From 1a825f572039a4b2bd403a2f238cea2d0361aecf Mon Sep 17 00:00:00 2001 From: Ashish Singhi Date: Tue, 5 May 2015 18:42:00 +0530 Subject: [PATCH] HBASE-13562 Add testing coverage to AccessController for all combinations of scope and permissions. --- .../security/access/TestAccessController.java | 211 ++++++---- .../security/access/TestNamespaceCommands.java | 431 ++++++++++++++++++++- 2 files changed, 562 insertions(+), 80 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 11b9006..09ae6df 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -25,6 +25,7 @@ import static org.junit.Assert.fail; import java.io.IOException; import java.security.PrivilegedAction; +import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -149,8 +150,8 @@ public class TestAccessController extends SecureTestUtil { // user with all permissions private static User SUPERUSER; - // user granted with all global permission - private static User USER_ADMIN; + // global user with all the permissions + private static User USER_GLOBAL_ALL; // user with rw permissions on column family. private static User USER_RW; // user with read-only permissions @@ -163,6 +164,8 @@ public class TestAccessController extends SecureTestUtil { private static User USER_NONE; // user with admin rights on the column family private static User USER_ADMIN_CF; + // user with admin table permissions alone + private static User USER_ADMIN; // TODO: convert this test to cover the full matrix in // https://hbase.apache.org/book/appendix_acl_matrix.html 
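Review bot: Reusing the identifier `USER_ADMIN` for the new table-scoped admin in the `@@ -163,6 +164,8 @@` hunk, right after the old global `USER_ADMIN` was renamed to `USER_GLOBAL_ALL`, means any reference that was not updated still compiles but now denotes a strictly weaker principal, so an allow/deny assertion can silently change meaning instead of failing. A name that states the scope, e.g. `// user with ADMIN at table scope only` over `private static User USER_TABLE_ADMIN;`, mirrors `USER_GLOBAL_ALL` and makes the verify lists self-describing. The class body continues outside the hunk.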
@@ -210,11 +213,12 @@ public class TestAccessController extends SecureTestUtil { // create a set of test users SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); - USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]); + USER_GLOBAL_ALL = User.createUserForTesting(conf, "admin2", new String[0]); USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]); USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); + USER_ADMIN = User.createUserForTesting(conf, "tbl_admin", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); @@ -244,7 +248,7 @@ public class TestAccessController extends SecureTestUtil { // Set up initial grants - grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), + grantGlobal(TEST_UTIL, USER_GLOBAL_ALL.getShortName(), Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, @@ -270,9 +274,13 @@ public class TestAccessController extends SecureTestUtil { TEST_TABLE.getTableName(), TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), TEST_TABLE.getTableName(), null, null, + Permission.Action.ADMIN); + + assertEquals(6, AccessControlLists.getTablePermissions(conf, + TEST_TABLE.getTableName()).size()); try { - assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, + assertEquals(6, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); 
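Review bot: The two `assertEquals(6, …)` checks in the `@@ -270,9 +274,13 @@` hunk only pin the number of ACL rows after the new `grantOnTable(… USER_ADMIN …, Permission.Action.ADMIN)`, not that the added row carries exactly ADMIN for `tbl_admin`; a grant that accidentally included CREATE would still yield six rows and pass. Capturing the list returned by `AccessControlClient.getUserPermissions` and asserting `hasFoundUserPermission(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), TEST_TABLE.getTableName(), null, null, Permission.Action.ADMIN), perms)` would pin the scope and action themselves. The setup method continues outside the hunk.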
@@ -309,7 +317,7 @@ public class TestAccessController extends SecureTestUtil { }; // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN); + verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_ALL); // all others should be denied verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE); @@ -329,7 +337,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyAllowed(modifyTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER); verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE); } @@ -338,13 +346,13 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction deleteTable = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER - .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), + TEST_TABLE.getTableName()); return null; } }; - verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyAllowed(deleteTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER); verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE); } @@ -360,7 +368,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyAllowed(truncateTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER); verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); } 
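Review bot: In the `@@ -309,7 +317,7 @@` hunk the table-scoped `USER_ADMIN` appears in neither `verifyAllowed` nor `verifyDenied` for `createTable`, so nothing checks that ADMIN on `TEST_TABLE` does not confer the namespace/global CREATE that table creation presumably requires; `USER_OWNER` is likewise in neither list. Given the commit's stated goal of covering every scope/permission combination, the denial should read `verifyDenied(createTable, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO, USER_NONE);`. The test method starts outside the hunk.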
@@ -370,13 +378,13 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction action = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(), - hcd); + ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), + TEST_TABLE.getTableName(), hcd); return null; } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } @@ -393,7 +401,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_ADMIN_CF); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } @@ -408,7 +417,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_ADMIN_CF); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } @@ -432,11 +442,11 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyAllowed(disableTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER); verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE); // No user should be allowed to disable _acl_ table - verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO); + verifyDenied(disableAclTable, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, USER_RW, USER_RO); } @Test 
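Review bot: The `_acl_` denial in the `@@ -432,11 +442,11 @@` hunk drops `USER_ADMIN` when the global user is renamed to `USER_GLOBAL_ALL`, so the new table-scoped admin is no longer exercised against `disableAclTable` even though the comment says no user may disable it; `USER_NONE` is missing as well. Make it `verifyDenied(disableAclTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);`, wrapped at 100 columns as the other lengthened calls in this patch are (at the file's indent this line appears to exceed the limit). The same hunk's `disableTable` lists could also include `USER_ADMIN_CF` in the denial to cover the family-scoped grant.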
@@ -444,17 +454,33 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction enableTable = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER - .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + ACCESS_CONTROLLER.preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), + TEST_TABLE.getTableName()); return null; } }; - verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); + verifyAllowed(enableTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER); verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE); } @Test + public void testTableFlush() throws Exception { + AccessTestAction tableFlushAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preTableFlush(ObserverContext.createAndPrepare(CP_ENV, null), + TEST_TABLE.getTableName()); + return null; + } + }; + + verifyAllowed(tableFlushAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, + USER_OWNER); + verifyDenied(tableFlushAction, USER_RW, USER_RO, USER_NONE); + } + + @Test public void testMove() throws Exception { List regions; try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { @@ -472,7 +498,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -492,7 +518,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } 
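Review bot: The new `testTableFlush` in the `@@ -444,17 +454,33 @@` hunk leaves `USER_ADMIN_CF` out of both lists, so a user holding ADMIN/CREATE only on one column family is never checked against a table-level flush; if `preTableFlush` checks at table scope, as the table-level ADMIN/CREATE allow list suggests, the family-scoped grant must not suffice and the denial should be `verifyDenied(tableFlushAction, USER_ADMIN_CF, USER_RW, USER_RO, USER_NONE);`. The region-move denials in the following two hunks omit `USER_ADMIN_CF` in the same way.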
@@ -512,7 +538,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -532,7 +558,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -546,7 +572,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -560,7 +586,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -574,7 +600,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -588,12 +614,12 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } private void verifyWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(action, USER_NONE, USER_RO); } 
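Review bot: The four global-only actions in the `@@ -546`, `-560`, `-574` and `-588` hunks keep `verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE)` with no `USER_ADMIN`, so the new table-scoped ADMIN grant is never shown to be insufficient for cluster-wide operations, which is exactly the negative case a scope-confusion bug in the controller would break. Add `USER_ADMIN` (and `USER_ADMIN_CF`) to each of those denial lists; in `verifyWrite`, where ADMIN implies neither READ nor WRITE, it should likewise join `verifyDenied(action, USER_ADMIN, USER_NONE, USER_RO);`. Each test method begins outside its hunk.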
@@ -607,7 +633,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -623,7 +649,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -642,7 +668,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -656,7 +682,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } @@ -671,17 +697,17 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } private void verifyRead(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW, USER_RO); verifyDenied(action, USER_NONE); } private void verifyReadWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(action, USER_NONE, USER_RO); } 
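Review bot: `verifyRead` and `verifyReadWrite` in the `@@ -671,17 +697,17 @@` hunk still do not mention `USER_ADMIN`, so the table-scoped admin is exercised for schema operations but never against data access, where ADMIN must not stand in for READ or WRITE. Adding it to the negative lists once — `verifyDenied(action, USER_ADMIN, USER_NONE);` and `verifyDenied(action, USER_ADMIN, USER_NONE, USER_RO);` — closes the gap for every data test routed through these helpers. `USER_ADMIN_CF`, which holds ADMIN/CREATE rather than READ/WRITE on the family, presumably belongs in the same denials.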
@@ -837,7 +863,7 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(bulkLoadAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); // Reinit after the bulk upload @@ -942,7 +968,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(appendAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(appendAction, USER_RO, USER_NONE); } @@ -1006,16 +1032,16 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } 
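Review bot: The bulk-load comment in the `@@ -837,7 +863,7 @@` hunk says ADMIN or CREATE on the table suffices, yet the table-scoped `USER_ADMIN` is in neither list, so either the comment is wrong or the allow list is incomplete; the same user is also absent from the grant/revoke/getTablePermissions lists in the last hunk, although table ADMIN is precisely what table-level grants check. Add `USER_ADMIN` to `verifyAllowed(bulkLoadAction, …)` if bulk load really accepts table ADMIN, and to `verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER);` plus the revoke and getTablePermissions allow lists, while keeping it in `verifyDenied(getGlobalPermissionsAction, …)`. Each test method starts outside its hunk.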
@@ -1524,7 +1550,7 @@ public class TestAccessController extends SecureTestUtil { } finally { acl.close(); } - UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), + UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_GLOBAL_ALL.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); assertTrue("Only user admin has permission on table _acl_ per setup", perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); @@ -1707,7 +1733,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1721,7 +1747,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1735,7 +1761,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1749,7 +1775,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1770,6 +1796,14 @@ public class TestAccessController extends SecureTestUtil { } }; + AccessTestAction listAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), snapshot); + return null; + } + }; + AccessTestAction deleteAction = new AccessTestAction() { @Override public Object run() throws Exception { 
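Review bot: The global-only actions in the `-1707`, `-1721`, `-1735` and `-1749` hunks still omit the table-scoped `USER_ADMIN` from `verifyDenied`, so nothing shows the new grant does not reach these cluster operations; add it to each list, e.g. `verifyDenied(action, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);`. The `listAction` declared in the `@@ -1770,6 +1796,14 @@` hunk is repeated verbatim in `testSnapshotWithOwner`; a small `private AccessTestAction listSnapshotAction(final SnapshotDescription snapshot)` helper would remove the duplication. The test method continues outside the hunk.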
@@ -1797,16 +1831,19 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(snapshotAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); + verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + + verifyAllowed(deleteAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN); + verifyAllowed(restoreAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN); + verifyAllowed(cloneAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1827,9 +1864,20 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(snapshotAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + AccessTestAction listAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), + snapshot); + return null; + } + }; + verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); + verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + AccessTestAction deleteAction = new AccessTestAction() { @Override public Object run() throws Exception { 
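Review bot: In the `@@ -1797,16 +1831,19 @@` hunk `snapshotAction` now allows the table-scoped `USER_ADMIN`, but `listAction`, `deleteAction`, `restoreAction` and `cloneAction` list it in neither `verifyAllowed` nor `verifyDenied`, so the test does not establish that snapshotting one's own table is the only snapshot operation table ADMIN buys. The clone comment later in the file says those operations need global admin, so `USER_ADMIN` belongs in each denial, e.g. `verifyDenied(listAction, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);`. The same omission applies to the owner variant in the following hunk. Both test methods start outside their hunks.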
@@ -1838,7 +1886,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(deleteAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); AccessTestAction restoreAction = new AccessTestAction() { @@ -1849,7 +1897,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(restoreAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); AccessTestAction cloneAction = new AccessTestAction() { @@ -1862,7 +1910,7 @@ public class TestAccessController extends SecureTestUtil { }; // Clone by snapshot owner is not allowed , because clone operation creates a new table, // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); + verifyAllowed(cloneAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1934,7 +1982,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - USER_ADMIN.runAs(putAction); + USER_GLOBAL_ALL.runAs(putAction); } } @@ -1967,10 +2015,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyAllowed(listTablesAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, TABLE_ADMIN); verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyAllowed(getTableDescAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, TABLE_ADMIN); verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); } 
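Review bot: The list-tables and table-descriptor expectations in the `@@ -1967,10 +2015,10 @@` hunk keep a separate local `TABLE_ADMIN` user while the class now has a static `USER_ADMIN` with ADMIN on `TEST_TABLE`; if `TABLE_ADMIN`'s grant (set up outside the hunk) is the same table-scoped ADMIN, the two principals duplicate each other and the lists should simply name `USER_ADMIN`. If they differ, a one-line comment stating how would spare the next reader the comparison. The two changed `verifyAllowed` lines also appear to run past 100 columns at the file's indent, where the rest of the patch wraps.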
@@ -1991,7 +2039,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + verifyAllowed(listTablesAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, USER_RW, USER_RO); verifyIfEmptyList(listTablesAction, USER_NONE); } @@ -2279,7 +2327,7 @@ public class TestAccessController extends SecureTestUtil { // Current user is superuser verifyAllowed(putWithReservedTag, User.getCurrent()); // No other user should be allowed - verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); + verifyDenied(putWithReservedTag, USER_OWNER, USER_GLOBAL_ALL, USER_CREATE, USER_RW, USER_RO); } @Test @@ -2329,19 +2377,19 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN); + verifyAllowed(setUserQuotaAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN); + verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); - verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(setTableQuotaAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN); + verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } 
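Review bot: In the quota hunk (`@@ -2329,19 +2377,19 @@`) `USER_ADMIN` is allowed for `setUserTableQuotaAction` and `setTableQuotaAction` but absent from the denial lists of `setUserQuotaAction`, `setUserNamespaceQuotaAction` and `setNamespaceQuotaAction`, so the test never shows that ADMIN on one table cannot set quotas at user or namespace scope. Add it to those three lists, e.g. `verifyDenied(setUserQuotaAction, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);`. The reserved-tag denial in the preceding hunk also omits `USER_ADMIN` and `USER_NONE` although its comment says no other user may be allowed.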
@@ -2409,8 +2457,9 @@ public class TestAccessController extends SecureTestUtil { null, Action.ADMIN); List perms = testUserPerms.runAs(getPrivilegedAction(regex)); assertNotNull(perms); - // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each. - assertEquals(6, perms.size()); + // USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has + // row each. + assertEquals(7, perms.size()); } @Test @@ -2449,7 +2498,7 @@ public class TestAccessController extends SecureTestUtil { grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table2, null, null, Action.ADMIN); assertEquals(4, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); - // USER_ADMIN, testUserPerms must have a row each. + // USER_GLOBAL_ALL, testUserPerms must have a row each. assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(tableName)).size()); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + TableName.NAMESPACE_DELIM + tableName) @@ -2464,7 +2513,7 @@ public class TestAccessController extends SecureTestUtil { } private void verifyAnyCreate(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_ADMIN_CF); verifyDenied(action, USER_NONE, USER_RO, USER_RW); } 
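Review bot: `verifyAnyCreate` in the `@@ -2464,7 +2513,7 @@` hunk places the table-scoped `USER_ADMIN` in neither list while `USER_ADMIN_CF`, who holds ADMIN and CREATE on the family, is allowed; whether ADMIN alone at table scope satisfies these create-style checks is exactly the combination this commit sets out to cover, so `USER_ADMIN` should be added to whichever list matches the controller's behaviour rather than left untested. The updated row-count comment in the first hunk is helpful; stating that `testUserPerms` is the calling user's own grant would make the seven-row arithmetic verifiable without reading the setup.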
@@ -2501,7 +2550,25 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN); + verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } + + @Test + public void testGetTableDescriptors() throws Exception { + final List list = new ArrayList(); + list.add(TEST_TABLE.getTableName()); + AccessTestAction getTableDescriptorsAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preGetTableDescriptors(ObserverContext.createAndPrepare(CP_ENV, null), + list, null, null); + return null; + } + }; + + verifyAllowed(getTableDescriptorsAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, + USER_OWNER); + verifyDenied(getTableDescriptorsAction, USER_RW, USER_RO, USER_NONE); + } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 457bb3b..d39a92d 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java 
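Review bot: The new `testGetTableDescriptors` omits `USER_ADMIN_CF` from both lists; if `preGetTableDescriptors` checks ADMIN/CREATE at table scope, as the allow list of table-level holders suggests, the family-scoped grant must not pass and the denial should be `verifyDenied(getTableDescriptorsAction, USER_ADMIN_CF, USER_RW, USER_RO, USER_NONE);`. The call passes `null` for both trailing arguments (presumably the descriptor list and the name regex), so only the by-name path is exercised; a sibling call with a non-null pattern would cover the other branch the hook exposes. The replicate-log-entries denial in the same hunk still lacks `USER_ADMIN`.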
@@ -20,26 +20,36 @@ package org.apache.hadoop.hbase.security.access; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; -import java.util.List; +import java.util.ArrayList; import java.util.Arrays; +import java.util.List; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.Coprocessor; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HConstants; +import org.apache.hadoop.hbase.HRegionInfo; +import org.apache.hadoop.hbase.HRegionLocation; import org.apache.hadoop.hbase.HTableDescriptor; +import org.apache.hadoop.hbase.MiniHBaseCluster; import org.apache.hadoop.hbase.NamespaceDescriptor; +import org.apache.hadoop.hbase.ServerName; import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.HBaseAdmin; +import org.apache.hadoop.hbase.client.RegionLocator; import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.Table; import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment; import org.apache.hadoop.hbase.coprocessor.ObserverContext; +import org.apache.hadoop.hbase.master.MasterCoprocessorHost; import org.apache.hadoop.hbase.protobuf.ProtobufUtil; import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService; +import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos.SnapshotDescription; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.Permission.Action; import org.apache.hadoop.hbase.testclassification.MediumTests; 
@@ -62,6 +72,8 @@ public class TestNamespaceCommands extends SecureTestUtil { private static MasterCoprocessorEnvironment CP_ENV; private static AccessController ACCESS_CONTROLLER; + private static Connection systemUserConnection; + // user with all permissions private static User SUPERUSER; @@ -93,8 +105,11 @@ public class TestNamespaceCommands extends SecureTestUtil { private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER private static String TEST_TABLE = TEST_NAMESPACE + ":testtable"; + private static TableName tableName = TableName.valueOf(TEST_TABLE); private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); + private static HBaseAdmin ADMIN = null; + @BeforeClass public static void beforeClass() throws Exception { conf = UTIL.getConfiguration(); 
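Review bot: The new static `tableName` in the `@@ -93,8 +105,11 @@` hunk breaks the file's convention, where every other static fixture is `UPPER_SNAKE_CASE` (`TEST_TABLE`, `TEST_FAMILY`, `ADMIN`), and reads like a local when used in the test bodies. Rename it, e.g. `private static final TableName TEST_TABLE_NAME = TableName.valueOf(TEST_TABLE);`, and drop the redundant `= null` initializer on `ADMIN`. The `systemUserConnection` field added in the first hunk is assigned in `beforeClass` but not read in any visible hunk; if it is unused elsewhere in the file it should go.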
@@ -122,12 +137,22 @@ public class TestNamespaceCommands extends SecureTestUtil { // Wait for the ACL table to become available UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 30 * 1000); - ACCESS_CONTROLLER = (AccessController) UTIL.getMiniHBaseCluster().getMaster() - .getRegionServerCoprocessorHost() - .findCoprocessor(AccessController.class.getName()); + MiniHBaseCluster cluster = UTIL.getMiniHBaseCluster(); + ACCESS_CONTROLLER = + (AccessController) cluster.getMaster().getRegionServerCoprocessorHost() + .findCoprocessor(AccessController.class.getName()); + MasterCoprocessorHost cpHost = cluster.getMaster().getMasterCoprocessorHost(); + cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf); + CP_ENV = + cpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, + Coprocessor.PRIORITY_HIGHEST, 1, conf); - UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build()); - UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build()); + ADMIN = UTIL.getHBaseAdmin(); + ADMIN.createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build()); + ADMIN.createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build()); + + HTableDescriptor tableDescOne = new HTableDescriptor(tableName); + ADMIN.createTable(tableDescOne, Bytes.toBytes("AAA"), Bytes.toBytes("ZZZ"), 4); // grants on global grantGlobal(UTIL, USER_GLOBAL_ADMIN.getShortName(), Permission.Action.ADMIN); 
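Review bot: In the `@@ -122,12 +137,22 @@` hunk `cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf)` creates a second `AccessController` on the master coprocessor host and discards its result, while `CP_ENV` is built around `ACCESS_CONTROLLER`, the instance taken from the master's region-server coprocessor host; master hooks such as `preModifyTable` are thus driven through an instance started with a region-server environment, and the extra loaded observer presumably also runs on every real master operation the test performs. Using the master-host instance for the hooks — `ACCESS_CONTROLLER = (AccessController) cpHost.findCoprocessor(AccessController.class.getName());` after the `load`, followed by the existing `createEnvironment` call — avoids both problems. The setup method continues outside the hunk.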
@@ -144,12 +169,16 @@ public class TestNamespaceCommands extends SecureTestUtil { grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC); grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN); + + systemUserConnection = UTIL.getConnection(); } @AfterClass public static void afterClass() throws Exception { - UTIL.getHBaseAdmin().deleteNamespace(TEST_NAMESPACE); - UTIL.getHBaseAdmin().deleteNamespace(TEST_NAMESPACE2); + ADMIN.disableTable(tableName); + ADMIN.deleteTable(tableName); + ADMIN.deleteNamespace(TEST_NAMESPACE); + ADMIN.deleteNamespace(TEST_NAMESPACE2); UTIL.shutdownMiniCluster(); } 
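Review bot: `afterClass` in the `@@ -144,12 +169,16 @@` hunk runs `ADMIN.disableTable`/`deleteTable` and the two `deleteNamespace` calls before `UTIL.shutdownMiniCluster()` with no `try`/`finally`, so a failure in any cleanup step (for example a test that leaves the table already disabled) skips the shutdown and the mini cluster stays up. Wrap it as `try { ADMIN.disableTable(tableName); ADMIN.deleteTable(tableName); ADMIN.deleteNamespace(TEST_NAMESPACE); ADMIN.deleteNamespace(TEST_NAMESPACE2); } finally { UTIL.shutdownMiniCluster(); }`. The `systemUserConnection = UTIL.getConnection()` assignment at the end of `beforeClass` is not read in any visible hunk.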
@@ -493,4 +522,390 @@ public class TestNamespaceCommands extends SecureTestUtil {
 USER_TABLE_CREATE, USER_TABLE_WRITE);
 }
+
+ @Test
+ public void testTableModify() throws Exception {
+ AccessTestAction modifyTable = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTableDescriptor htd = new HTableDescriptor(tableName);
+ htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName()));
+ ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null), tableName,
+ htd);
+ return null;
+ }
+ };
+
+ verifyAllowed(modifyTable, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(modifyTable, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testTableDelete() throws Exception {
+ AccessTestAction deleteTable = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null),
+ tableName);
+ return null;
+ }
+ };
+
+ verifyAllowed(deleteTable, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(deleteTable, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testTableTruncate() throws Exception {
+ AccessTestAction truncateTable = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null),
+ tableName);
+ return null;
+ }
+ };
+
+ verifyAllowed(truncateTable, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(truncateTable, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testAddColumn() throws Exception {
+ final HColumnDescriptor hcd = new HColumnDescriptor("fam_new");
+ AccessTestAction addColumnaction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), tableName,
+ hcd);
+ return null;
+ }
+ };
+
+ verifyAllowed(addColumnaction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(addColumnaction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testModifyColumn() throws Exception {
+ final HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY);
+ hcd.setMaxVersions(10);
+ AccessTestAction modifyColumnAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null),
+ tableName, hcd);
+ return null;
+ }
+ };
+
+ verifyAllowed(modifyColumnAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(modifyColumnAction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testDeleteColumn() throws Exception {
+ AccessTestAction deleteColumnAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null),
+ tableName, TEST_FAMILY);
+ return null;
+ }
+ };
+
+ verifyAllowed(deleteColumnAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(deleteColumnAction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testTableEnable() throws Exception {
+ AccessTestAction enableTableAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null),
+ tableName);
+ return null;
+ }
+ };
+
+ verifyAllowed(enableTableAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(enableTableAction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testTableDisable() throws Exception {
+ AccessTestAction disableTableAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER
+ .preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null), tableName);
+ return null;
+ }
+ };
+
+ AccessTestAction disableAclTableAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null),
+ AccessControlLists.ACL_TABLE_NAME);
+ return null;
+ }
+ };
+
+ verifyAllowed(disableTableAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(disableTableAction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+
+ verifyDenied(disableAclTableAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ }
+
+ @Test
+ public void testTableFlush() throws Exception {
+ AccessTestAction tableFlushAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preTableFlush(ObserverContext.createAndPrepare(CP_ENV, null), tableName);
+ return null;
+ }
+ };
+
+ verifyAllowed(tableFlushAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(tableFlushAction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testGetTableDescriptors() throws Exception {
+ final List list = new ArrayList();
+ list.add(tableName);
+ AccessTestAction getTableDescriptorsAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preGetTableDescriptors(ObserverContext.createAndPrepare(CP_ENV, null),
+ list, null, null);
+ return null;
+ }
+ };
+
+ verifyAllowed(getTableDescriptorsAction, USER_GLOBAL_ADMIN, USER_GLOBAL_CREATE, USER_NS_ADMIN,
+ USER_NS_CREATE);
+ verifyDenied(getTableDescriptorsAction, USER_NS_READ, USER_NS_WRITE, USER_NS_EXEC);
+ }
+
+ @Test
+ public void testMove() throws Exception {
+ List regions;
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) {
+ regions = locator.getAllRegionLocations();
+ }
+ HRegionLocation location = regions.get(0);
+ final HRegionInfo hri = location.getRegionInfo();
+ final ServerName server = location.getServerName();
+ AccessTestAction moveAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preMove(ObserverContext.createAndPrepare(CP_ENV, null), hri, server,
+ server);
+ return null;
+ }
+ };
+
+ verifyAllowed(moveAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(moveAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+ }
+
+ @Test
+ public void testAssign() throws Exception {
+ List regions;
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) {
+ regions = locator.getAllRegionLocations();
+ }
+ HRegionLocation location = regions.get(0);
+ final HRegionInfo hri = location.getRegionInfo();
+ AccessTestAction assignAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preAssign(ObserverContext.createAndPrepare(CP_ENV, null), hri);
+ return null;
+ }
+ };
+
+ verifyAllowed(assignAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(assignAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+ }
+
+ @Test
+ public void testUnassign() throws Exception {
+ List regions;
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) {
+ regions = locator.getAllRegionLocations();
+ }
+ HRegionLocation location = regions.get(0);
+ final HRegionInfo hri = location.getRegionInfo();
+ AccessTestAction unassignAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preUnassign(ObserverContext.createAndPrepare(CP_ENV, null), hri, false);
+ return null;
+ }
+ };
+
+ verifyAllowed(unassignAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(unassignAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+ }
+
+ @Test
+ public void testRegionOffline() throws Exception {
+ List regions;
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) {
+ regions = locator.getAllRegionLocations();
+ }
+ HRegionLocation location = regions.get(0);
+ final HRegionInfo hri = location.getRegionInfo();
+ AccessTestAction regionOfflineAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preRegionOffline(ObserverContext.createAndPrepare(CP_ENV, null), hri);
+ return null;
+ }
+ };
+
+ verifyAllowed(regionOfflineAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(regionOfflineAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+ }
+
+ @Test
+ public void testSnapshot() throws Exception {
+ Admin admin = ADMIN;
+ final HTableDescriptor htd = admin.getTableDescriptor(tableName);
+ SnapshotDescription.Builder builder = SnapshotDescription.newBuilder();
+ builder.setName(TEST_TABLE + "-snapshot");
+ builder.setTable(TEST_TABLE);
+ final SnapshotDescription snapshot = builder.build();
+ AccessTestAction snapshotAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER
+ .preSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), snapshot, htd);
+ return null;
+ }
+ };
+
+ AccessTestAction listAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
+ snapshot);
+ return null;
+ }
+ };
+
+ AccessTestAction deleteAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preDeleteSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
+ snapshot);
+ return null;
+ }
+ };
+
+ AccessTestAction restoreAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preRestoreSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
+ snapshot, htd);
+ return null;
+ }
+ };
+
+ AccessTestAction cloneAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preCloneSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), null,
+ null);
+ return null;
+ }
+ };
+
+ verifyAllowed(snapshotAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(snapshotAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyDenied(listAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyDenied(deleteAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyDenied(cloneAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyDenied(restoreAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+ }
+
+ @Test
+ public void testSetQuota() throws Exception {
+ AccessTestAction setUserQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), null,
+ null);
+ return null;
+ }
+ };
+
+ AccessTestAction setUserTableQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), null,
+ tableName, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setUserNamespaceQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), null,
+ (String) null, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setTableQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetTableQuota(ObserverContext.createAndPrepare(CP_ENV, null),
+ tableName, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setNamespaceQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetNamespaceQuota(ObserverContext.createAndPrepare(CP_ENV, null),
+ null, null);
+ return null;
+ }
+ };
+
+ verifyDenied(setUserQuotaAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyAllowed(setUserTableQuotaAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(setUserTableQuotaAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyDenied(setUserNamespaceQuotaAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyAllowed(setTableQuotaAction, USER_GLOBAL_ADMIN, USER_NS_ADMIN);
+ verifyDenied(setTableQuotaAction, USER_GLOBAL_CREATE, USER_NS_CREATE);
+
+ verifyDenied(setNamespaceQuotaAction, USER_NS_ADMIN, USER_GLOBAL_CREATE, USER_NS_CREATE);
+ }
 }
-- 
1.9.2.msysgit.0
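Review bot: In testSnapshot, listAction, deleteAction, cloneAction and restoreAction are only ever passed to verifyDenied, and the same holds for setUserQuotaAction, setUserNamespaceQuotaAction and setNamespaceQuotaAction in testSetQuota, so these assertions cannot distinguish a hook correctly restricted to global ADMIN from one that denies every caller; pair each with a positive check such as `verifyAllowed(listAction, USER_GLOBAL_ADMIN);` next to the existing denial. The denied lists also narrow from testMove onward (only USER_GLOBAL_CREATE and USER_NS_CREATE, plus USER_NS_ADMIN for the snapshot and quota cases) while the table-schema tests above deny USER_NS_READ, USER_NS_WRITE and USER_NS_EXEC as well; adding those three users to the region, snapshot and quota denials keeps the scope/permission coverage uniform across the file. cloneAction, setUserQuotaAction and setNamespaceQuotaAction pass null for the snapshot, descriptor and quota arguments, so a comment such as `// null arguments: only the unconditional ADMIN gate is exercised here` would record that this is deliberate; if any of those hooks touch their arguments before the permission check, the null would surface as a non-access failure rather than the expected denial, which is worth confirming.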