From d5ddd2066a6ac8e0594f7daee40ae4f732efa91e Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Wed, 6 May 2015 14:47:47 +0530
Subject: [PATCH] HBASE-13562 Add testing coverage to AccessController for all combinations of scope and permissions for the master interface operations
---
 .../security/access/TestAccessController.java | 520 +++++++++++++--------
 .../security/access/TestNamespaceCommands.java | 39 +-
 2 files changed, 333 insertions(+), 226 deletions(-)
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 11b9006..8e5b13b 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -25,6 +25,7 @@ import static org.junit.Assert.fail;
 import java.io.IOException;
 import java.security.PrivilegedAction;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -138,6 +139,8 @@ public class TestAccessController extends SecureTestUtil {
 }
 @Rule public TestTableName TEST_TABLE = new TestTableName();
+ TableName tableName = null;
+ private static String TEST_NAMESPACE = null;
 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
 private static Configuration conf;
@@ -149,8 +152,8 @@ public class TestAccessController extends SecureTestUtil {
 // user with all permissions
 private static User SUPERUSER;
- // user granted with all global permission
- private static User USER_ADMIN;
+ // global user with all the permissions
+ private static User USER_GLOBAL_ALL;
 // user with rw permissions on column family.
 private static User USER_RW;
 // user with read-only permissions 
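Review bot: In the @@ -138 hunk `TableName tableName = null;` is package-private, non-final and explicitly null-initialised, and `private static String TEST_NAMESPACE = null;` is a mutable static that setUp re-derives from the per-instance `TEST_TABLE` rule on every test. Both hold per-test state, so declare them as private instance fields, `private TableName tableName;` and `private String testNamespace;` (or keep the static but add a comment saying it is reassigned in setUp), because an UPPER_SNAKE_CASE static reads as a constant to the next maintainer. The class body continues outside the hunk.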
@@ -163,6 +166,19 @@ public class TestAccessController extends SecureTestUtil { private static User USER_NONE; // user with admin rights on the column family private static User USER_ADMIN_CF; + // user with admin table permissions alone + private static User USER_ADMIN; + + // user with A permission on namespace + private static User USER_NS_ADMIN; + // user with C permission on namespace + private static User USER_NS_CREATE; + // user with W permission on namespace + private static User USER_NS_WRITE; + // user with R permission on namespace. + private static User USER_NS_READ; + // user with X permission on namespace. + private static User USER_NS_EXEC; // TODO: convert this test to cover the full matrix in // https://hbase.apache.org/book/appendix_acl_matrix.html 
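Review bot: The new `private static User USER_ADMIN;` reuses the identifier that the previous revision used for the global-all user (renamed to USER_GLOBAL_ALL in the @@ -149 hunk), but with narrower table-scoped ADMIN semantics. A name that carries the scope, e.g. `USER_TBL_ADMIN` next to the existing USER_ADMIN_CF and the new USER_NS_* family, keeps the allowed/denied lists self-explanatory and prevents a conflicting backport from silently treating it as the global user. The field declarations continue past the hunk.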
@@ -210,14 +226,21 @@ public class TestAccessController extends SecureTestUtil { // create a set of test users SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); - USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]); + USER_GLOBAL_ALL = User.createUserForTesting(conf, "admin2", new String[0]); USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]); USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); + USER_ADMIN = User.createUserForTesting(conf, "tbl_admin", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); + USER_NS_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]); + USER_NS_CREATE = User.createUserForTesting(conf, "namespace_create", new String[0]); + USER_NS_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]); + USER_NS_READ = User.createUserForTesting(conf, "namespace_read", new String[0]); + USER_NS_EXEC = User.createUserForTesting(conf, "namespace_exec", new String[0]); + systemUserConnection = TEST_UTIL.getConnection(); } 
@@ -228,51 +251,71 @@ public class TestAccessController extends SecureTestUtil { @Before public void setUp() throws Exception { + tableName = TEST_TABLE.getTableName(); // Create the test table (owner added to the _acl_ table) - Admin admin = TEST_UTIL.getHBaseAdmin(); - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(tableName); HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); hcd.setMaxVersions(100); htd.addFamily(hcd); htd.setOwner(USER_OWNER); createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") }); - Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE.getTableName()).get(0); + Region region = TEST_UTIL.getHBaseCluster().getRegions(tableName).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); + TEST_NAMESPACE = tableName.getNamespaceAsString(); + // Set up initial grants - grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), + grantGlobal(TEST_UTIL, USER_GLOBAL_ALL.getShortName(), Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RW.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + tableName, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE); // USER_CREATE is USER_RW plus CREATE permissions grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), - TEST_TABLE.getTableName(), null, null, + tableName, null, null, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RO.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + tableName, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, + tableName, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - 
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), tableName, null, null, + Permission.Action.ADMIN); + + // grants on namespace + grantOnNamespace(TEST_UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE, + Permission.Action.ADMIN); + grantOnNamespace(TEST_UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, + Permission.Action.CREATE); + grantOnNamespace(TEST_UTIL, USER_NS_WRITE.getShortName(), TEST_NAMESPACE, + Permission.Action.WRITE); + grantOnNamespace(TEST_UTIL, USER_NS_READ.getShortName(), TEST_NAMESPACE, + Permission.Action.READ); + grantOnNamespace(TEST_UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, + Permission.Action.EXEC); + + assertEquals(6, AccessControlLists.getTablePermissions(conf, + tableName).size()); + assertEquals(5, AccessControlLists.getNamespacePermissions(conf, + TEST_NAMESPACE).size()); try { - assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, + assertEquals(6, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); 
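Review bot: The updated `assertEquals(6, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size())` at the end of the hunk sits inside a `try { ... } catch (Throwable e) { LOG.error(...) }`, so a wrong count produces an AssertionError that is logged and swallowed rather than failing the test; the check verifies nothing. Move the assertEquals after the try block, or rethrow from the catch, so the grant count is actually enforced. Separately, the five `grantOnNamespace` calls target TEST_NAMESPACE, which the tearDown comment identifies as the default namespace, so any grant that survives a failed test is visible to every other test in the class; the cleanup order in tearDown matters for that reason. The setUp method continues past the hunk.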
@@ -283,17 +326,27 @@ public class TestAccessController extends SecureTestUtil { public void tearDown() throws Exception { // Clean the _acl_ table try { - deleteTable(TEST_UTIL, TEST_TABLE.getTableName()); + deleteTable(TEST_UTIL, tableName); } catch (TableNotFoundException ex) { // Test deleted the table, no problem - LOG.info("Test deleted table " + TEST_TABLE.getTableName()); + LOG.info("Test deleted table " + tableName); } // Verify all table/namespace permissions are erased - assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); - assertEquals( - 0, - AccessControlLists.getNamespacePermissions(conf, - TEST_TABLE.getTableName().getNamespaceAsString()).size()); + assertEquals(0, AccessControlLists.getTablePermissions(conf, tableName).size()); + + // revoking permissions explicitly as TEST_NAMESPACE i.e. default namespace cannot be deleted. + revokeFromNamespace(TEST_UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE, + Permission.Action.ADMIN); + revokeFromNamespace(TEST_UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, + Permission.Action.CREATE); + revokeFromNamespace(TEST_UTIL, USER_NS_WRITE.getShortName(), TEST_NAMESPACE, + Permission.Action.WRITE); + revokeFromNamespace(TEST_UTIL, USER_NS_READ.getShortName(), TEST_NAMESPACE, + Permission.Action.READ); + revokeFromNamespace(TEST_UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, + Permission.Action.EXEC); + assertEquals(0, + AccessControlLists.getNamespacePermissions(conf, tableName.getNamespaceAsString()).size()); } @Test 
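Review bot: In tearDown the five `revokeFromNamespace` calls come after `deleteTable` and the `assertEquals(0, AccessControlLists.getTablePermissions(conf, tableName).size())`, so a failure in either earlier statement skips the revokes and leaves the grants on the shared default namespace, which then breaks the next test's `assertEquals(5, ...getNamespacePermissions(...))` in setUp for an unrelated reason. Run the revokes before the assertions, or put the deleteTable/assert pair and the revokes in a try/finally, so cleanup is unconditional. The final assertion also recomputes `tableName.getNamespaceAsString()` where the rest of the method uses `TEST_NAMESPACE`; using the same field makes it obvious both refer to the namespace the grants were made on.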
@@ -301,18 +354,18 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction createTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TableName.valueOf("testnewtable")); + HTableDescriptor htd = + new HTableDescriptor(TableName.valueOf(tableName.getNamespaceAsString() + + "testnewtable")); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null); return null; } }; - // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN); - - // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_ALL, USER_NS_CREATE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_ADMIN, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -320,17 +373,19 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction modifyTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(tableName); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName())); ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), htd); + tableName, htd); return null; } }; - verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(modifyTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test 
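Review bot: In the @@ -301 hunk `TableName.valueOf(tableName.getNamespaceAsString() + "testnewtable")` concatenates namespace and qualifier without the `:` separator, so the resulting table (with the default namespace, `defaulttestnewtable`) is created in the default namespace whatever TEST_NAMESPACE is. The expectation that USER_NS_CREATE is allowed holds only because TEST_NAMESPACE happens to be the default namespace, as the tearDown comment states; use `TableName.valueOf(tableName.getNamespaceAsString(), "testnewtable")` so the table is placed in the namespace the grant was made on and the test fails if that assumption ever changes. The test method's signature is outside the hunk.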
@@ -338,14 +393,16 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction deleteTable = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER - .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + ACCESS_CONTROLLER.preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), + tableName); return null; } }; - verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(deleteTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -355,13 +412,15 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { ACCESS_CONTROLLER .preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + tableName); return null; } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(truncateTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test 
@@ -370,14 +429,16 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction action = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(), - hcd); + ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), + tableName, hcd); return null; } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -388,13 +449,14 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), hcd); + tableName, hcd); return null; } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_ADMIN_CF, USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test 
@@ -403,13 +465,14 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), TEST_FAMILY); + tableName, TEST_FAMILY); return null; } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_ADMIN_CF, USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -418,7 +481,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + tableName); return null; } }; @@ -432,11 +495,14 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(disableTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); // No user should be allowed to disable _acl_ table - verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO); + verifyDenied(disableAclTable, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, USER_RW, + USER_RO, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test 
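Review bot: In the @@ -432 hunk the `verifyDenied(disableAclTable, ...)` list, which the comment above it says must cover every user, omits the new table-ADMIN user USER_ADMIN (and USER_NONE), so the commit does not establish that table-scoped ADMIN cannot disable the ACL table. Extend it to `verifyDenied(disableAclTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC);`. The enclosing testDisableTable begins in the earlier @@ -418 hunk.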
@@ -444,20 +510,39 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction enableTable = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER - .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + ACCESS_CONTROLLER.preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), + tableName); + return null; + } + }; + + verifyAllowed(enableTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); + } + + @Test + public void testTableFlush() throws Exception { + AccessTestAction tableFlushAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preTableFlush(ObserverContext.createAndPrepare(CP_ENV, null), + tableName); return null; } }; - verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(tableFlushAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(tableFlushAction, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test public void testMove() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); 
@@ -472,14 +557,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test public void testAssign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -492,14 +578,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test public void testUnassign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); 
@@ -512,14 +599,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test public void testRegionOffline() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(tableName)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -532,8 +620,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test @@ -546,7 +635,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -560,7 +649,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -574,7 +663,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } 
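Review bot: The hunks at @@ -546, @@ -560 and @@ -574 update only the allowed side to USER_GLOBAL_ALL and leave `verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);` unchanged, so none of the users this patch introduces (USER_ADMIN, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC) is exercised against these cluster-level actions. Those are the cases that show table- or namespace-scoped ADMIN does not reach cluster operations, which is the stated goal of the change; add each new user to the allowed or denied list the ACL matrix prescribes for that operation, as the @@ -472 hunk does for move. The same omission appears in the hunks at @@ -588, -607, -623, -642, -656, -671, -837, -1006, -1707, -1721 and -1735. The action bodies and test method names lie outside these hunks.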
@@ -588,12 +677,12 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } private void verifyWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(action, USER_NONE, USER_RO); } @@ -607,7 +696,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -623,13 +712,13 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @Test public void testMergeRegions() throws Exception { - final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE.getTableName()); + final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(tableName); assertTrue("not enough regions: " + regions.size(), regions.size() >= 2); AccessTestAction action = new AccessTestAction() { @@ -642,7 +731,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } 
@@ -656,7 +745,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } @@ -671,17 +760,17 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } private void verifyRead(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW, USER_RO); verifyDenied(action, USER_NONE); } private void verifyReadWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(action, USER_NONE, USER_RO); } @@ -694,7 +783,7 @@ public class TestAccessController extends SecureTestUtil { Get g = new Get(TEST_ROW); g.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(tableName)) { t.get(g); } return null; @@ -709,7 +798,7 @@ public class TestAccessController extends SecureTestUtil { Scan s = new Scan(); s.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table table = conn.getTable(TEST_TABLE.getTableName())) { + Table table = conn.getTable(tableName)) { ResultScanner scanner = table.getScanner(s); try { for (Result r = scanner.next(); r != null; r = scanner.next()) { 
@@ -736,7 +825,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(tableName)) { t.put(p); } return null; @@ -751,7 +840,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(tableName)) { t.delete(d); } return null; @@ -766,7 +855,7 @@ public class TestAccessController extends SecureTestUtil { Increment inc = new Increment(TEST_ROW); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { t.increment(inc); } return null; @@ -784,7 +873,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), d); } @@ -800,7 +889,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), p); } 
@@ -829,7 +918,7 @@ public class TestAccessController extends SecureTestUtil { Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); new BulkLoadHelper(bulkLoadBasePath) - .bulkLoadHFile(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows); + .bulkLoadHFile(tableName, TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows); return null; } @@ -837,12 +926,12 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(bulkLoadAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); // Reinit after the bulk upload - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE.getTableName()); + TEST_UTIL.getHBaseAdmin().disableTable(tableName); + TEST_UTIL.getHBaseAdmin().enableTable(tableName); } public class BulkLoadHelper { @@ -934,7 +1023,7 @@ public class TestAccessController extends SecureTestUtil { Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(tableName)) { t.put(put); t.append(append); } @@ -942,7 +1031,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(appendAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(appendAction, USER_RO, USER_NONE); } 
@@ -953,10 +1042,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), + ProtobufUtil.grant(protocol, USER_RO.getShortName(), tableName, TEST_FAMILY, null, Action.READ); } return null; @@ -968,10 +1057,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), + ProtobufUtil.revoke(protocol, USER_RO.getShortName(), tableName, TEST_FAMILY, null, Action.READ); } return null; 
@@ -983,10 +1072,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)){ - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); + ProtobufUtil.getUserPermissions(protocol, tableName); } return null; } @@ -1006,16 +1095,16 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } 
@@ -1524,7 +1613,7 @@ public class TestAccessController extends SecureTestUtil { } finally { acl.close(); } - UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), + UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_GLOBAL_ALL.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); assertTrue("Only user admin has permission on table _acl_ per setup", perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); @@ -1573,19 +1662,19 @@ public class TestAccessController extends SecureTestUtil { User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); grantOnTable(TEST_UTIL, userTable.getShortName(), - TEST_TABLE.getTableName(), null, null, + tableName, null, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userColumn.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + tableName, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userQualifier.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + tableName, TEST_FAMILY, TEST_Q1, Permission.Action.READ); AccessTestAction tableRead = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), null, null, + checkTablePerms(TEST_UTIL, tableName, null, null, Permission.Action.READ); return null; } @@ -1594,7 +1683,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction columnRead = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, + checkTablePerms(TEST_UTIL, tableName, TEST_FAMILY, null, Permission.Action.READ); return null; } 
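Review bot: In the @@ -1524 hunk `adminPerm` is now built from USER_GLOBAL_ALL, but the assertion message on the following lines still reads "Only user admin has permission on table _acl_ per setup", which is misleading now that a table-scoped USER_ADMIN also exists. Change it to `"Only user " + USER_GLOBAL_ALL.getShortName() + " has permission on table _acl_ per setup"` so a failure names the user actually being checked. The enclosing test method starts before this hunk.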
@@ -1603,7 +1692,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction qualifierRead = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + checkTablePerms(TEST_UTIL, tableName, TEST_FAMILY, TEST_Q1, Permission.Action.READ); return null; } @@ -1612,10 +1701,10 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction multiQualifierRead = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] { - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + checkTablePerms(TEST_UTIL, tableName, new Permission[] { + new TablePermission(tableName, TEST_FAMILY, TEST_Q1, Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2, + new TablePermission(tableName, TEST_FAMILY, TEST_Q2, Permission.Action.READ), }); return null; } @@ -1624,9 +1713,9 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction globalAndTableRead = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), + checkTablePerms(TEST_UTIL, tableName, new Permission[] { new Permission(Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), null, (byte[]) null, + new TablePermission(tableName, null, (byte[]) null, Permission.Action.READ), }); return null; } @@ -1635,7 +1724,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction noCheck = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[0]); + checkTablePerms(TEST_UTIL, tableName, new Permission[0]); return null; } }; 
@@ -1661,7 +1750,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction familyReadWrite = new AccessTestAction() { @Override public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, + checkTablePerms(TEST_UTIL, tableName, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE); return null; } @@ -1677,7 +1766,7 @@ public class TestAccessController extends SecureTestUtil { .setType(AccessControlProtos.Permission.Type.Table) .setTablePermission( AccessControlProtos.TablePermission.newBuilder() - .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) + .setTableName(ProtobufUtil.toProtoTableName(tableName)) .addAction(AccessControlProtos.Permission.Action.CREATE)) ).build(); Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); @@ -1707,7 +1796,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1721,7 +1810,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1735,7 +1824,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } 
@@ -1749,17 +1838,17 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @Test public void testSnapshot() throws Exception { Admin admin = TEST_UTIL.getHBaseAdmin(); - final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName()); + final HTableDescriptor htd = admin.getTableDescriptor(tableName); SnapshotDescription.Builder builder = SnapshotDescription.newBuilder(); - builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot"); - builder.setTable(TEST_TABLE.getTableName().getNameAsString()); + builder.setName(tableName.getNameAsString() + "-snapshot"); + builder.setTable(tableName.getNameAsString()); final SnapshotDescription snapshot = builder.build(); AccessTestAction snapshotAction = new AccessTestAction() { @Override @@ -1770,6 +1859,14 @@ public class TestAccessController extends SecureTestUtil { } }; + AccessTestAction listAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), snapshot); + return null; + } + }; + AccessTestAction deleteAction = new AccessTestAction() { @Override public Object run() throws Exception { 
@@ -1797,26 +1894,35 @@ public class TestAccessController extends SecureTestUtil {
 }
 };
 
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER,
+ USER_NS_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE,
+ USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC);
 
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ALL);
+ verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_NS_ADMIN,
+ USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC);
 
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(deleteAction, SUPERUSER, USER_GLOBAL_ALL);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_NS_ADMIN,
+ USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC);
 
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(restoreAction, SUPERUSER, USER_GLOBAL_ALL);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC);
+
+ verifyAllowed(cloneAction, SUPERUSER, USER_GLOBAL_ALL);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_NS_ADMIN,
+ USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC);
 }
 
 @Test
 public void testSnapshotWithOwner() throws Exception {
 Admin admin = TEST_UTIL.getHBaseAdmin();
- final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName());
+ final HTableDescriptor htd = admin.getTableDescriptor(tableName);
 SnapshotDescription.Builder builder = SnapshotDescription.newBuilder();
- builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot");
- builder.setTable(TEST_TABLE.getTableName().getNameAsString());
+ builder.setName(tableName.getNameAsString() + "-snapshot");
+ builder.setTable(tableName.getNameAsString());
 builder.setOwner(USER_OWNER.getName());
 final SnapshotDescription snapshot = builder.build();
 AccessTestAction snapshotAction = new AccessTestAction() {
@@ -1827,9 +1933,20 @@ public class TestAccessController extends SecureTestUtil {
 return null;
 }
 };
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER);
 verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
 
+ AccessTestAction listAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null),
+ snapshot);
+ return null;
+ }
+ };
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER);
+ verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+
 AccessTestAction deleteAction = new AccessTestAction() {
 @Override
 public Object run() throws Exception {
@@ -1838,7 +1955,7 @@ public class TestAccessController extends SecureTestUtil {
 return null;
 }
 };
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyAllowed(deleteAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER);
 verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
 
 AccessTestAction restoreAction = new AccessTestAction() {
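Review bot: In the testSnapshot expectations (hunk @@ -1797,26 +1894,35 @@), USER_ADMIN (the new table-admin-only user) is listed for snapshotAction but appears in neither the allowed nor the denied list of listAction, deleteAction, restoreAction and cloneAction, so a table admin's outcome for those four snapshot operations is never asserted even though every other user is enumerated. Adding it to the denied calls, e.g. `verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_ADMIN, USER_NS_ADMIN, …);`, or to the allowed call where the ACL matrix permits it, closes the gap. The same omission of USER_ADMIN is in the quota hunk @@ -2329,20 +2446,27 @@ for setUserQuotaAction, setUserNamespaceQuotaAction and setNamespaceQuotaAction; it is worth one fix across all of them. The testSnapshot method starts outside this hunk.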
@@ -1849,7 +1966,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(restoreAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); AccessTestAction cloneAction = new AccessTestAction() { @@ -1862,7 +1979,7 @@ public class TestAccessController extends SecureTestUtil { }; // Clone by snapshot owner is not allowed , because clone operation creates a new table, // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); + verifyAllowed(cloneAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1934,7 +2051,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - USER_ADMIN.runAs(putAction); + USER_GLOBAL_ALL.runAs(putAction); } } @@ -1944,7 +2061,7 @@ public class TestAccessController extends SecureTestUtil { // Grant TABLE ADMIN privs grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + tableName, null, null, Permission.Action.ADMIN); AccessTestAction listTablesAction = new AccessTestAction() { 
@@ -1962,15 +2079,15 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = conn.getAdmin();) { - return admin.getTableDescriptor(TEST_TABLE.getTableName()); + return admin.getTableDescriptor(tableName); } } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyAllowed(listTablesAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, TABLE_ADMIN); verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyAllowed(getTableDescAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, TABLE_ADMIN); verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); } @@ -1991,7 +2108,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + verifyAllowed(listTablesAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, USER_RW, USER_RO); verifyIfEmptyList(listTablesAction, USER_NONE); } @@ -2002,7 +2119,7 @@ public class TestAccessController extends SecureTestUtil { // Grant TABLE ADMIN privs grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + tableName, null, null, Permission.Action.ADMIN); AccessTestAction deleteTableAction = new AccessTestAction() { @@ -2011,7 +2128,7 @@ public class TestAccessController extends SecureTestUtil { Connection unmanagedConnection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = unmanagedConnection.getAdmin(); try { - deleteTable(TEST_UTIL, admin, TEST_TABLE.getTableName()); + deleteTable(TEST_UTIL, admin, tableName); } finally { admin.close(); unmanagedConnection.close(); 
@@ -2030,13 +2147,13 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { return t.get(new Get(TEST_ROW)); } } }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); + String namespace = tableName.getNamespaceAsString(); // Grant namespace READ to USER_NONE, this should supersede any table permissions grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); @@ -2056,7 +2173,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { return t.get(new Get(TEST_ROW)); } } @@ -2067,7 +2184,7 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGrantRevoke. try { grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + tableName, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } @@ -2078,7 +2195,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGrantRevoke. try { revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + tableName, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); } 
@@ -2096,7 +2213,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(tableName)) { return t.get(new Get(TEST_ROW)); } } @@ -2135,7 +2252,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { return t.get(new Get(TEST_ROW)); } } @@ -2146,7 +2263,7 @@ public class TestAccessController extends SecureTestUtil { // Grant namespace READ to testNS, this should supersede any table permissions try { grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + tableName.getNamespaceAsString(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } @@ -2157,7 +2274,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke namespace READ to testNS, this should supersede any table permissions try { revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + tableName.getNamespaceAsString(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); } 
@@ -2218,7 +2335,7 @@ public class TestAccessController extends SecureTestUtil { for (JVMClusterUtil.RegionServerThread thread: TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) { HRegionServer rs = thread.getRegionServer(); - for (Region region: rs.getOnlineRegions(TEST_TABLE.getTableName())) { + for (Region region: rs.getOnlineRegions(tableName)) { region.getCoprocessorHost().load(PingCoprocessor.class, Coprocessor.PRIORITY_USER, conf); } @@ -2230,7 +2347,7 @@ public class TestAccessController extends SecureTestUtil { User userB = User.createUserForTesting(conf, "UserB", new String[0]); grantOnTable(TEST_UTIL, userA.getShortName(), - TEST_TABLE.getTableName(), null, null, + tableName, null, null, Permission.Action.EXEC); // Create an action for invoking our test endpoint @@ -2238,7 +2355,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); } @@ -2246,7 +2363,7 @@ public class TestAccessController extends SecureTestUtil { } }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); + String namespace = tableName.getNamespaceAsString(); // Now grant EXEC to the entire namespace to user B grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); // User B should now be allowed also 
@@ -2264,7 +2381,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(tableName);) { KeyValue kv = new KeyValue(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, HConstants.LATEST_TIMESTAMP, HConstants.EMPTY_BYTE_ARRAY, new Tag[] { new Tag(AccessControlLists.ACL_TAG_TYPE, @@ -2279,7 +2396,7 @@ public class TestAccessController extends SecureTestUtil { // Current user is superuser verifyAllowed(putWithReservedTag, User.getCurrent()); // No other user should be allowed - verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); + verifyDenied(putWithReservedTag, USER_OWNER, USER_GLOBAL_ALL, USER_CREATE, USER_RW, USER_RO); } @Test @@ -2297,7 +2414,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), - null, TEST_TABLE.getTableName(), null); + null, tableName, null); return null; } }; @@ -2315,7 +2432,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preSetTableQuota(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), null); + tableName, null); return null; } }; 
@@ -2329,20 +2446,27 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setUserQuotaAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, + USER_NS_ADMIN); + verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(setTableQuotaAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, + USER_NS_ADMIN); + verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, 
USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -2366,14 +2490,14 @@ public class TestAccessController extends SecureTestUtil { public void testTruncatePerms() throws Exception { try { List existingPerms = AccessControlClient.getUserPermissions( - systemUserConnection, TEST_TABLE.getTableName().getNameAsString()); + systemUserConnection, tableName.getNameAsString()); assertTrue(existingPerms != null); assertTrue(existingPerms.size() > 1); - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.truncateTable(TEST_TABLE.getTableName()); - TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName()); + TEST_UTIL.getHBaseAdmin().disableTable(tableName); + TEST_UTIL.truncateTable(tableName); + TEST_UTIL.waitTableAvailable(tableName); List perms = AccessControlClient.getUserPermissions( - systemUserConnection, TEST_TABLE.getTableName().getNameAsString()); + systemUserConnection, tableName.getNameAsString()); assertTrue(perms != null); assertEquals(existingPerms.size(), perms.size()); } catch (Throwable e) { 
@@ -2399,18 +2523,19 @@ public class TestAccessController extends SecureTestUtil { public void testAccessControlClientUserPerms() throws Exception { // adding default prefix explicitly as it is not included in the table name. assertEquals(NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR, - TEST_TABLE.getTableName().getNamespaceAsString()); + tableName.getNamespaceAsString()); final String regex = NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + - TableName.NAMESPACE_DELIM + TEST_TABLE.getTableName().getNameAsString(); + TableName.NAMESPACE_DELIM + tableName.getNameAsString(); User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); // Grant TABLE ADMIN privs to testUserPerms - grantOnTable(TEST_UTIL, testUserPerms.getShortName(), TEST_TABLE.getTableName(), null, + grantOnTable(TEST_UTIL, testUserPerms.getShortName(), tableName, null, null, Action.ADMIN); List perms = testUserPerms.runAs(getPrivilegedAction(regex)); assertNotNull(perms); - // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each. - assertEquals(6, perms.size()); + // USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has + // row each. + assertEquals(7, perms.size()); } @Test @@ -2449,7 +2574,7 @@ public class TestAccessController extends SecureTestUtil { grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table2, null, null, Action.ADMIN); assertEquals(4, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); - // USER_ADMIN, testUserPerms must have a row each. + // USER_GLOBAL_ALL, testUserPerms must have a row each. assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(tableName)).size()); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + TableName.NAMESPACE_DELIM + tableName) 
@@ -2464,7 +2589,7 @@ public class TestAccessController extends SecureTestUtil {
 }
 
 private void verifyAnyCreate(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
+ verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
 verifyDenied(action, USER_NONE, USER_RO, USER_RW);
 }
 
@@ -2501,7 +2626,26 @@ public class TestAccessController extends SecureTestUtil {
 }
 };
 
- verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
+ verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_GLOBAL_ALL);
 verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
 }
+
+ @Test
+ public void testGetTableDescriptors() throws Exception {
+ final List list = new ArrayList();
+ list.add(tableName);
+ AccessTestAction getTableDescriptorsAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preGetTableDescriptors(ObserverContext.createAndPrepare(CP_ENV, null),
+ list, null, null);
+ return null;
+ }
+ };
+
+ verifyAllowed(getTableDescriptorsAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE,
+ USER_OWNER, USER_NS_ADMIN, USER_NS_CREATE);
+ verifyDenied(getTableDescriptorsAction, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE,
+ USER_NS_READ, USER_NS_EXEC);
+ }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 457bb3b..183b0c0 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
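Review bot: `final List list = new ArrayList();` in the new testGetTableDescriptors uses raw types, which drops the compiler's check that the list handed to preGetTableDescriptors holds TableName instances; declare it as `final List<TableName> list = new ArrayList<TableName>();` (this commit already adds the java.util.ArrayList import alongside the existing java.util.List one). The call also passes `null` for the descriptor-list and regex parameters with no explanation; a short comment such as `// only the requested table names drive the ACL check here; descriptors and regex are unused by this test` would tell the next reader why that is acceptable, assuming that is indeed how the controller treats them (not verifiable from this diff). The first hunk of this line is a rename only.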
@@ -20,16 +20,13 @@ package org.apache.hadoop.hbase.security.access;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
-import java.util.List;
 import java.util.Arrays;
+import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
-import org.apache.hadoop.hbase.HColumnDescriptor;
 import org.apache.hadoop.hbase.HConstants;
-import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
-import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Admin;
 import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
@@ -92,9 +89,6 @@ public class TestNamespaceCommands extends SecureTestUtil {
 //user with create table permissions alone
 private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
 
- private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
- private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
-
 @BeforeClass
 public static void beforeClass() throws Exception {
 conf = UTIL.getConfiguration();
@@ -462,35 +456,4 @@ public class TestNamespaceCommands extends SecureTestUtil {
 USER_TABLE_CREATE,
 USER_TABLE_WRITE);
 }
-
- @Test
- public void testCreateTableWithNamespace() throws Exception {
- AccessTestAction createTable = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE));
- htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
- ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null);
- return null;
- }
- };
-
- //createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable,
- SUPERUSER,
- USER_GLOBAL_CREATE,
- USER_NS_CREATE);
-
- verifyDenied(createTable,
- USER_GLOBAL_ADMIN,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
- }
 }
-- 
1.9.2.msysgit.0