From b1e9aeba23208fabe2a9e6be4a9a15ee2f287a6b Mon Sep 17 00:00:00 2001 From: Ashish Singhi Date: Fri, 8 May 2015 14:55:55 +0530 Subject: [PATCH] HBASE-13562 Expand AC testing coverage to include all combinations of scope and permissions of master interface --- .../security/access/TestAccessController.java | 332 +++++++++++++++------ .../security/access/TestNamespaceCommands.java | 37 --- 2 files changed, 238 insertions(+), 131 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 11b9006..bb21449 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -25,6 +25,7 @@ import static org.junit.Assert.fail; import java.io.IOException; import java.security.PrivilegedAction; +import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -138,6 +139,7 @@ public class TestAccessController extends SecureTestUtil { } @Rule public TestTableName TEST_TABLE = new TestTableName(); + private static String TEST_NAMESPACE = null; private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; @@ -149,8 +151,8 @@ public class TestAccessController extends SecureTestUtil { // user with all permissions private static User SUPERUSER; - // user granted with all global permission - private static User USER_ADMIN; + // global user with all the permissions + private static User USER_GLOBAL_ALL; // user with rw permissions on column family. private static User USER_RW; // user with read-only permissions @@ -163,6 +165,19 @@ public class TestAccessController extends SecureTestUtil { private static User USER_NONE; // user with admin rights on the column family private static User USER_ADMIN_CF; + // user with admin table permissions alone + private static User USER_ADMIN; + + // user with A permission on namespace + private static User USER_NS_ADMIN; + // user with C permission on namespace + private static User USER_NS_CREATE; + // user with W permission on namespace + private static User USER_NS_WRITE; + // user with R permission on namespace. + private static User USER_NS_READ; + // user with X permission on namespace. + private static User USER_NS_EXEC; // TODO: convert this test to cover the full matrix in // https://hbase.apache.org/book/appendix_acl_matrix.html @@ -210,14 +225,21 @@ public class TestAccessController extends SecureTestUtil { // create a set of test users SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); - USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]); + USER_GLOBAL_ALL = User.createUserForTesting(conf, "admin2", new String[0]); USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]); USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); + USER_ADMIN = User.createUserForTesting(conf, "tbl_admin", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); + USER_NS_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]); + USER_NS_CREATE = User.createUserForTesting(conf, "namespace_create", new String[0]); + USER_NS_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]); + USER_NS_READ = User.createUserForTesting(conf, "namespace_read", new String[0]); + USER_NS_EXEC = User.createUserForTesting(conf, "namespace_exec", new String[0]); + systemUserConnection = TEST_UTIL.getConnection(); } @@ -228,8 +250,6 @@ public class TestAccessController extends SecureTestUtil { @Before public void setUp() throws Exception { - // Create the test table (owner added to the _acl_ table) - Admin admin = TEST_UTIL.getHBaseAdmin(); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); hcd.setMaxVersions(100); @@ -242,9 +262,11 @@ public class TestAccessController extends SecureTestUtil { RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); + TEST_NAMESPACE = TEST_TABLE.getTableName().getNamespaceAsString(); + // Set up initial grants - grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), + grantGlobal(TEST_UTIL, USER_GLOBAL_ALL.getShortName(), Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, @@ -270,9 +292,25 @@ public class TestAccessController extends SecureTestUtil { TEST_TABLE.getTableName(), TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + grantOnTable(TEST_UTIL, USER_ADMIN.getShortName(), TEST_TABLE.getTableName(), null, null, + Permission.Action.ADMIN); + + // grants on namespace + grantOnNamespace(TEST_UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE, + Permission.Action.ADMIN); + grantOnNamespace(TEST_UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, + Permission.Action.CREATE); + grantOnNamespace(TEST_UTIL, USER_NS_WRITE.getShortName(), TEST_NAMESPACE, + Permission.Action.WRITE); + grantOnNamespace(TEST_UTIL, USER_NS_READ.getShortName(), TEST_NAMESPACE, Permission.Action.READ); + grantOnNamespace(TEST_UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC); + + assertEquals(6, AccessControlLists.getTablePermissions(conf, + TEST_TABLE.getTableName()).size()); + assertEquals(5, AccessControlLists.getNamespacePermissions(conf, + TEST_NAMESPACE).size()); try { - assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, + assertEquals(6, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.getUserPermissions. ", e); @@ -290,6 +328,18 @@ public class TestAccessController extends SecureTestUtil { } // Verify all table/namespace permissions are erased assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + + // revoking permissions explicitly as TEST_NAMESPACE i.e. default namespace cannot be deleted. + revokeFromNamespace(TEST_UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE, + Permission.Action.ADMIN); + revokeFromNamespace(TEST_UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, + Permission.Action.CREATE); + revokeFromNamespace(TEST_UTIL, USER_NS_WRITE.getShortName(), TEST_NAMESPACE, + Permission.Action.WRITE); + revokeFromNamespace(TEST_UTIL, USER_NS_READ.getShortName(), TEST_NAMESPACE, + Permission.Action.READ); + revokeFromNamespace(TEST_UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, + Permission.Action.EXEC); assertEquals( 0, AccessControlLists.getNamespacePermissions(conf, @@ -301,18 +351,18 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction createTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TableName.valueOf("testnewtable")); + HTableDescriptor htd = + new HTableDescriptor(TableName.valueOf(TEST_TABLE.getTableName().getNamespaceAsString() + + "testnewtable")); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null); return null; } }; - // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN); - - // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_ALL, USER_NS_CREATE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_ADMIN, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -329,8 +379,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(modifyTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -344,8 +396,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(deleteTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -360,8 +414,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(truncateTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -376,8 +432,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -393,8 +451,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_ADMIN_CF, USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -408,8 +467,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_ADMIN_CF, USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -432,11 +492,14 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(disableTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); // No user should be allowed to disable _acl_ table - verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO); + verifyDenied(disableAclTable, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, USER_RW, + USER_RO, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -450,8 +513,27 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(enableTable, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); + } + + @Test + public void testTableFlush() throws Exception { + AccessTestAction tableFlushAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preTableFlush(ObserverContext.createAndPrepare(CP_ENV, null), + TEST_TABLE.getTableName()); + return null; + } + }; + + verifyAllowed(tableFlushAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, + USER_OWNER, USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(tableFlushAction, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, USER_NS_READ, + USER_NS_EXEC); } @Test @@ -472,8 +554,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test @@ -492,8 +575,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test @@ -512,8 +596,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test @@ -532,8 +617,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, USER_NS_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); } @Test @@ -546,7 +632,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -560,7 +646,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -574,7 +660,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -588,12 +674,12 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } private void verifyWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(action, USER_NONE, USER_RO); } @@ -607,7 +693,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -623,7 +709,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -642,7 +728,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); } @@ -656,7 +742,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } @@ -671,17 +757,17 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(action, USER_RW, USER_RO, USER_NONE); } private void verifyRead(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW, USER_RO); verifyDenied(action, USER_NONE); } private void verifyReadWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(action, USER_NONE, USER_RO); } @@ -837,7 +923,7 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyAllowed(bulkLoadAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE); verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); // Reinit after the bulk upload @@ -942,7 +1028,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); + verifyAllowed(appendAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_RW); verifyDenied(appendAction, USER_RO, USER_NONE); } @@ -1006,16 +1092,16 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1524,7 +1610,7 @@ public class TestAccessController extends SecureTestUtil { } finally { acl.close(); } - UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), + UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_GLOBAL_ALL.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); assertTrue("Only user admin has permission on table _acl_ per setup", perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); @@ -1707,7 +1793,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1721,7 +1807,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); } @@ -1735,7 +1821,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1749,7 +1835,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1770,6 +1856,15 @@ public class TestAccessController extends SecureTestUtil { } }; + AccessTestAction listAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), + snapshot); + return null; + } + }; + AccessTestAction deleteAction = new AccessTestAction() { @Override public Object run() throws Exception { @@ -1797,17 +1892,26 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(snapshotAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, + USER_NS_ADMIN); + verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); - verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_NS_ADMIN, + USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN); - verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(deleteAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_NS_ADMIN, + USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(restoreAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); + + verifyAllowed(cloneAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_NS_ADMIN, + USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -1827,9 +1931,20 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(snapshotAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER); verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + AccessTestAction listAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preListSnapshot(ObserverContext.createAndPrepare(CP_ENV, null), + snapshot); + return null; + } + }; + verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); + verifyDenied(listAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + AccessTestAction deleteAction = new AccessTestAction() { @Override public Object run() throws Exception { @@ -1838,7 +1953,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(deleteAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); AccessTestAction restoreAction = new AccessTestAction() { @@ -1849,7 +1964,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(restoreAction, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER); verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); AccessTestAction cloneAction = new AccessTestAction() { @@ -1862,7 +1977,7 @@ public class TestAccessController extends SecureTestUtil { }; // Clone by snapshot owner is not allowed , because clone operation creates a new table, // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); + verifyAllowed(cloneAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } @@ -1934,7 +2049,7 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - USER_ADMIN.runAs(putAction); + USER_GLOBAL_ALL.runAs(putAction); } } @@ -1967,10 +2082,12 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyAllowed(listTablesAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, + TABLE_ADMIN); verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyAllowed(getTableDescAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, + TABLE_ADMIN); verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); } @@ -1991,7 +2108,7 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + verifyAllowed(listTablesAction, SUPERUSER, USER_GLOBAL_ALL, USER_CREATE, USER_OWNER, USER_RW, USER_RO); verifyIfEmptyList(listTablesAction, USER_NONE); } @@ -2279,7 +2396,7 @@ public class TestAccessController extends SecureTestUtil { // Current user is superuser verifyAllowed(putWithReservedTag, User.getCurrent()); // No other user should be allowed - verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO); + verifyDenied(putWithReservedTag, USER_OWNER, USER_GLOBAL_ALL, USER_CREATE, USER_RW, USER_RO); } @Test @@ -2329,20 +2446,27 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setUserQuotaAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, + USER_NS_ADMIN); + verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(setTableQuotaAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_OWNER, + USER_NS_ADMIN); + verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_NS_CREATE, + USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); - verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_GLOBAL_ALL); + verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC); } @Test @@ -2409,8 +2533,9 @@ public class TestAccessController extends SecureTestUtil { null, Action.ADMIN); List perms = testUserPerms.runAs(getPrivilegedAction(regex)); assertNotNull(perms); - // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each. - assertEquals(6, perms.size()); + // USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has + // row each. + assertEquals(7, perms.size()); } @Test @@ -2449,7 +2574,7 @@ public class TestAccessController extends SecureTestUtil { grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table2, null, null, Action.ADMIN); assertEquals(4, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); - // USER_ADMIN, testUserPerms must have a row each. + // USER_GLOBAL_ALL, testUserPerms must have a row each. assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(tableName)).size()); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + TableName.NAMESPACE_DELIM + tableName) @@ -2464,7 +2589,7 @@ public class TestAccessController extends SecureTestUtil { } private void verifyAnyCreate(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF); + verifyAllowed(action, SUPERUSER, USER_GLOBAL_ALL, USER_OWNER, USER_CREATE, USER_ADMIN_CF); verifyDenied(action, USER_NONE, USER_RO, USER_RW); } @@ -2501,7 +2626,26 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN); + verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_GLOBAL_ALL); verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); } + + @Test + public void testGetTableDescriptors() throws Exception { + final List list = new ArrayList(); + list.add(TEST_TABLE.getTableName()); + AccessTestAction getTableDescriptorsAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preGetTableDescriptors(ObserverContext.createAndPrepare(CP_ENV, null), + list, null, null); + return null; + } + }; + + verifyAllowed(getTableDescriptorsAction, SUPERUSER, USER_GLOBAL_ALL, USER_ADMIN, USER_CREATE, + USER_OWNER, USER_NS_ADMIN, USER_NS_CREATE); + verifyDenied(getTableDescriptorsAction, USER_RW, USER_RO, USER_NONE, USER_NS_WRITE, + USER_NS_READ, USER_NS_EXEC); + } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 457bb3b..8b26658 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java @@ -25,11 +25,8 @@ import java.util.Arrays; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseTestingUtility; -import org.apache.hadoop.hbase.HColumnDescriptor; import org.apache.hadoop.hbase.HConstants; -import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.NamespaceDescriptor; -import org.apache.hadoop.hbase.TableName; import org.apache.hadoop.hbase.client.Admin; import org.apache.hadoop.hbase.client.Connection; import org.apache.hadoop.hbase.client.ConnectionFactory; @@ -92,9 +89,6 @@ public class TestNamespaceCommands extends SecureTestUtil { //user with create table permissions alone private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER - private static String TEST_TABLE = TEST_NAMESPACE + ":testtable"; - private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); - @BeforeClass public static void beforeClass() throws Exception { conf = UTIL.getConfiguration(); @@ -462,35 +456,4 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_TABLE_CREATE, USER_TABLE_WRITE); } - - @Test - public void testCreateTableWithNamespace() throws Exception { - AccessTestAction createTable = new AccessTestAction() { - @Override - public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE)); - htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); - ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null); - return null; - } - }; - - //createTable : superuser | global(C) | NS(C) - verifyAllowed(createTable, - SUPERUSER, - USER_GLOBAL_CREATE, - USER_NS_CREATE); - - verifyDenied(createTable, - USER_GLOBAL_ADMIN, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); - } } -- 1.9.5.msysgit.0