diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java index f4bf87e..6f2e37c 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/DefaultScanLabelGenerator.java @@ -56,13 +56,13 @@ public class DefaultScanLabelGenerator implements ScanLabelGenerator { @Override public List getLabels(User user, Authorizations authorizations) { + String userName = user.getShortName(); + List auths = this.labelsCache.getAuths(userName); if (authorizations != null) { List labels = authorizations.getLabels(); - String userName = user.getShortName(); - List auths = this.labelsCache.getAuths(userName); return dropLabelsNotInUserAuths(labels, auths, userName); } - return null; + return auths; } private List dropLabelsNotInUserAuths(List labels, List auths, diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGenerator.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGenerator.java new file mode 100644 index 0000000..211e48d --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/TestDefaultScanLabelGenerator.java @@ -0,0 +1,165 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hbase.security.visibility; + +import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import java.io.IOException; +import java.security.PrivilegedExceptionAction; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellScanner; +import org.apache.hadoop.hbase.HBaseTestingUtility; +import org.apache.hadoop.hbase.HConstants; +import org.apache.hadoop.hbase.TableName; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.Put; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.client.Table; +import org.apache.hadoop.hbase.security.User; +import org.apache.hadoop.hbase.testclassification.MediumTests; +import org.apache.hadoop.hbase.testclassification.SecurityTests; +import org.apache.hadoop.hbase.util.Bytes; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.junit.rules.TestName; + +@Category({SecurityTests.class, MediumTests.class}) +public class TestDefaultScanLabelGenerator { + + public static final String CONFIDENTIAL = "confidential"; + private static final String SECRET = "secret"; + public static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); + private static final byte[] ROW_1 = Bytes.toBytes("row1"); + private final static byte[] CF = Bytes.toBytes("f"); + private final static byte[] Q1 = Bytes.toBytes("q1"); + private final static byte[] Q2 = Bytes.toBytes("q2"); + private final static byte[] Q3 = Bytes.toBytes("q3"); + private final static byte[] value1 = Bytes.toBytes("value1"); + private final static byte[] value2 = Bytes.toBytes("value2"); + private final static byte[] value3 = Bytes.toBytes("value3"); + public static Configuration conf; + + @Rule + public final TestName TEST_NAME = new TestName(); + public static User SUPERUSER; + public static User TESTUSER; + + @BeforeClass + public static void setupBeforeClass() throws Exception { + // setup configuration + conf = TEST_UTIL.getConfiguration(); + VisibilityTestUtil.enableVisiblityLabels(conf); + String classes = DefaultScanLabelGenerator.class.getCanonicalName(); + conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, classes); + conf.set("hbase.superuser", "admin"); + TEST_UTIL.startMiniCluster(1); + SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); + TESTUSER = User.createUserForTesting(conf, "test", new String[] { }); + + // Wait for the labels table to become available + TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000); + + // Set up for the test + SUPERUSER.runAs(new PrivilegedExceptionAction() { + public Void run() throws Exception { + try { + VisibilityClient.addLabels(conf, new String[] { SECRET, CONFIDENTIAL }); + VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL }, TESTUSER.getShortName()); + } catch (Throwable t) { + throw new IOException(t); + } + return null; + } + }); + } + + @Test + public void testDefaultScanWithNoSetAuths() throws Exception { + final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); + + SUPERUSER.runAs(new PrivilegedExceptionAction() { + public Void run() throws Exception { + Table table = TEST_UTIL.createTable(tableName, CF); + try { + Put put = new Put(ROW_1); + put.add(CF, Q1, HConstants.LATEST_TIMESTAMP, value1); + put.setCellVisibility(new CellVisibility(SECRET)); + table.put(put); + put = new Put(ROW_1); + put.add(CF, Q2, HConstants.LATEST_TIMESTAMP, value2); + put.setCellVisibility(new CellVisibility(CONFIDENTIAL)); + table.put(put); + put = new Put(ROW_1); + put.add(CF, Q3, HConstants.LATEST_TIMESTAMP, value3); + table.put(put); + return null; + } finally { + table.close(); + } + } + }); + + TESTUSER.runAs(new PrivilegedExceptionAction() { + public Void run() throws Exception { + Table table = new HTable(conf, tableName); + try { + // Test scan with no auth attributes + Scan s = new Scan(); + ResultScanner scanner = table.getScanner(s); + Result[] next = scanner.next(1); + + assertTrue(next.length == 1); + CellScanner cellScanner = next[0].cellScanner(); + cellScanner.advance(); + Cell current = cellScanner.current(); + // test user can see value2 (CONFIDENTIAL) and value3 (no label) + assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), + current.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current.getQualifier(), Q2)); + assertTrue(Bytes.equals(current.getValue(), value2)); + cellScanner.advance(); + current = cellScanner.current(); + // test user can see value2 (CONFIDENTIAL) and value3 (no label) + assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), + current.getRowLength(), ROW_1, 0, ROW_1.length)); + assertTrue(Bytes.equals(current.getQualifier(), Q3)); + assertTrue(Bytes.equals(current.getValue(), value3)); + return null; + } finally { + table.close(); + } + } + }); + + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + TEST_UTIL.shutdownMiniCluster(); + } +}