) node).getChildExps(); for (ExpressionNode child : childExps) { - getLabelOrdinals(child, labelOrdinals); + getLabelOrdinals(child, labelOrdinals, auths, userName); + } + } + } + + private void checkAuths(List auths, String userName, int labelOrdinal, + String identifier) throws InvalidLabelException, AccessDeniedException { + if (auths != null) { + if (!auths.contains(labelOrdinal)) { + throw new AccessDeniedException("Visibility label " + + identifier + " not associated with user " + + userName); } } } @@ -1241,7 +1262,7 @@ public class VisibilityController extends BaseRegionObserver implements MasterOb } } try { - tags.addAll(createVisibilityTags(cellVisibility.getExpression(), true)); + tags.addAll(createVisibilityTags(cellVisibility.getExpression(), true, null, null)); } catch (ParseException e) { throw new IOException(e); } diff --git hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java index 7f1f278..773a9dd 100644 --- hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java +++ hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityLabelsManager.java @@ -48,6 +48,7 @@ public class VisibilityLabelsManager { private static final Log LOG = LogFactory.getLog(VisibilityLabelsManager.class); private static final List EMPTY_LIST = new ArrayList(0); + private static final List EMPTY_INT_LIST = new ArrayList(0); private static VisibilityLabelsManager instance; private ZKVisibilityLabelWatcher zkVisibilityWatcher; 
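Review bot: The new `checkAuths` helper treats `auths == null` as "skip the check" without saying so, and it declares `throws InvalidLabelException` although nothing in its body throws it. A short Javadoc stating that null auths disables enforcement, plus the single condition `if (auths != null && !auths.contains(labelOrdinal))`, would make the fail-open case visible to the next reader. `List.contains` is a linear scan repeated for every label of every expression, so a set of ordinals would suit the lookup better. No denial is logged in this hunk; a log entry carrying user and label would help when rejected writes are investigated.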
@@ -173,6 +174,29 @@ public class VisibilityLabelsManager { } /** + * Returns the list of ordinals of authentications associated with the user + * + * @param user + * @return the list of ordinals + */ + public List getAuthsAsOrdinals(String user) { + List auths = EMPTY_INT_LIST; + this.lock.readLock().lock(); + try { + Set authOrdinals = userAuths.get(user); + if (authOrdinals != null) { + auths = new ArrayList(authOrdinals.size()); + for (Integer authOrdinal : authOrdinals) { + auths.add(authOrdinal); + } + } + } finally { + this.lock.readLock().unlock(); + } + return auths; + } + + /** * Writes the labels data to zookeeper node. * @param data * @param labelsOrUserAuths true for writing labels and false for user auths. diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java index 0c483aa..e96e242 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestImportTSVWithVisibilityLabels.java @@ -21,7 +21,6 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import java.io.IOException; -import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Arrays; import java.util.HashSet; @@ -48,7 +47,6 @@ import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.ResultScanner; import org.apache.hadoop.hbase.client.Scan; -import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.visibility.Authorizations; import org.apache.hadoop.hbase.security.visibility.CellVisibility; 
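Review bot: For a user with no auths `getAuthsAsOrdinals` returns the shared static `EMPTY_INT_LIST`, a plain mutable ArrayList, so any caller that ever adds to the returned list would make those ordinals pass the label check for every user without auths. Return an immutable empty list instead, `List<Integer> auths = Collections.emptyList();` (this needs `java.util.Collections` if the file does not import it yet), after which the `EMPTY_INT_LIST` field added in the previous hunk can be dropped. The element-by-element copy can be written as `auths = new ArrayList<Integer>(authOrdinals);`. The Javadoc should say "authorizations" rather than "authentications" and document that an unknown user yields an empty list, not null.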
@@ -91,7 +89,6 @@ public class TestImportTSVWithVisibilityLabels implements Configurable { private final static String PRIVATE = "private"; private final static String CONFIDENTIAL = "confidential"; private final static String SECRET = "secret"; - private static User SUPERUSER; private static Configuration conf; @Override @@ -107,11 +104,11 @@ public class TestImportTSVWithVisibilityLabels implements Configurable { @BeforeClass public static void provisionCluster() throws Exception { conf = util.getConfiguration(); - SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); - conf.set("hbase.superuser", "admin,"+User.getCurrent().getName()); + conf.set("hbase.superuser", User.getCurrent().getShortName()); conf.setInt("hfile.format.version", 3); conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); + conf.set("hbase.superuser", User.getCurrent().getName()); conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class, ScanLabelGenerator.class); util.startMiniCluster(); 
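Review bot: `hbase.superuser` is now set twice in provisionCluster, first to `User.getCurrent().getShortName()` and a few lines later to `User.getCurrent().getName()`, and the second call overwrites the first. Keep only one of them and delete the other line. Because the server-side check in this commit looks up auths with `user.getShortName()`, using the short name consistently in the test setup avoids a mismatch if the two forms ever differ.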
@@ -123,22 +120,15 @@ public class TestImportTSVWithVisibilityLabels implements Configurable { } private static void createLabels() throws IOException, InterruptedException { - PrivilegedExceptionAction action = - new PrivilegedExceptionAction() { - @Override - public VisibilityLabelsResponse run() throws Exception { - String[] labels = { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE }; - try { - VisibilityClient.addLabels(conf, labels); - LOG.info("Added labels "); - } catch (Throwable t) { - LOG.error("Error in adding labels" , t); - throw new IOException(t); - } - return null; - } - }; - SUPERUSER.runAs(action); + String[] labels = { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE }; + try { + VisibilityClient.addLabels(conf, labels); + VisibilityClient.setAuths(util.getConfiguration(), labels, User.getCurrent().getName()); + LOG.info("Added labels"); + } catch (Throwable t) { + LOG.error("Error in adding labels" , t); + throw new IOException(t); + } } @AfterClass diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java hbase-server/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java index e6845f7..5737202 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/rest/TestScannersWithLabels.java 
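Review bot: `setAuths` is keyed on `User.getCurrent().getName()`, while the check added to VisibilityController resolves auths with `user.getShortName()`. The two coincide for the local test user but would differ for a principal that carries a realm, in which case every labelled Put from this test would be denied. Prefer `VisibilityClient.setAuths(conf, labels, User.getCurrent().getShortName());`, which also uses `conf` consistently instead of mixing it with `util.getConfiguration()`.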
@@ -86,24 +86,28 @@ public class TestScannersWithLabels { private static Unmarshaller unmarshaller; private static Configuration conf; - private static int insertData(String tableName, String column, double prob) throws IOException { + private static void insertData(final String tableName, final String column, double prob) throws IOException, + InterruptedException { Random rng = new Random(); - int count = 0; - HTable table = new HTable(TEST_UTIL.getConfiguration(), tableName); - byte[] k = new byte[3]; - byte[][] famAndQf = KeyValue.parseColumn(Bytes.toBytes(column)); - - for (int i = 0; i < 9; i++) { - Put put = new Put(Bytes.toBytes("row" + i)); - put.setDurability(Durability.SKIP_WAL); - put.add(famAndQf[0], famAndQf[1], k); - put.setCellVisibility(new CellVisibility("(" + SECRET + "|" + CONFIDENTIAL + ")" + "&" + "!" - + TOPSECRET)); - table.put(put); - count++; - } - table.flushCommits(); - return count; + PrivilegedExceptionAction action = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = new HTable(TEST_UTIL.getConfiguration(), tableName); + byte[] k = new byte[3]; + byte[][] famAndQf = KeyValue.parseColumn(Bytes.toBytes(column)); + + for (int i = 0; i < 9; i++) { + Put put = new Put(Bytes.toBytes("row" + i)); + put.setDurability(Durability.SKIP_WAL); + put.add(famAndQf[0], famAndQf[1], k); + put.setCellVisibility(new CellVisibility("(" + SECRET + "|" + CONFIDENTIAL + ")" + "&" + + "!" + TOPSECRET)); + table.put(put); + } + table.flushCommits(); + return null; + } + }; + SUPERUSER.runAs(action); } private static int countCellSet(CellSetModel model) { 
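Review bot: The `HTable` opened inside `run()` is never closed, so each call to insertData leaves a table handle open; wrap the loop and `flushCommits()` in `try { ... } finally { table.close(); }`. `Random rng` and the `prob` parameter are unused in the new body and can be removed or marked as deliberately ignored. The method no longer returns the row count, so any caller outside this hunk that compared against it needs the constant instead. The anonymous `run()` should carry `@Override`.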
@@ -135,7 +139,6 @@ public class TestScannersWithLabels { // Wait for the labels table to become available TEST_UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME.getName(), 50000); createLabels(); - setAuths(); REST_TEST_UTIL.startServletContainer(conf); client = new Client(new Cluster().add("localhost", REST_TEST_UTIL.getServletPort())); context = JAXBContext.newInstance(CellModel.class, CellSetModel.class, RowModel.class, @@ -166,6 +169,7 @@ public class TestScannersWithLabels { String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, PUBLIC, TOPSECRET }; try { VisibilityClient.addLabels(conf, labels); + VisibilityClient.setAuths(conf, labels, SUPERUSER.getShortName()); } catch (Throwable t) { throw new IOException(t); } @@ -174,14 +178,7 @@ public class TestScannersWithLabels { }; SUPERUSER.runAs(action); } - private static void setAuths() throws Exception { - String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, PUBLIC, TOPSECRET }; - try { - VisibilityClient.setAuths(conf, labels, User.getCurrent().getShortName()); - } catch (Throwable t) { - throw new IOException(t); - } - } + @Test public void testSimpleScannerXMLWithLabelsThatReceivesNoData() throws IOException, JAXBException { final int BATCH_SIZE = 5; diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java index ac418e3..bac3d59 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestEnforcingScanLabelGenerator.java 
@@ -18,7 +18,8 @@ package org.apache.hadoop.hbase.security.visibility; import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME; -import static org.junit.Assert.*; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; import java.io.IOException; import java.security.PrivilegedExceptionAction; @@ -28,13 +29,12 @@ import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.MediumTests; import org.apache.hadoop.hbase.TableName; -import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.HTable; import org.apache.hadoop.hbase.client.Put; import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.util.Bytes; - import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Rule; @@ -84,6 +84,8 @@ public class TestEnforcingScanLabelGenerator { public Void run() throws Exception { try { VisibilityClient.addLabels(conf, new String[] { SECRET, CONFIDENTIAL }); + VisibilityClient.setAuths(conf, new String[] { SECRET, CONFIDENTIAL, }, + SUPERUSER.getShortName()); VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, }, TESTUSER.getShortName()); } catch (Throwable t) { throw new IOException(t); diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java index 86f5c98..edef196 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabels.java 
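Review bot: TESTUSER is granted only CONFIDENTIAL in the `@@ -84` hunk, which makes this setup the natural place for a negative test, yet none of the test hunks visible in this part of the commit asserts that a mutation carrying a label outside the writer's auths is rejected. The visible changes instead grant the writer every label so that existing tests keep passing. Add a case in which TESTUSER issues a Put with `new CellVisibility(SECRET)` and the test expects the write to fail, and a second case on a table created with `setCheckAuthsForMutation(false)` that expects the same Put to succeed.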
@@ -96,7 +96,7 @@ public class TestVisibilityLabels { public static User SUPERUSER; @BeforeClass - public static void setupBeforeClass() throws Exception { + public static void setupBeforeClass() throws Throwable { // setup configuration conf = TEST_UTIL.getConfiguration(); conf.setBoolean(HConstants.DISTRIBUTED_LOG_REPLAY_KEY, false); @@ -128,8 +128,9 @@ public class TestVisibilityLabels { @Test public void testSimpleVisibilityLabels() throws Exception { TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "|" + CONFIDENTIAL, + createTableAndWriteDataWithLabels(tableName, SECRET + "|" + CONFIDENTIAL, PRIVATE + "|" + CONFIDENTIAL); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); try { Scan s = new Scan(); s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL, PRIVATE)); @@ -157,10 +158,11 @@ public class TestVisibilityLabels { @Test public void testVisibilityLabelsWithComplexLabels() throws Exception { TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + ")" + "&" + "!" + TOPSECRET, "(" + PRIVATE + "&" + CONFIDENTIAL + "&" + SECRET + ")", "(" + PRIVATE + "&" + CONFIDENTIAL + "&" + SECRET + ")", "(" + PRIVATE + "&" + CONFIDENTIAL + "&" + SECRET + ")"); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); try { Scan s = new Scan(); s.setAuthorizations(new Authorizations(TOPSECRET, CONFIDENTIAL, PRIVATE, PUBLIC, SECRET)); 
@@ -192,8 +194,9 @@ public class TestVisibilityLabels { @Test public void testVisibilityLabelsThatDoesNotPassTheCriteria() throws Exception { TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + ")", PRIVATE); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); try { Scan s = new Scan(); s.setAuthorizations(new Authorizations(PUBLIC)); @@ -220,8 +223,9 @@ public class TestVisibilityLabels { @Test public void testVisibilityLabelsInScanThatDoesNotMatchAnyDefinedLabels() throws Exception { TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + ")", PRIVATE); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); try { Scan s = new Scan(); s.setAuthorizations(new Authorizations("SAMPLE")); @@ -238,8 +242,9 @@ public class TestVisibilityLabels { @Test public void testVisibilityLabelsWithGet() throws Exception { TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&" + CONFIDENTIAL + "&" + PRIVATE); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); try { Get get = new Get(row1); get.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); 
@@ -339,8 +344,9 @@ public class TestVisibilityLabels { @Test(timeout = 60 * 1000) public void testVisibilityLabelsOnRSRestart() throws Exception { final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + ")", PRIVATE); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); List regionServerThreads = TEST_UTIL.getHBaseCluster() .getRegionServerThreads(); for (RegionServerThread rsThread : regionServerThreads) { @@ -433,8 +439,9 @@ public class TestVisibilityLabels { @Test public void testVisibilityLabelsInGetThatDoesNotMatchAnyDefinedLabels() throws Exception { TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - HTable table = createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + createTableAndWriteDataWithLabels(tableName, "(" + SECRET + "|" + CONFIDENTIAL + ")", PRIVATE); + HTable table = new HTable(conf, TEST_NAME.getMethodName()); try { Get get = new Get(row1); get.setAuthorizations(new Authorizations("SAMPLE")); 
@@ -631,17 +638,30 @@ public class TestVisibilityLabels { HTable table = null; try { table = TEST_UTIL.createTable(tableName, fam); - byte[] row1 = Bytes.toBytes("row1"); - Put put = new Put(row1); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL)); - table.checkAndPut(row1, fam, qual, null, put); - byte[] row2 = Bytes.toBytes("row2"); - put = new Put(row2); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.checkAndPut(row2, fam, qual, null, put); - + final byte[] row1 = Bytes.toBytes("row1"); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(row1); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL)); + table.checkAndPut(row1, fam, qual, null, put); + byte[] row2 = Bytes.toBytes("row2"); + put = new Put(row2); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.checkAndPut(row2, fam, qual, null, put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); Scan scan = new Scan(); scan.setAuthorizations(new Authorizations(SECRET)); ResultScanner scanner = table.getScanner(scan); 
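Review bot: In the new `run()` the `finally` block calls `table.close()` on a variable initialised to null, so if `new HTable(conf, ...)` throws, the NullPointerException from `finally` replaces the real failure; guard it with `if (table != null) { table.close(); }`. The same pattern is repeated in the `@@ -663`, `@@ -695` and `@@ -783` hunks. `catch (Throwable t) { throw new IOException(t); }` also wraps an AccessDeniedException from the new label check, so a test that wants to assert on a denial would have to unwrap the cause; letting IOException subclasses propagate unchanged keeps that visible. Since the block is copied several times, a small private helper that takes the mutation and runs it as SUPERUSER would remove the duplication.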
@@ -663,23 +683,65 @@ public class TestVisibilityLabels { HTable table = null; try { table = TEST_UTIL.createTable(tableName, fam); - byte[] row1 = Bytes.toBytes("row1"); - byte[] val = Bytes.toBytes(1L); - Put put = new Put(row1); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val); - put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL)); - table.put(put); - Get get = new Get(row1); + final byte[] row1 = Bytes.toBytes("row1"); + final byte[] val = Bytes.toBytes(1L); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(row1); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val); + put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + final Get get = new Get(row1); get.setAuthorizations(new Authorizations(SECRET)); Result result = table.get(get); assertTrue(result.isEmpty()); - table.incrementColumnValue(row1, fam, qual, 2L); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + table.incrementColumnValue(row1, fam, qual, 2L); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); result = table.get(get); assertTrue(result.isEmpty()); - Increment increment = new Increment(row1); - increment.addColumn(fam, qual, 2L); - increment.setCellVisibility(new CellVisibility(SECRET)); - table.increment(increment); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Increment increment = new 
Increment(row1); + increment.addColumn(fam, qual, 2L); + increment.setCellVisibility(new CellVisibility(SECRET)); + table.increment(increment); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); result = table.get(get); assertTrue(!result.isEmpty()); } finally { 
@@ -695,25 +757,67 @@ public class TestVisibilityLabels { HTable table = null; try { table = TEST_UTIL.createTable(tableName, fam); - byte[] row1 = Bytes.toBytes("row1"); - byte[] val = Bytes.toBytes("a"); - Put put = new Put(row1); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val); - put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL)); - table.put(put); - Get get = new Get(row1); + final byte[] row1 = Bytes.toBytes("row1"); + final byte[] val = Bytes.toBytes("a"); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(row1); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, val); + put.setCellVisibility(new CellVisibility(SECRET + " & " + CONFIDENTIAL)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + final Get get = new Get(row1); get.setAuthorizations(new Authorizations(SECRET)); Result result = table.get(get); assertTrue(result.isEmpty()); - Append append = new Append(row1); - append.add(fam, qual, Bytes.toBytes("b")); - table.append(append); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Append append = new Append(row1); + append.add(fam, qual, Bytes.toBytes("b")); + table.append(append); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); result = table.get(get); assertTrue(result.isEmpty()); - append = new Append(row1); - append.add(fam, qual, Bytes.toBytes("c")); - append.setCellVisibility(new CellVisibility(SECRET)); - table.append(append); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + 
try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Append append = new Append(row1); + append.add(fam, qual, Bytes.toBytes("c")); + append.setCellVisibility(new CellVisibility(SECRET)); + table.append(append); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); result = table.get(get); assertTrue(!result.isEmpty()); } finally { 
@@ -783,35 +887,49 @@ public class TestVisibilityLabels { HTable table = null; try { table = new HTable(TEST_UTIL.getConfiguration(), tableName); - Put put = new Put(r1); - put.add(fam, qual, 3l, v1); - put.add(fam, qual2, 3l, v1); - put.add(fam2, qual, 3l, v1); - put.add(fam2, qual2, 3l, v1); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - put = new Put(r1); - put.add(fam, qual, 4l, v2); - put.add(fam, qual2, 4l, v2); - put.add(fam2, qual, 4l, v2); - put.add(fam2, qual2, 4l, v2); - put.setCellVisibility(new CellVisibility(PRIVATE)); - table.put(put); - - put = new Put(r2); - put.add(fam, qual, 3l, v1); - put.add(fam, qual2, 3l, v1); - put.add(fam2, qual, 3l, v1); - put.add(fam2, qual2, 3l, v1); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - put = new Put(r2); - put.add(fam, qual, 4l, v2); - put.add(fam, qual2, 4l, v2); - put.add(fam2, qual, 4l, v2); - put.add(fam2, qual2, 4l, v2); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(r1); + put.add(fam, qual, 3l, v1); + put.add(fam, qual2, 3l, v1); + put.add(fam2, qual, 3l, v1); + put.add(fam2, qual2, 3l, v1); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + put = new Put(r1); + put.add(fam, qual, 4l, v2); + put.add(fam, qual2, 4l, v2); + put.add(fam2, qual, 4l, v2); + put.add(fam2, qual2, 4l, v2); + put.setCellVisibility(new CellVisibility(PRIVATE)); + table.put(put); + + put = new Put(r2); + put.add(fam, qual, 3l, v1); + put.add(fam, qual2, 3l, v1); + put.add(fam2, qual, 3l, v1); + put.add(fam2, qual2, 3l, v1); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + put = new Put(r2); + put.add(fam, qual, 4l, v2); + put.add(fam, qual2, 4l, v2); + put.add(fam2, qual, 4l, v2); + put.add(fam2, 
qual2, 4l, v2); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); Scan s = new Scan(); s.setMaxVersions(1); 
@@ -862,36 +980,43 @@ public class TestVisibilityLabels { } } - private static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps) - throws Exception { - HTable table = null; - try { - table = TEST_UTIL.createTable(tableName, fam); - int i = 1; - List puts = new ArrayList(); - for (String labelExp : labelExps) { - Put put = new Put(Bytes.toBytes("row" + i)); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(labelExp)); - puts.add(put); - i++; - } - table.put(puts); - } finally { - if (table != null) { - table.flushCommits(); + private static HTable createTableAndWriteDataWithLabels(final TableName tableName, + final String... labelExps) throws Exception { + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + HTable table = null; + public Void run() throws Exception { + try { + table = TEST_UTIL.createTable(tableName, fam); + int i = 1; + List puts = new ArrayList(); + for (String labelExp : labelExps) { + Put put = new Put(Bytes.toBytes("row" + i)); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(labelExp)); + puts.add(put); + i++; + } + table.put(puts); + } finally { + if (table != null) { + table.flushCommits(); + } + } + return null; } - } - return table; + }; + SUPERUSER.runAs(actiona); + return null; } - public static void addLabels() throws Exception { + public static void addLabels() throws Throwable { + final String[] labels = { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE }; PrivilegedExceptionAction action = new PrivilegedExceptionAction() { public VisibilityLabelsResponse run() throws Exception { - String[] labels = { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE }; try { VisibilityClient.addLabels(conf, labels); + VisibilityClient.setAuths(conf, labels, SUPERUSER.getName()); } catch (Throwable t) { throw new IOException(t); } 
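Review bot: `createTableAndWriteDataWithLabels` still declares an `HTable` return type but now ends in `return null;`, so any caller that keeps using the result would fail with a `NullPointerException` rather than a visibility error. The table opened inside the action is also only flushed, never closed. Either close it in the `finally` and make the method `void`, or close it and hand back a fresh handle with `return new HTable(conf, tableName);` as the `doPuts` helpers in TestVisibilityLabelsWithDeletes do. The body of `addLabels` continues outside the hunk.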
diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java index 15b3136..d5b5ee7 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithACL.java @@ -111,8 +111,10 @@ public class TestVisibilityLabelsWithACL { @Test public void testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations() throws Throwable { String[] auths = { SECRET }; + String[] labels = {SECRET, CONFIDENTIAL, PRIVATE}; String user = "user2"; VisibilityClient.setAuths(conf, auths, user); + VisibilityClient.setAuths(conf, labels, User.getCurrent().getName()); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE); @@ -142,8 +144,10 @@ public class TestVisibilityLabelsWithACL { @Test public void testScanForSuperUserWithFewerLabelAuths() throws Throwable { String[] auths = { SECRET }; + String[] labels = {SECRET, CONFIDENTIAL, PRIVATE}; String user = "admin"; VisibilityClient.setAuths(conf, auths, user); + VisibilityClient.setAuths(conf, labels, User.getCurrent().getName()); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE); 
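Review bot: The added `VisibilityClient.setAuths(conf, labels, User.getCurrent().getName());` discards the returned response and carries no explanation, so a failed grant would only show up later as an unexplained rejection when the helper writes the labelled cells. A one-line comment such as `// the writer must hold every label used below; mutations are checked against the writer's auths` would make the intent clear, and checking the response would keep a failure at its cause. The same two lines are added in all four tests of this file (hunks -111,8, -142,8, -168,8 and -194,8) and could live in one helper. The user is named with `getName()` here and in `addLabels`, but with `getShortName()` in `testVerifyAccessDeniedForInvalidUserAuths`; if the server looks auths up by one form, the tests should use that form throughout. Each test method continues outside its hunk.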
@@ -168,8 +172,10 @@ public class TestVisibilityLabelsWithACL { @Test public void testGetForSuperUserWithFewerLabelAuths() throws Throwable { String[] auths = { SECRET }; + String[] labels = {SECRET, CONFIDENTIAL, PRIVATE}; String user = "admin"; VisibilityClient.setAuths(conf, auths, user); + VisibilityClient.setAuths(conf, labels, User.getCurrent().getName()); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE); @@ -194,8 +200,10 @@ public class TestVisibilityLabelsWithACL { public void testVisibilityLabelsForUserWithNoAuths() throws Throwable { String user = "admin"; String[] auths = { SECRET }; + String[] labels = {SECRET, CONFIDENTIAL, PRIVATE}; VisibilityClient.clearAuths(conf, auths, user); // Removing all auths if any. VisibilityClient.setAuths(conf, auths, "user1"); + VisibilityClient.setAuths(conf, labels, User.getCurrent().getName()); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET); SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER1.getShortName(), tableName, diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java index d3df952..37bf13e 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDeletes.java 
@@ -112,8 +112,8 @@ public class TestVisibilityLabelsWithDeletes { public void testVisibilityLabelsWithDeleteColumns() throws Throwable { setAuths(); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + TOPSECRET, - SECRET); + createTableAndWriteDataWithLabels(tableName, SECRET + "&" + TOPSECRET, SECRET); + HTable table = null; try { PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { @@ -135,6 +135,7 @@ public class TestVisibilityLabelsWithDeletes { SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + table = new HTable(conf, TEST_NAME.getMethodName()); Scan s = new Scan(); s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL)); ResultScanner scanner = table.getScanner(s); 
@@ -157,26 +158,27 @@ public class TestVisibilityLabelsWithDeletes { public void testVisibilityLabelsWithDeleteFamily() throws Exception { setAuths(); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET, CONFIDENTIAL + "|" - + TOPSECRET); - try { - PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { - public Void run() throws Exception { - try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); - Delete d = new Delete(row2); - d.setCellVisibility(new CellVisibility(TOPSECRET + "|" + CONFIDENTIAL)); - d.deleteFamily(fam); - table.delete(d); - } catch (Throwable t) { - throw new IOException(t); - } - return null; + createTableAndWriteDataWithLabels(tableName, SECRET, CONFIDENTIAL + "|" + TOPSECRET); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + try { + HTable table = new HTable(conf, TEST_NAME.getMethodName()); + Delete d = new Delete(row2); + d.setCellVisibility(new CellVisibility(TOPSECRET + "|" + CONFIDENTIAL)); + d.deleteFamily(fam); + table.delete(d); + } catch (Throwable t) { + throw new IOException(t); } - }; - SUPERUSER.runAs(actiona); + return null; + } + }; + SUPERUSER.runAs(actiona); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); Scan s = new Scan(); s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL)); ResultScanner scanner = table.getScanner(s); @@ -188,9 +190,7 @@ public class TestVisibilityLabelsWithDeletes { assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), row1, 0, row1.length)); } finally { - if (table != null) { - table.close(); - } + table.close(); } } 
@@ -199,31 +199,32 @@ public class TestVisibilityLabelsWithDeletes { setAuths(); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); long[] ts = new long[] { 123l, 125l }; - final HTable table = createTableAndWriteDataWithLabels(tableName, ts, CONFIDENTIAL + "|" - + TOPSECRET, SECRET); - try { - PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { - public Void run() throws Exception { - HTable table = null; - try { - table = new HTable(conf, TEST_NAME.getMethodName()); - Delete d = new Delete(row1); - d.setCellVisibility(new CellVisibility(TOPSECRET + "|" + CONFIDENTIAL)); - d.deleteFamilyVersion(fam, 123l); - table.delete(d); - } catch (Throwable t) { - throw new IOException(t); - } finally { - table.close(); - } - return null; + createTableAndWriteDataWithLabels(tableName, ts, CONFIDENTIAL + "|" + TOPSECRET, SECRET); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Delete d = new Delete(row1); + d.setCellVisibility(new CellVisibility(TOPSECRET + "|" + CONFIDENTIAL)); + d.deleteFamilyVersion(fam, 123l); + table.delete(d); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); } - }; - SUPERUSER.runAs(actiona); + return null; + } + }; + SUPERUSER.runAs(actiona); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Scan s = new Scan(); - s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL)); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + Scan s = new Scan(); + s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL)); + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); ResultScanner scanner = table.getScanner(s); Result[] next = scanner.next(3); assertTrue(next.length == 1); 
@@ -240,24 +241,41 @@ public class TestVisibilityLabelsWithDeletes { } @Test - public void testVisibilityLabelsWithDeleteColumnExactVersion() throws Exception { - setAuths(); + public void testVerifyAccessDeniedForInvalidUserAuths() throws Exception { + PrivilegedExceptionAction action = + new PrivilegedExceptionAction() { + public VisibilityLabelsResponse run() throws Exception { + try { + return VisibilityClient.setAuths(conf, new String[] { PRIVATE, SECRET, TOPSECRET }, + SUPERUSER.getShortName()); + } catch (Throwable e) { + } + return null; + } + }; + SUPERUSER.runAs(action); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); - long[] ts = new long[] { 123l, 125l }; - final HTable table = createTableAndWriteDataWithLabels(tableName, ts, CONFIDENTIAL + "|" - + TOPSECRET, SECRET); + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + HTable table = null; try { + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { HTable table = null; try { table = new HTable(conf, TEST_NAME.getMethodName()); - Delete d = new Delete(row1); - d.setCellVisibility(new CellVisibility(TOPSECRET + "|" + CONFIDENTIAL)); - d.deleteColumn(fam, qual, 123l); - table.delete(d); + Put p = new Put(row1); + p.setCellVisibility(new CellVisibility("(" + PRIVATE + "&" + CONFIDENTIAL + ")|(" + + SECRET + "&" + TOPSECRET + ")")); + p.add(fam, qual, 125l, value); + table.put(p); } catch (Throwable t) { - throw new IOException(t); + assertTrue(t.getMessage().contains("AccessDeniedException")); } finally { table.close(); } 
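Review bot: `testVerifyAccessDeniedForInvalidUserAuths` cannot fail when the put is accepted: its only assertion sits inside `catch (Throwable t)`, so if the server lets SUPERUSER write a cell labelled CONFIDENTIAL without holding that auth, `run()` returns normally and the test passes. Record the outcome and assert it after the `try`, as sketched below; that also covers a null exception message and the unguarded `table.close()`. The empty `catch (Throwable e) { }` around `setAuths` hides a failed grant, which could make the put be rejected for a reason other than the one under test; rethrow it with `throw new IOException(e);`. The method and the anonymous `run()` continue past the end of this hunk.

```java
public Void run() throws Exception {
  HTable table = null;
  boolean denied = false;
  try {
    // … unchanged: open the table and issue the Put with the labelled cell …
  } catch (Throwable t) {
    String msg = t.getMessage();
    denied = msg != null && msg.contains("AccessDeniedException");
  } finally {
    if (table != null) {
      table.close();
    }
  }
  assertTrue("put with a label outside the user's auths must be rejected", denied);
  // … unchanged: return null and the end of run() lie outside the hunk …
```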
@@ -265,10 +283,41 @@ public class TestVisibilityLabelsWithDeletes { } }; SUPERUSER.runAs(actiona); + } catch (Exception e) { + throw new IOException(e); + } + } + @Test + public void testVisibilityLabelsWithDeleteColumnExactVersion() throws Exception { + setAuths(); + TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); + long[] ts = new long[] { 123l, 125l }; + createTableAndWriteDataWithLabels(tableName, ts, CONFIDENTIAL + "|" + TOPSECRET, SECRET); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Delete d = new Delete(row1); + d.setCellVisibility(new CellVisibility(TOPSECRET + "|" + CONFIDENTIAL)); + d.deleteColumn(fam, qual, 123l); + table.delete(d); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Scan s = new Scan(); - s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL)); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + Scan s = new Scan(); + s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL)); + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); ResultScanner scanner = table.getScanner(s); Result[] next = scanner.next(3); assertTrue(next.length == 1); 
@@ -294,8 +343,9 @@ public class TestVisibilityLabelsWithDeletes { TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility("(" + PRIVATE + "&" + CONFIDENTIAL + ")|(" + SECRET + "&" + TOPSECRET+")")); @@ -303,6 +353,8 @@ public class TestVisibilityLabelsWithDeletes { table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } 
@@ -527,17 +579,31 @@ public class TestVisibilityLabelsWithDeletes { desc.addFamily(colDesc); hBaseAdmin.createTable(desc); table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { try { HTable table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); 
@@ -558,10 +624,24 @@ public class TestVisibilityLabelsWithDeletes { ResultScanner scanner = table.getScanner(s); Result[] next = scanner.next(3); assertEquals(next.length, 1); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, value1); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, value1); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { try { 
@@ -609,17 +689,30 @@ public class TestVisibilityLabelsWithDeletes { desc.addFamily(colDesc); hBaseAdmin.createTable(desc); table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + table.flushCommits(); + } catch (Throwable t) { + throw new IOException(t); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { try { HTable table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); 
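Review bot: The first new action in this hunk never closes the `HTable` it opens: it calls `table.flushCommits()` inside the `try` but has no `finally`, unlike the matching action in the -527,17 hunk. Add `} finally { if (table != null) { table.close(); } }` so the handle opened under the SUPERUSER identity is released even when a put is rejected. The enclosing test method starts and ends outside the hunk.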
@@ -640,10 +733,25 @@ public class TestVisibilityLabelsWithDeletes { ResultScanner scanner = table.getScanner(s); Result[] next = scanner.next(3); assertEquals(next.length, 1); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, value1); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, value1); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + table.flushCommits(); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { try { 
@@ -691,17 +799,32 @@ public class TestVisibilityLabelsWithDeletes { desc.addFamily(colDesc); hBaseAdmin.createTable(desc); table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value1); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - table.flushCommits(); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value1); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + table.flushCommits(); + table.flushCommits(); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { try { HTable table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); @@ -737,6 +860,7 @@ public class TestVisibilityLabelsWithDeletes { @Test public void testVisibilityLabelsWithDeleteColumnWithSpecificVersionWithPutsReAppearing() throws Exception { + setAuths(); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); HTable table = null; try { 
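Review bot: `table.flushCommits();` is added twice in a row in the first action of the -691,17 hunk; the second call has nothing left to flush and reads like a paste slip, so one of them should go. If `close()` in the `finally` already flushes pending writes, which is how I read `HTable`, the remaining call could be dropped as well. The enclosing test method starts and ends outside the hunk.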
@@ -747,15 +871,29 @@ public class TestVisibilityLabelsWithDeletes { desc.addFamily(colDesc); hBaseAdmin.createTable(desc); table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value1); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - table.flushCommits(); + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value1); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + table.flushCommits(); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); //TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); Scan s = new Scan(); s.setMaxVersions(5); @@ -763,7 +901,7 @@ public class TestVisibilityLabelsWithDeletes { ResultScanner scanner = table.getScanner(s); Result[] next = scanner.next(3); assertEquals(next.length, 1); - PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { try { HTable table = new HTable(conf, TEST_NAME.getMethodName()); 
@@ -926,116 +1064,160 @@ public class TestVisibilityLabelsWithDeletes { } } - private HTable doPuts(TableName tableName) throws IOException, InterruptedIOException, + private HTable doPuts(final TableName tableName) throws IOException, InterruptedIOException, RetriesExhaustedWithDetailsException, InterruptedException { - HTable table; - HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); - HColumnDescriptor colDesc = new HColumnDescriptor(fam); - colDesc.setMaxVersions(5); - HTableDescriptor desc = new HTableDescriptor(tableName); - desc.addFamily(colDesc); - hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 125l, value); - put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 126l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - put = new Put(Bytes.toBytes("row2")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + TOPSECRET - + "&" + SECRET + ")")); - table.put(put); - return table; + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws 
Exception { + HTable table = null; + try { + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET+")")); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 125l, value); + put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 126l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET+")")); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET+")")); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + put = new Put(Bytes.toBytes("row2")); + put.add(fam, qual, 127l, value); + put.setCellVisibility + (new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + TOPSECRET + + "&" + SECRET + ")")); + table.put(put); + } catch (Throwable e) { + throw new IOException(e); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + + return new HTable(conf, tableName); } - private HTable doPutsWithDiffCols(TableName tableName) throws IOException, + private HTable doPutsWithDiffCols(final TableName tableName) throws IOException, InterruptedIOException, 
RetriesExhaustedWithDetailsException, InterruptedException { - HTable table; - HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); - HColumnDescriptor colDesc = new HColumnDescriptor(fam); - colDesc.setMaxVersions(5); - HTableDescriptor desc = new HTableDescriptor(tableName); - desc.addFamily(colDesc); - hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 125l, value); - put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual1, 126l, value); - put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual2, 127l, value); - put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" - + TOPSECRET + "&" + SECRET+")")); - table.put(put); - return table; + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + 
put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET + ")")); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 125l, value); + put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual1, 126l, value); + put.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual2, 127l, value); + put.setCellVisibility(new CellVisibility("(" + CONFIDENTIAL + "&" + PRIVATE + ")|(" + + TOPSECRET + "&" + SECRET + ")")); + table.put(put); + } catch (Throwable e) { + throw new IOException(e); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + + return new HTable(conf, tableName); } - private HTable doPutsWithoutVisibility(TableName tableName) throws IOException, + private HTable doPutsWithoutVisibility(final TableName tableName) throws IOException, InterruptedIOException, RetriesExhaustedWithDetailsException, InterruptedException { - HTable table; - HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); - HColumnDescriptor colDesc = new HColumnDescriptor(fam); - colDesc.setMaxVersions(5); - HTableDescriptor desc = new HTableDescriptor(tableName); - desc.addFamily(colDesc); - hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 125l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 126l, value); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 127l, value); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - 
put = new Put(Bytes.toBytes("row2")); - put.add(fam, qual, 127l, value); - table.put(put); - return table; + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); + HColumnDescriptor colDesc = new HColumnDescriptor(fam); + colDesc.setMaxVersions(5); + HTableDescriptor desc = new HTableDescriptor(tableName); + desc.addFamily(colDesc); + hBaseAdmin.createTable(desc); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 125l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 126l, value); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 127l, value); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + put = new Put(Bytes.toBytes("row2")); + put.add(fam, qual, 127l, value); + table.put(put); + } catch (Throwable e) { + throw new IOException(e); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + return new HTable(conf, tableName); } - @Test public void testDeleteColumnWithSpecificTimeStampUsingMultipleVersionsUnMatchingVisExpression() throws Exception { 
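Review bot: `doPuts`, `doPutsWithDiffCols` and `doPutsWithoutVisibility` now write as SUPERUSER but return a handle opened outside `runAs`, and nothing in the code says why the two identities differ. A short comment on each would help the next reader, for example `// Writes run as SUPERUSER because mutations are checked against the writer's label auths; the returned handle is opened under the caller's identity.` The three bodies also repeat the same create-table block, which could move into one private helper, and `catch (Throwable e)` wraps assertion errors in `IOException` as well, so catching `Exception` would be the narrower choice.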
@@ -1179,20 +1361,37 @@ public class TestVisibilityLabelsWithDeletes { try { table = doPuts(tableName); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 128l, value); - put.setCellVisibility(new CellVisibility(TOPSECRET)); - table.put(put); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 128l, value); + put.setCellVisibility(new CellVisibility(TOPSECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); - d.setCellVisibility(new CellVisibility(SECRET )); + d.setCellVisibility(new CellVisibility(SECRET)); d.deleteColumn(fam, qual); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } 
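Review bot: The added `finally { table.close(); }` dereferences `table` without a guard, although it is initialised to `null` and only assigned inside the `try`. If `new HTable(conf, ...)` throws, the NullPointerException raised in `finally` replaces the IOException the catch block just built, and the real cause is lost. Guard it the way `doPutsWithoutVisibility` does in this patch: `if (table != null) { table.close(); }`. The same unguarded close is added in the hunks at -1237, -1273, -1344, -1463, -1754 and -2975 of this file and in TestVisibilityLabelsWithSLGStack. The test method's body starts and ends outside this hunk.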
@@ -1237,11 +1436,24 @@ public class TestVisibilityLabelsWithDeletes { current = cellScanner.current(); assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), row2, 0, row2.length)); - - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 129l, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 129l, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); table.flushCommits(); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); s = new Scan(); 
@@ -1273,24 +1485,41 @@ public class TestVisibilityLabelsWithDeletes { TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); d.deleteColumn(fam, qual); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } }; SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Put put = new Put(Bytes.toBytes("row3")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row3")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); TEST_UTIL.getHBaseAdmin().majorCompact(tableName.getNameAsString()); // Sleep to ensure compaction happens. Need to do it in a better way 
@@ -1344,14 +1573,17 @@ public class TestVisibilityLabelsWithDeletes { TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET)); d.deleteFamily(fam); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + table.close(); } return null; } 
@@ -1463,17 +1695,32 @@ public class TestVisibilityLabelsWithDeletes { desc.addFamily(colDesc); hBaseAdmin.createTable(desc); table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual1, 125l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual1, 126l, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual1, 125l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual1, 126l, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + table.flushCommits(); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { try { HTable table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); 
@@ -1516,19 +1763,30 @@ public class TestVisibilityLabelsWithDeletes { desc.addFamily(colDesc); hBaseAdmin.createTable(desc); table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual1, 125l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual1, 126l, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { public Void run() throws Exception { try { HTable table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual1, 125l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual1, 126l, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } + return null; + } + }; + SUPERUSER.runAs(actiona); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + try { + HTable table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.setCellVisibility(new CellVisibility(SECRET)); d.deleteColumns(fam, qual, 126l); 
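Review bot: Neither anonymous action added in this hunk closes the `HTable` it opens. The put action and the delete action both declare `HTable table = new HTable(conf, TEST_NAME.getMethodName());` inside the `try`, with no `finally`. Other hunks in this patch hoist the declaration and close it, so do the same here: `HTable table = null;` before the `try`, and `finally { if (table != null) { table.close(); } }`. The delete action's body continues past the end of the hunk.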
@@ -1754,10 +2012,24 @@ public class TestVisibilityLabelsWithDeletes { SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - Put put = new Put(Bytes.toBytes("row3")); - put.add(fam, qual, 127l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); - table.put(put); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(Bytes.toBytes("row3")); + put.add(fam, qual, 127l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "&" + PRIVATE)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); TEST_UTIL.getHBaseAdmin().compact(tableName.getNameAsString()); Thread.sleep(5000); @@ -2915,7 +3187,7 @@ public class TestVisibilityLabelsWithDeletes { @Test public void testVisibilityExpressionWithNotEqualORCondition() throws Exception { setAuths(); - TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); + final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); HTable table = null; try { HBaseAdmin hBaseAdmin = TEST_UTIL.getHBaseAdmin(); 
@@ -2924,26 +3196,46 @@ public class TestVisibilityLabelsWithDeletes { HTableDescriptor desc = new HTableDescriptor(tableName); desc.addFamily(colDesc); hBaseAdmin.createTable(desc); - table = new HTable(conf, tableName); - Put put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 123l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - put = new Put(Bytes.toBytes("row1")); - put.add(fam, qual, 124l, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "|" + PRIVATE)); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + HTable table = null; public Void run() throws Exception { try { - HTable table = new HTable(conf, TEST_NAME.getMethodName()); + table = new HTable(conf, tableName); + Put put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 123l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(Bytes.toBytes("row1")); + put.add(fam, qual, 124l, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL + "|" + PRIVATE)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + if (table != null) { + table.close(); + } + } + return null; + } + }; + SUPERUSER.runAs(actiona); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); Delete d = new Delete(row1); d.deleteColumn(fam, qual, 124l); - d.setCellVisibility(new CellVisibility(PRIVATE )); + d.setCellVisibility(new CellVisibility(PRIVATE)); table.delete(d); } catch (Throwable t) { throw new IOException(t); + } finally { + if (table != null) { + table.close(); + } } return null; } 
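Review bot: In the first action, `HTable table = null;` is declared as a field of the anonymous class, where it shadows the test method's own `table` local. The second action in the same hunk declares it as a local inside `run()`. A local is sufficient and keeps the two actions parallel, so move `HTable table = null;` to the first line of `run()`. The first action also opens the table by `tableName` and the second by `TEST_NAME.getMethodName()`; using `tableName` in both makes it obvious they target the same table. The test method starts and ends outside the hunk.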
@@ -2951,6 +3243,7 @@ public class TestVisibilityLabelsWithDeletes { SUPERUSER.runAs(actiona); TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + table = new HTable(conf, TEST_NAME.getMethodName()); Scan s = new Scan(); s.setMaxVersions(5); s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL, TOPSECRET)); 
@@ -2975,40 +3268,62 @@ public class TestVisibilityLabelsWithDeletes { } } - public static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps) - throws Exception { - HTable table = null; - table = TEST_UTIL.createTable(tableName, fam); - int i = 1; - List puts = new ArrayList(); - for (String labelExp : labelExps) { - Put put = new Put(Bytes.toBytes("row" + i)); - put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(labelExp)); - puts.add(put); - table.put(put); - i++; - } - // table.put(puts); - return table; + public static HTable createTableAndWriteDataWithLabels(final TableName tableName, + final String... labelExps) throws Exception { + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + HTable table = null; + public Void run() throws Exception { + try { + table = TEST_UTIL.createTable(tableName, fam); + int i = 1; + List puts = new ArrayList(); + for (String labelExp : labelExps) { + Put put = new Put(Bytes.toBytes("row" + i)); + put.add(fam, qual, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(labelExp)); + puts.add(put); + table.put(put); + i++; + } + } finally { + table.close(); + } + // table.put(puts); + return null; + } + }; + SUPERUSER.runAs(actiona); + return null; } - public static HTable createTableAndWriteDataWithLabels(TableName tableName, long[] timestamp, - String... 
labelExps) throws Exception { - HTable table = null; - table = TEST_UTIL.createTable(tableName, fam); - int i = 1; - List puts = new ArrayList(); - for (String labelExp : labelExps) { - Put put = new Put(Bytes.toBytes("row" + i)); - put.add(fam, qual, timestamp[i - 1], value); - put.setCellVisibility(new CellVisibility(labelExp)); - puts.add(put); - table.put(put); - TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); - i++; - } - return table; + public static HTable createTableAndWriteDataWithLabels(final TableName tableName, + final long[] timestamp, final String... labelExps) throws Exception { + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + HTable table = null; + + public Void run() throws Exception { + try { + table = TEST_UTIL.createTable(tableName, fam); + int i = 1; + List puts = new ArrayList(); + for (String labelExp : labelExps) { + Put put = new Put(Bytes.toBytes("row" + i)); + put.add(fam, qual, timestamp[i - 1], value); + put.setCellVisibility(new CellVisibility(labelExp)); + puts.add(put); + table.put(put); + TEST_UTIL.getHBaseAdmin().flush(tableName.getNameAsString()); + i++; + } + } finally { + table.close(); + } + // table.put(puts); + return null; + } + }; + SUPERUSER.runAs(actiona); + return null; } public static void addLabels() throws Exception { diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDistributedLogReplay.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDistributedLogReplay.java index 6c7fea5..29af133 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDistributedLogReplay.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithDistributedLogReplay.java 
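Review bot: Both overloads of `createTableAndWriteDataWithLabels` still declare `HTable` as their return type but now end in `return null;`. Any caller that uses the result (callers are outside this hunk) will fail with a NullPointerException. Return a fresh handle after the privileged action, as `doPutsWithoutVisibility` does in this patch: `return new HTable(conf, tableName);`. Separately, the `puts` list is filled in each loop but never read, because the batch call is only the commented-out `// table.put(puts);`, so drop either the list or the comment.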
@@ -22,7 +22,6 @@ import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LA import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.hbase.MediumTests; import org.apache.hadoop.hbase.security.User; -import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.experimental.categories.Category; @@ -33,7 +32,7 @@ import org.junit.experimental.categories.Category; public class TestVisibilityLabelsWithDistributedLogReplay extends TestVisibilityLabels { @BeforeClass - public static void setupBeforeClass() throws Exception { + public static void setupBeforeClass() throws Throwable { // setup configuration conf = TEST_UTIL.getConfiguration(); conf.setBoolean(HConstants.DISTRIBUTED_LOG_REPLAY_KEY, true); diff --git hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithSLGStack.java hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithSLGStack.java index 4461519..01176f2 100644 --- hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithSLGStack.java +++ hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestVisibilityLabelsWithSLGStack.java 
@@ -86,15 +86,28 @@ public class TestVisibilityLabelsWithSLGStack { HTable table = null; try { table = TEST_UTIL.createTable(tableName, CF); - Put put = new Put(ROW_1); - put.add(CF, Q1, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(SECRET)); - table.put(put); - put = new Put(ROW_1); - put.add(CF, Q2, HConstants.LATEST_TIMESTAMP, value); - put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); - table.put(put); - + PrivilegedExceptionAction actiona = new PrivilegedExceptionAction() { + public Void run() throws Exception { + HTable table = null; + try { + table = new HTable(conf, TEST_NAME.getMethodName()); + Put put = new Put(ROW_1); + put.add(CF, Q1, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + put = new Put(ROW_1); + put.add(CF, Q2, HConstants.LATEST_TIMESTAMP, value); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + } catch (Throwable t) { + throw new IOException(t); + } finally { + table.close(); + } + return null; + } + }; + SUPERUSER.runAs(actiona); LabelFilteringScanLabelGenerator.labelToFilter = CONFIDENTIAL; Scan s = new Scan(); s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); @@ -116,6 +129,7 @@ public class TestVisibilityLabelsWithSLGStack { String[] labels = { SECRET, CONFIDENTIAL }; try { VisibilityClient.addLabels(conf, labels); + VisibilityClient.setAuths(conf, labels, SUPERUSER.getName()); } catch (Throwable t) { throw new IOException(t); }
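Review bot: In the second hunk, `VisibilityClient.setAuths(conf, labels, SUPERUSER.getName());` grants the superuser both labels that the puts in this class write. Every mutation therefore satisfies the new auth check, and only the allow path is exercised here. If no other test in the patch covers it, add a case where a user lacking `SECRET` issues the put and assert that it is rejected, since that is the behaviour the table property exists to enforce. The enclosing setup method starts and ends outside the hunk.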