From cb3ba2c2d3e0d2743593852e4d7636dbfda75f3f Mon Sep 17 00:00:00 2001 From: Ashish Singhi Date: Tue, 12 May 2015 13:56:11 +0530 Subject: [PATCH] HBASE-13658 Improve the test run time for TestAccessController class --- .../security/access/TestAccessController.java | 496 +++++++++++---------- 1 file changed, 258 insertions(+), 238 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 11b9006..8439c1f 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -106,14 +106,10 @@ import org.apache.hadoop.hbase.testclassification.LargeTests; import org.apache.hadoop.hbase.testclassification.SecurityTests; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.JVMClusterUtil; -import org.apache.hadoop.hbase.util.TestTableName; import org.apache.log4j.Level; import org.apache.log4j.Logger; -import org.junit.After; import org.junit.AfterClass; -import org.junit.Before; import org.junit.BeforeClass; -import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; @@ -137,7 +133,7 @@ public class TestAccessController extends SecureTestUtil { Logger.getLogger(TableAuthManager.class).setLevel(Level.TRACE); } - @Rule public TestTableName TEST_TABLE = new TestTableName(); + private static TableName TEST_TABLE = TableName.valueOf("testtable1"); private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; 
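Review bot: `TEST_TABLE` in the hunk at -137 is declared `private static TableName` without `final`, although every test in the class now reads it as the one shared fixture. I would write `private static final TableName TEST_TABLE = TableName.valueOf("testtable1");`, so that no test can rebind the name and silently point later allow/deny checks at a different table. A short comment above the field saying that the table and its five grants are created once in `setupBeforeClass`, and must be left unchanged by each test, would document the new contract. The class body continues outside this hunk.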
@@ -176,7 +172,7 @@ public class TestAccessController extends SecureTestUtil { private static MasterCoprocessorEnvironment CP_ENV; private static AccessController ACCESS_CONTROLLER; private static RegionServerCoprocessorEnvironment RSCP_ENV; - private RegionCoprocessorEnvironment RCP_ENV; + private static RegionCoprocessorEnvironment RCP_ENV; @BeforeClass public static void setupBeforeClass() throws Exception { @@ -219,25 +215,24 @@ public class TestAccessController extends SecureTestUtil { USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); systemUserConnection = TEST_UTIL.getConnection(); + setUpTableAndUserPermissions(); } @AfterClass public static void tearDownAfterClass() throws Exception { + cleanUp(); TEST_UTIL.shutdownMiniCluster(); } - @Before - public void setUp() throws Exception { - // Create the test table (owner added to the _acl_ table) - Admin admin = TEST_UTIL.getHBaseAdmin(); - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + private static void setUpTableAndUserPermissions() throws Exception { + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); hcd.setMaxVersions(100); htd.addFamily(hcd); htd.setOwner(USER_OWNER); createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") }); - Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE.getTableName()).get(0); + Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); 
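Review bot: In `tearDownAfterClass` (hunk at -219), `cleanUp()` now runs before `TEST_UTIL.shutdownMiniCluster()`, and `cleanUp` contains a `deleteTable` call and two `assertEquals` checks that can throw. If any of them does, the mini cluster is never shut down. I would write `try { cleanUp(); } finally { TEST_UTIL.shutdownMiniCluster(); }`, so that a failed ACL check is still reported but the cluster is released.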
@@ -251,26 +246,26 @@ public class TestAccessController extends SecureTestUtil { Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RW.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE); // USER_CREATE is USER_RW plus CREATE permissions grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RO.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, TEST_TABLE.toString()).size()); 
@@ -279,21 +274,20 @@ public class TestAccessController extends SecureTestUtil { } } - @After - public void tearDown() throws Exception { + private static void cleanUp() throws Exception { // Clean the _acl_ table try { - deleteTable(TEST_UTIL, TEST_TABLE.getTableName()); + deleteTable(TEST_UTIL, TEST_TABLE); } catch (TableNotFoundException ex) { // Test deleted the table, no problem - LOG.info("Test deleted table " + TEST_TABLE.getTableName()); + LOG.info("Test deleted table " + TEST_TABLE); } // Verify all table/namespace permissions are erased - assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); assertEquals( 0, AccessControlLists.getNamespacePermissions(conf, - TEST_TABLE.getTableName().getNamespaceAsString()).size()); + TEST_TABLE.getNamespaceAsString()).size()); } @Test @@ -320,11 +314,11 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction modifyTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName())); ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), htd); + TEST_TABLE, htd); return null; } }; @@ -339,7 +333,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; 
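Review bot: The `catch (TableNotFoundException ex)` branch in `cleanUp` (hunk at -279) still treats a missing table as normal and logs "Test deleted table" at info level. That was reasonable when each test owned its table, but with one table per class a missing `TEST_TABLE` means some test dropped the shared fixture and every test that ran after it exercised the access checks against a table that no longer existed. I would make it visible, for example `LOG.warn("Shared table " + TEST_TABLE + " was deleted by a test");`, or fail outright. A one-line comment above `cleanUp` noting that it runs once from `tearDownAfterClass` would also help.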
@@ -355,7 +349,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { ACCESS_CONTROLLER .preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -370,7 +364,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction action = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(), + ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE, hcd); return null; } @@ -388,7 +382,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), hcd); + TEST_TABLE, hcd); return null; } }; @@ -403,7 +397,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), TEST_FAMILY); + TEST_TABLE, TEST_FAMILY); return null; } }; @@ -418,7 +412,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -445,7 +439,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; 
@@ -457,7 +451,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMove() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -479,7 +473,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAssign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -499,7 +493,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testUnassign() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); @@ -519,7 +513,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testRegionOffline() throws Exception { List regions; - try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) { + try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) { regions = locator.getAllRegionLocations(); } HRegionLocation location = regions.get(0); 
@@ -629,7 +623,9 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMergeRegions() throws Exception { - final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE.getTableName()); + final TableName tname = TableName.valueOf("testMergeRegions"); + createTestTable(tname); + final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(tname); assertTrue("not enough regions: " + regions.size(), regions.size() >= 2); AccessTestAction action = new AccessTestAction() { @@ -644,6 +640,9 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + + // Cleanup + deleteTable(TEST_UTIL, tname); } @Test @@ -694,7 +693,7 @@ public class TestAccessController extends SecureTestUtil { Get g = new Get(TEST_ROW); g.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.get(g); } return null; @@ -709,7 +708,7 @@ public class TestAccessController extends SecureTestUtil { Scan s = new Scan(); s.addFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table table = conn.getTable(TEST_TABLE.getTableName())) { + Table table = conn.getTable(TEST_TABLE)) { ResultScanner scanner = table.getScanner(s); try { for (Result r = scanner.next(); r != null; r = scanner.next()) { @@ -736,7 +735,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.put(p); } return null; 
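Review bot: `deleteTable(TEST_UTIL, tname)` at the end of `testMergeRegions` (hunk at -644) only runs when both verify calls pass, so a failed assertion leaves the `testMergeRegions` table, and whatever ACL entries were created for it, behind for the rest of the class. Wrapping everything after `createTestTable(tname)` in `try { … } finally { deleteTable(TEST_UTIL, tname); }` would match the try/finally cleanup this patch adds in the hunks at -1573 and -1943. The grant-back added in the hunk at -1018 (`grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ)`) has the same shape and matters more: if a verify fails after the revoke action has run, USER_RO stays without READ on the shared table and later allow/deny checks run against the wrong baseline. `testTableDeletion` (hunk at -1999) likewise creates its own table with no cleanup on the failure path.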
@@ -751,7 +750,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.delete(d); } return null; @@ -766,7 +765,7 @@ public class TestAccessController extends SecureTestUtil { Increment inc = new Increment(TEST_ROW); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { t.increment(inc); } return null; @@ -784,7 +783,7 @@ public class TestAccessController extends SecureTestUtil { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), d); } @@ -800,7 +799,7 @@ public class TestAccessController extends SecureTestUtil { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), p); } @@ -828,8 +827,8 @@ public class TestAccessController extends SecureTestUtil { byte[][][] hfileRanges = {{{(byte)0}, {(byte)9}}}; Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); - new BulkLoadHelper(bulkLoadBasePath) - .bulkLoadHFile(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows); + new BulkLoadHelper(bulkLoadBasePath).bulkLoadHFile(TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, + hfileRanges, numRows); return null; } 
@@ -841,8 +840,8 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); // Reinit after the bulk upload - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE.getTableName()); + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE); } public class BulkLoadHelper { @@ -934,7 +933,7 @@ public class TestAccessController extends SecureTestUtil { Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { t.put(put); t.append(append); } @@ -953,11 +952,11 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); + ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Action.READ); } return null; } 
@@ -968,11 +967,11 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), - TEST_FAMILY, null, Action.READ); + ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Action.READ); } return null; } @@ -983,10 +982,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)){ - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); + AccessControlService.newBlockingStub(service); + ProtobufUtil.getUserPermissions(protocol, TEST_TABLE); } return null; } @@ -1018,6 +1017,10 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + + // Cleanup, Grant the revoked permission back to the user + grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); } @Test 
@@ -1573,127 +1576,134 @@ public class TestAccessController extends SecureTestUtil { User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); grantOnTable(TEST_UTIL, userTable.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userColumn.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userQualifier.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); - AccessTestAction tableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), null, null, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction columnRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ); - return null; - } - }; + try { + AccessTestAction tableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ); + return null; + } + }; - AccessTestAction qualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ); - return null; - } - }; + AccessTestAction columnRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); + return null; + } + }; - AccessTestAction multiQualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] { - new 
TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2, - Permission.Action.READ), }); - return null; - } - }; + AccessTestAction qualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + return null; + } + }; - AccessTestAction globalAndTableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), - new Permission[] { new Permission(Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), null, (byte[]) null, - Permission.Action.READ), }); - return null; - } - }; + AccessTestAction multiQualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ), + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q2, Permission.Action.READ), }); + return null; + } + }; - AccessTestAction noCheck = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[0]); - return null; - } - }; + AccessTestAction globalAndTableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new Permission(Permission.Action.READ), + new TablePermission(TEST_TABLE, null, (byte[]) null, Permission.Action.READ), }); + return null; + } + }; - verifyAllowed(tableRead, SUPERUSER, userTable); - verifyDenied(tableRead, userColumn, userQualifier); + AccessTestAction noCheck = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[0]); + return null; + } + }; - 
verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); - verifyDenied(columnRead, userQualifier); + verifyAllowed(tableRead, SUPERUSER, userTable); + verifyDenied(tableRead, userColumn, userQualifier); - verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); + verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); + verifyDenied(columnRead, userQualifier); - verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); - verifyDenied(multiQualifierRead, userQualifier); + verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); - verifyAllowed(globalAndTableRead, SUPERUSER); - verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); + verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); + verifyDenied(multiQualifierRead, userQualifier); - verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); + verifyAllowed(globalAndTableRead, SUPERUSER); + verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); - // -------------------------------------- - // test family level multiple permissions - AccessTestAction familyReadWrite = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ, Permission.Action.WRITE); - return null; - } - }; + verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); - verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(familyReadWrite, USER_NONE, USER_RO); + // -------------------------------------- + // test family level multiple permissions + AccessTestAction familyReadWrite = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, + Permission.Action.WRITE); + return null; + } + }; - // -------------------------------------- - // check for wrong 
table region - CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder() - .addPermission(AccessControlProtos.Permission.newBuilder() - .setType(AccessControlProtos.Permission.Type.Table) - .setTablePermission( - AccessControlProtos.TablePermission.newBuilder() - .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) - .addAction(AccessControlProtos.Permission.Action.CREATE)) - ).build(); - Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(channel); + verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); + verifyDenied(familyReadWrite, USER_NONE, USER_RO); + + // -------------------------------------- + // check for wrong table region + CheckPermissionsRequest checkRequest = + CheckPermissionsRequest + .newBuilder() + .addPermission( + AccessControlProtos.Permission + .newBuilder() + .setType(AccessControlProtos.Permission.Type.Table) + .setTablePermission( + AccessControlProtos.TablePermission.newBuilder() + .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE)) + .addAction(AccessControlProtos.Permission.Action.CREATE))).build(); + Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME); try { - // but ask for TablePermissions for TEST_TABLE - protocol.checkPermissions(null, checkRequest); - fail("this should have thrown CoprocessorException"); - } catch (ServiceException ex) { - // expected + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + try { + // but ask for TablePermissions for TEST_TABLE + protocol.checkPermissions(null, checkRequest); + fail("this should have thrown CoprocessorException"); + } catch (ServiceException ex) { + // expected + } + } finally { + 
acl.close(); } + } finally { - acl.close(); + revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, + Permission.Action.READ); } } @@ -1756,10 +1766,10 @@ public class TestAccessController extends SecureTestUtil { @Test public void testSnapshot() throws Exception { Admin admin = TEST_UTIL.getHBaseAdmin(); - final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName()); + final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE); SnapshotDescription.Builder builder = SnapshotDescription.newBuilder(); - builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot"); - builder.setTable(TEST_TABLE.getTableName().getNameAsString()); + builder.setName(TEST_TABLE.getNameAsString() + "-snapshot"); + builder.setTable(TEST_TABLE.getNameAsString()); final SnapshotDescription snapshot = builder.build(); AccessTestAction snapshotAction = new AccessTestAction() { @Override @@ -1813,10 +1823,10 @@ public class TestAccessController extends SecureTestUtil { @Test public void testSnapshotWithOwner() throws Exception { Admin admin = TEST_UTIL.getHBaseAdmin(); - final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName()); + final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE); SnapshotDescription.Builder builder = SnapshotDescription.newBuilder(); - builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot"); - builder.setTable(TEST_TABLE.getTableName().getNameAsString()); + builder.setName(TEST_TABLE.getNameAsString() + "-snapshot"); + builder.setTable(TEST_TABLE.getNameAsString()); builder.setOwner(USER_OWNER.getName()); final SnapshotDescription snapshot = builder.build(); AccessTestAction snapshotAction = new AccessTestAction() { 
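Review bot: The negative check near the end of the hunk at -1573 passes on any `ServiceException`: the `catch (ServiceException ex)` body is only `// expected`, while the `fail(...)` message says a CoprocessorException is what should have been thrown. A transport or lookup failure would satisfy the test just as well as the intended rejection. I would assert on the cause or message inside the catch so the test proves the request was refused for the wrong-region reason; the exact cause type is not visible in this hunk, so confirm it against AccessController first. Separately, `acl` could be opened with try-with-resources as the rest of the file does, which removes the inner `finally { acl.close(); }`. The enclosing test method starts outside the hunk.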
@@ -1871,15 +1881,6 @@ public class TestAccessController extends SecureTestUtil { LOG.debug("Test for global authorization for a new registered RegionServer."); MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster(); - // Since each RegionServer running on different user, add global - // permissions for the new user. - String currentUser = User.getCurrent().getShortName(); - String activeUserForNewRs = currentUser + ".hfs." + - hbaseCluster.getLiveRegionServerThreads().size(); - grantGlobal(TEST_UTIL, activeUserForNewRs, - Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, - Permission.Action.WRITE); - final Admin admin = TEST_UTIL.getHBaseAdmin(); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); 
@@ -1943,35 +1944,40 @@ public class TestAccessController extends SecureTestUtil { User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, Permission.Action.ADMIN); - - AccessTestAction listTablesAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = conn.getAdmin()) { - return Arrays.asList(admin.listTables()); + try { + AccessTestAction listTablesAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin()) { + return Arrays.asList(admin.listTables()); + } } - } - }; + }; - AccessTestAction getTableDescAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); - Admin admin = conn.getAdmin();) { - return admin.getTableDescriptor(TEST_TABLE.getTableName()); + AccessTestAction getTableDescAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Admin admin = conn.getAdmin();) { + return admin.getTableDescriptor(TEST_TABLE); + } } - } - }; + }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, 
USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + TABLE_ADMIN); + verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + } finally { + // Cleanup, revoke TABLE ADMIN privs + revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, + Permission.Action.ADMIN); + } } @Test @@ -1999,19 +2005,20 @@ public class TestAccessController extends SecureTestUtil { @Test public void testTableDeletion() throws Exception { User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]); + final TableName tname = TableName.valueOf("testTableDeletion"); + createTestTable(tname); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, - Permission.Action.ADMIN); + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tname, null, null, Permission.Action.ADMIN); AccessTestAction deleteTableAction = new AccessTestAction() { @Override public Object run() throws Exception { - Connection unmanagedConnection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); + Connection unmanagedConnection = + ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = unmanagedConnection.getAdmin(); try { - deleteTable(TEST_UTIL, admin, TEST_TABLE.getTableName()); + deleteTable(TEST_UTIL, admin, tname); } finally { admin.close(); unmanagedConnection.close(); 
@@ -2024,19 +2031,28 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(deleteTableAction, TABLE_ADMIN); } + private void createTestTable(TableName tname) throws Exception { + HTableDescriptor htd = new HTableDescriptor(tname); + HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); + hcd.setMaxVersions(100); + htd.addFamily(hcd); + htd.setOwner(USER_OWNER); + createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") }); + } + @Test public void testNamespaceUserGrant() throws Exception { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); + String namespace = TEST_TABLE.getNamespaceAsString(); // Grant namespace READ to USER_NONE, this should supersede any table permissions grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ); @@ -2056,7 +2072,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } 
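Review bot: `createTestTable` (hunk at -2024) repeats the descriptor setup in `setUpTableAndUserPermissions` line for line: the same family, `setMaxVersions(100)`, owner and split key. It reads no instance state, so declaring it `private static void createTestTable(TableName tname) throws Exception` would let the class setup call `createTestTable(TEST_TABLE)` and keep a single definition of the fixture's shape. It also has no comment; I would add `/** Creates a table with TEST_FAMILY (100 versions), owned by USER_OWNER, pre-split at "s". */`.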
@@ -2066,8 +2082,8 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGrantRevoke. try { - grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, + testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } @@ -2077,8 +2093,8 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGrantRevoke. try { - revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, + testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); } @@ -2096,7 +2112,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName())) { + Table t = conn.getTable(TEST_TABLE)) { return t.get(new Get(TEST_ROW)); } } @@ -2135,7 +2151,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { return t.get(new Get(TEST_ROW)); } } 
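Review bot: The `catch (Throwable e)` blocks around `grantOnTableUsingAccessControlClient` and `revokeFromTableUsingAccessControlClient` only log, so a failed grant or revoke lets the test run on to assertions that then fail without naming the cause. A revoke that failed quietly would also leave READ for testGrantRevoke on TEST_TABLE, which the other tests here now use too. Failing at the cause is clearer: replace each `LOG.error(...)` with `throw new AssertionError("AccessControlClient.revoke failed", e);` (and the matching message for grant). The same log-and-continue pattern wraps the namespace grant and revoke for testNS in the hunks at -2146 and -2157. The enclosing test methods start and end outside these hunks.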
@@ -2146,7 +2162,7 @@ public class TestAccessController extends SecureTestUtil { // Grant namespace READ to testNS, this should supersede any table permissions try { grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + TEST_TABLE.getNamespaceAsString(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } @@ -2157,7 +2173,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke namespace READ to testNS, this should supersede any table permissions try { revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + TEST_TABLE.getNamespaceAsString(), Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke ", e); } @@ -2218,7 +2234,7 @@ public class TestAccessController extends SecureTestUtil { for (JVMClusterUtil.RegionServerThread thread: TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) { HRegionServer rs = thread.getRegionServer(); - for (Region region: rs.getOnlineRegions(TEST_TABLE.getTableName())) { + for (Region region: rs.getOnlineRegions(TEST_TABLE)) { region.getCoprocessorHost().load(PingCoprocessor.class, Coprocessor.PRIORITY_USER, conf); } @@ -2230,7 +2246,7 @@ public class TestAccessController extends SecureTestUtil { User userB = User.createUserForTesting(conf, "UserB", new String[0]); grantOnTable(TEST_UTIL, userA.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.EXEC); // Create an action for invoking our test endpoint 
@@ -2238,7 +2254,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); } @@ -2246,7 +2262,7 @@ public class TestAccessController extends SecureTestUtil { } }; - String namespace = TEST_TABLE.getTableName().getNamespaceAsString(); + String namespace = TEST_TABLE.getNamespaceAsString(); // Now grant EXEC to the entire namespace to user B grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC); // User B should now be allowed also @@ -2256,6 +2272,9 @@ public class TestAccessController extends SecureTestUtil { // Verify that EXEC permission is checked correctly verifyDenied(execEndpointAction, userB); verifyAllowed(execEndpointAction, userA); + + // Cleanup, revoke the userA privileges + revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, Permission.Action.EXEC); } @Test @@ -2264,7 +2283,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(TEST_TABLE.getTableName());) { + Table t = conn.getTable(TEST_TABLE);) { KeyValue kv = new KeyValue(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, HConstants.LATEST_TIMESTAMP, HConstants.EMPTY_BYTE_ARRAY, new Tag[] { new Tag(AccessControlLists.ACL_TAG_TYPE, 
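Review bot: The cleanup added in the hunk at -2256 runs only if both `verifyDenied(execEndpointAction, userB)` and `verifyAllowed(execEndpointAction, userA)` pass; when either throws, userA keeps EXEC on the shared TEST_TABLE for the rest of the class. The getTableDescAction test in this same patch puts its revoke in a `finally`, and this one should match: open a `try` right after the `grantOnTable` call and move the call into `finally { revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, Permission.Action.EXEC); }`. The namespace EXEC grant to userB in the hunk at -2246 deserves the same guard if its revoke is not already protected; that part of the method lies outside the hunks shown.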
@@ -2296,8 +2315,8 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction setUserTableQuotaAction = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), - null, TEST_TABLE.getTableName(), null); + ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), null, + TEST_TABLE, null); return null; } }; @@ -2315,7 +2334,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preSetTableQuota(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), null); + TEST_TABLE, null); return null; } }; @@ -2366,14 +2385,14 @@ public class TestAccessController extends SecureTestUtil { public void testTruncatePerms() throws Exception { try { List existingPerms = AccessControlClient.getUserPermissions( - systemUserConnection, TEST_TABLE.getTableName().getNameAsString()); + systemUserConnection, TEST_TABLE.getNameAsString()); assertTrue(existingPerms != null); assertTrue(existingPerms.size() > 1); - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.truncateTable(TEST_TABLE.getTableName()); - TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName()); + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.truncateTable(TEST_TABLE); + TEST_UTIL.waitTableAvailable(TEST_TABLE); List perms = AccessControlClient.getUserPermissions( - systemUserConnection, TEST_TABLE.getTableName().getNameAsString()); + systemUserConnection, TEST_TABLE.getNameAsString()); assertTrue(perms != null); assertEquals(existingPerms.size(), perms.size()); } catch (Throwable e) { 
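Review bot: In the hunk at -2366, `testTruncatePerms` now disables and truncates TEST_TABLE itself, the table the other tests in this class read from and grant on. Any test that runs afterwards sees an emptied table and, presumably, regions recreated by the truncate, and since JUnit does not fix the method order this can surface as intermittent failures elsewhere. A dedicated table keeps the truncate local: create it with `createTestTable(tname)`, add one `grantOnTable` so `existingPerms.size() > 1` still holds, and remove it with `deleteTable(TEST_UTIL, tname)` in a `finally`, as `testAccessControlClientUserPerms` does. The method body continues past the end of the hunk.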
@@ -2397,20 +2416,21 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAccessControlClientUserPerms() throws Exception { - // adding default prefix explicitly as it is not included in the table name. - assertEquals(NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR, - TEST_TABLE.getTableName().getNamespaceAsString()); - final String regex = NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + - TableName.NAMESPACE_DELIM + TEST_TABLE.getTableName().getNameAsString(); - User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); - assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); - // Grant TABLE ADMIN privs to testUserPerms - grantOnTable(TEST_UTIL, testUserPerms.getShortName(), TEST_TABLE.getTableName(), null, - null, Action.ADMIN); - List perms = testUserPerms.runAs(getPrivilegedAction(regex)); - assertNotNull(perms); - // USER_ADMIN, USER_CREATE, USER_RW, USER_RO, testUserPerms, USER_ADMIN_CF has row each. - assertEquals(6, perms.size()); + TableName tname = TableName.valueOf("testAccessControlClientUserPerms"); + createTestTable(tname); + try { + final String regex = tname.getNameWithNamespaceInclAsString(); + User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); + assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); + // Grant TABLE ADMIN privs to testUserPerms + grantOnTable(TEST_UTIL, testUserPerms.getShortName(), tname, null, null, Action.ADMIN); + List perms = testUserPerms.runAs(getPrivilegedAction(regex)); + assertNotNull(perms); + // Superuser, testUserPerms + assertEquals(2, perms.size()); + } finally { + deleteTable(TEST_UTIL, tname); + } } @Test -- 1.9.2.msysgit.0
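Review bot: The only check on the returned listing is `assertEquals(2, perms.size())`, which would also pass if the two entries belonged to the wrong users or carried the wrong actions. For an authorization listing it is worth asserting in addition that one entry is testUserPerms holding ADMIN on `tname`. The comment `// Superuser, testUserPerms` should also be checked against `createTestTable`, which sets USER_OWNER as the table owner; if the second row is the owner's, the comment should say so.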