From 763a449e675bb846f90449dcffad82d62a31fe91 Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Fri, 22 May 2015 19:01:35 +0530
Subject: [PATCH] HBASE-13658 Improve the test run time for TestAccessController class
---
 .../security/access/TestAccessController.java | 1393 ++++++++++----------
 1 file changed, 718 insertions(+), 675 deletions(-)
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index c77544e..d4fe59b 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -44,7 +44,6 @@ import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.HRegionInfo;
 import org.apache.hadoop.hbase.HTableDescriptor;
 import org.apache.hadoop.hbase.KeyValue;
-import org.apache.hadoop.hbase.testclassification.LargeTests;
 import org.apache.hadoop.hbase.MiniHBaseCluster;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
 import org.apache.hadoop.hbase.ServerName;
@@ -96,16 +95,13 @@ import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost;
 import org.apache.hadoop.hbase.regionserver.ScanType;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.security.access.Permission.Action;
+import org.apache.hadoop.hbase.testclassification.LargeTests;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.JVMClusterUtil;
-import org.apache.hadoop.hbase.util.TestTableName;
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
-import org.junit.After;
 import org.junit.AfterClass;
-import org.junit.Before;
 import org.junit.BeforeClass;
-import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
@@ -129,7 +125,7 @@ public class TestAccessController extends SecureTestUtil { Logger.getLogger(TableAuthManager.class).setLevel(Level.TRACE); } - @Rule public TestTableName TEST_TABLE = new TestTableName(); + private static TableName TEST_TABLE = TableName.valueOf("testtable1"); private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); private static Configuration conf; @@ -162,7 +158,7 @@ public class TestAccessController extends SecureTestUtil { private static MasterCoprocessorEnvironment CP_ENV; private static AccessController ACCESS_CONTROLLER; private static RegionServerCoprocessorEnvironment RSCP_ENV; - private RegionCoprocessorEnvironment RCP_ENV; + private static RegionCoprocessorEnvironment RCP_ENV; @BeforeClass public static void setupBeforeClass() throws Exception { 
@@ -207,26 +203,26 @@ public class TestAccessController extends SecureTestUtil { USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); + setUpTableAndUserPermissions(); } @AfterClass public static void tearDownAfterClass() throws Exception { + cleanUp(); TEST_UTIL.shutdownMiniCluster(); } - @Before - public void setUp() throws Exception { - // Create the test table (owner added to the _acl_ table) + private static void setUpTableAndUserPermissions() throws Exception { HBaseAdmin admin = TEST_UTIL.getHBaseAdmin(); - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); hcd.setMaxVersions(100); htd.addFamily(hcd); htd.setOwner(USER_OWNER); admin.createTable(htd, new byte[][] { Bytes.toBytes("s") }); - TEST_UTIL.waitUntilAllRegionsAssigned(TEST_TABLE.getTableName()); + TEST_UTIL.waitUntilAllRegionsAssigned(TEST_TABLE); - HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE.getTableName()).get(0); + HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); 
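Review bot: In `tearDownAfterClass`, `cleanUp()` now runs ahead of `TEST_UTIL.shutdownMiniCluster()` with nothing guarding it, so a failing `deleteTable` or a failing `assertEquals(0, ...)` inside `cleanUp` skips the shutdown and leaves the mini cluster running. Wrap the call: `try { cleanUp(); } finally { TEST_UTIL.shutdownMiniCluster(); }`. The old comment `// Create the test table (owner added to the _acl_ table)` was dropped from the setup code; `setUpTableAndUserPermissions` would be clearer with a short Javadoc saying the table and its grants are created once and shared by every test in the class, so tests must leave them as found. The body of `setUpTableAndUserPermissions` continues outside this hunk.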
@@ -240,26 +236,26 @@ public class TestAccessController extends SecureTestUtil { Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RW.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, Permission.Action.WRITE); // USER_CREATE is USER_RW plus CREATE permissions grantOnTable(TEST_UTIL, USER_CREATE.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE); grantOnTable(TEST_UTIL, USER_RO.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); - assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size()); } catch (Throwable e) { @@ -267,16 +263,15 @@ public class TestAccessController extends SecureTestUtil { } } - @After - public void tearDown() throws Exception { + private static void cleanUp() throws Exception { // Clean the _acl_ table try { - TEST_UTIL.deleteTable(TEST_TABLE.getTableName()); + TEST_UTIL.deleteTable(TEST_TABLE); } catch (TableNotFoundException ex) { // Test deleted the table, no problem - LOG.info("Test deleted table " + TEST_TABLE.getTableName()); + LOG.info("Test deleted table " + TEST_TABLE); } - assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size()); + assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); } @Test 
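Review bot: The `TableNotFoundException` branch in `cleanUp` keeps the comment `// Test deleted the table, no problem`, which no longer holds now that one `TEST_TABLE` and its five grants serve the whole class. A test that drops the table or leaves a grant changed alters what every later `verifyAllowed`/`verifyDenied` call observes, so an authorization check can pass or fail for the wrong reason. The five-grant baseline is asserted only once in setup, and the empty `_acl_` check that used to run after every test now runs once at class teardown. Reword the comment to something like `// Shared table already gone: some test removed it` and consider logging at a level that stands out, so an accidental deletion is visible in the test output.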
@@ -303,11 +298,11 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction modifyTable = new AccessTestAction() { @Override public Object run() throws Exception { - HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName()); + HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName())); ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), htd); + TEST_TABLE, htd); return null; } }; @@ -322,7 +317,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; @@ -338,7 +333,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { ACCESS_CONTROLLER .preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -353,7 +348,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction action = new AccessTestAction() { @Override public Object run() throws Exception { - ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(), + ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE, hcd); return null; } @@ -371,7 +366,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), hcd); + TEST_TABLE, hcd); return null; } }; 
@@ -386,7 +381,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName(), TEST_FAMILY); + TEST_TABLE, TEST_FAMILY); return null; } }; @@ -401,7 +396,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null), - TEST_TABLE.getTableName()); + TEST_TABLE); return null; } }; @@ -428,7 +423,7 @@ public class TestAccessController extends SecureTestUtil { @Override public Object run() throws Exception { ACCESS_CONTROLLER - .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName()); + .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE); return null; } }; @@ -440,7 +435,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMove() throws Exception { Map regions; - HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()); + HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); try { regions = table.getRegionLocations(); } finally { @@ -464,7 +459,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testAssign() throws Exception { Map regions; - HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()); + HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); try { regions = table.getRegionLocations(); } finally { @@ -488,7 +483,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testUnassign() throws Exception { Map regions; - HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()); + HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); try { regions = table.getRegionLocations(); } finally { 
@@ -512,7 +507,7 @@ public class TestAccessController extends SecureTestUtil { @Test public void testRegionOffline() throws Exception { Map regions; - HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE.getTableName()); + HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE); try { regions = table.getRegionLocations(); } finally { @@ -626,21 +621,34 @@ public class TestAccessController extends SecureTestUtil { @Test public void testMergeRegions() throws Exception { + final TableName tname = TableName.valueOf("testMergeRegions"); + createTestTable(tname); + try { + final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE); - final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE.getTableName()); - - AccessTestAction action = new AccessTestAction() { - @Override - public Object run() throws Exception { - ACCESS_CONTROLLER.preMerge( - ObserverContext.createAndPrepare(RSCP_ENV, null), + AccessTestAction action = new AccessTestAction() { + @Override + public Object run() throws Exception { + ACCESS_CONTROLLER.preMerge(ObserverContext.createAndPrepare(RSCP_ENV, null), regions.get(0), regions.get(1)); - return null; - } - }; + return null; + } + }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + } finally { + TEST_UTIL.deleteTable(tname); + } + } + + private void createTestTable(TableName tname) throws Exception { + HTableDescriptor htd = new HTableDescriptor(tname); + HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY); + hcd.setMaxVersions(100); + htd.addFamily(hcd); + htd.setOwner(USER_OWNER); + TEST_UTIL.createTable(htd, new byte[][] { Bytes.toBytes("s") }); } @Test 
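Review bot: `testMergeRegions` creates `tname` and deletes it in the `finally`, but the regions handed to `preMerge` still come from `findRegionsForTable(TEST_TABLE)`, so the new table is never exercised and its create/delete only adds run time. If the intent was to keep the merge check off the shared table, the lookup should read `final List regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(tname);`. Otherwise drop `createTestTable(tname)` and the `try`/`finally`. `createTestTable` uses no instance state and could be `private static`, with a one-line comment noting that the split key `"s"` is what guarantees the two regions `regions.get(0)` and `regions.get(1)` rely on.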
@@ -691,7 +699,7 @@ public class TestAccessController extends SecureTestUtil { Get g = new Get(TEST_ROW); g.addFamily(TEST_FAMILY); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.get(g); } finally { @@ -709,7 +717,7 @@ public class TestAccessController extends SecureTestUtil { Scan s = new Scan(); s.addFamily(TEST_FAMILY); - HTable table = new HTable(conf, TEST_TABLE.getTableName()); + HTable table = new HTable(conf, TEST_TABLE); try { ResultScanner scanner = table.getScanner(s); try { @@ -738,7 +746,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.put(p); } finally { @@ -755,7 +763,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.delete(d); } finally { @@ -772,7 +780,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Increment inc = new Increment(TEST_ROW); inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.increment(inc); } finally { @@ -792,7 +800,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Delete d = new Delete(TEST_ROW); d.deleteFamily(TEST_FAMILY); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), d); 
@@ -810,7 +818,7 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { Put p = new Put(TEST_ROW); p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1)); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("test_value"), p); 
@@ -825,37 +833,40 @@ public class TestAccessController extends SecureTestUtil { @Test public void testBulkLoad() throws Exception { - FileSystem fs = TEST_UTIL.getTestFileSystem(); - final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); - fs.mkdirs(dir); - //need to make it globally writable - //so users creating HFiles have write permissions - fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx")); - - AccessTestAction bulkLoadAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - int numRows = 3; + try { + FileSystem fs = TEST_UTIL.getTestFileSystem(); + final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad"); + fs.mkdirs(dir); + // need to make it globally writable + // so users creating HFiles have write permissions + fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx")); + + AccessTestAction bulkLoadAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + int numRows = 3; - //Making the assumption that the test table won't split between the range - byte[][][] hfileRanges = {{{(byte)0}, {(byte)9}}}; + // Making the assumption that the test table won't split between the range + byte[][][] hfileRanges = { { { (byte) 0 }, { (byte) 9 } } }; - Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); - new BulkLoadHelper(bulkLoadBasePath) - .bulkLoadHFile(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows); + Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName())); + new BulkLoadHelper(bulkLoadBasePath).bulkLoadHFile(TEST_TABLE, TEST_FAMILY, + TEST_QUALIFIER, hfileRanges, numRows); - return null; - } - }; + return null; + } + }; - // User performing bulk loads must have privilege to read table metadata - // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + // User performing bulk loads must have 
privilege to read table metadata + // (ADMIN or CREATE) + verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); - // Reinit after the bulk upload - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE.getTableName()); + } finally { + // Reinit after the bulk upload + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE); + } } public class BulkLoadHelper { @@ -948,7 +959,7 @@ public class TestAccessController extends SecureTestUtil { put.add(TEST_FAMILY, qualifier, Bytes.toBytes(1)); Append append = new Append(row); append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2)); - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { t.put(put); t.append(append); @@ -970,10 +981,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), + ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Action.READ); } finally { acl.close(); 
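Review bot: The `finally` added to `testBulkLoad` disables and re-enables `TEST_TABLE`, which every other test in the class now shares. If `disableTable` succeeds and `enableTable` throws, the table stays disabled and later tests fail for an unrelated reason; any exception thrown here also replaces the one raised in the `try` body. The rows loaded by the allowed users remain in `TEST_TABLE` for later tests, where previously the table was recreated per test, and the world-writable directory set up with `FsPermission.valueOf("-rwxrwxrwx")` is not removed. Since `fs` and `dir` are declared inside the `try`, they are out of scope for cleanup; declaring them before the `try` would allow `fs.delete(dir, true);` in the `finally`. A comment there should state why the disable/enable cycle is needed.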
@@ -987,10 +998,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(), + ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Action.READ); } finally { acl.close(); @@ -1004,10 +1015,10 @@ public class TestAccessController extends SecureTestUtil { public Object run() throws Exception { HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName()); + BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName()); AccessControlService.BlockingInterface protocol = AccessControlService.newBlockingStub(service); - ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName()); + ProtobufUtil.getUserPermissions(protocol, TEST_TABLE); } finally { acl.close(); } 
@@ -1033,16 +1044,20 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + try { + verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); - verifyDenied(getGlobalPermissionsAction, USER_CREATE, - USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + } finally { + // Cleanup, Grant the revoked permission back to the user + grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + } } @Test 
@@ -1064,256 +1079,255 @@ public class TestAccessController extends SecureTestUtil { htd.addFamily(new HColumnDescriptor(family2)); admin.createTable(htd); TEST_UTIL.waitUntilAllRegionsAssigned(tableName); - - // create temp users - User tblUser = User - .createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); - User gblUser = User - .createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); - - // prepare actions: - AccessTestAction putActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family1, qualifier, Bytes.toBytes("v1")); - p.add(family2, qualifier, Bytes.toBytes("v2")); - HTable t = new HTable(conf, tableName); - try { - t.put(p); - } finally { - t.close(); + try { + // create temp users + User tblUser = + User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]); + User gblUser = + User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]); + + // prepare actions: + AccessTestAction putActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family1, qualifier, Bytes.toBytes("v1")); + p.add(family2, qualifier, Bytes.toBytes("v2")); + HTable t = new HTable(conf, tableName); + try { + t.put(p); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction putAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family1, qualifier, Bytes.toBytes("v1")); - HTable t = new HTable(conf, tableName); - try { - t.put(p); - } finally { - t.close(); + AccessTestAction putAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family1, qualifier, Bytes.toBytes("v1")); + HTable t = new HTable(conf, tableName); + try { + t.put(p); 
+ } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction putAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(Bytes.toBytes("a")); - p.add(family2, qualifier, Bytes.toBytes("v2")); - HTable t = new HTable(conf, tableName); - try { - t.put(p); - } finally { - t.close(); + AccessTestAction putAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(Bytes.toBytes("a")); + p.add(family2, qualifier, Bytes.toBytes("v2")); + HTable t = new HTable(conf, tableName); + try { + t.put(p); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction getActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family1); - g.addFamily(family2); - HTable t = new HTable(conf, tableName); - try { - t.get(g); - } finally { - t.close(); + AccessTestAction getActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family1); + g.addFamily(family2); + HTable t = new HTable(conf, tableName); + try { + t.get(g); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction getAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addFamily(family1); - HTable t = new HTable(conf, tableName); - try { - t.get(g); - } finally { - t.close(); + AccessTestAction getAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family1); + HTable t = new HTable(conf, tableName); + try { + t.get(g); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction getAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new 
Get(TEST_ROW); - g.addFamily(family2); - HTable t = new HTable(conf, tableName); - try { - t.get(g); - } finally { - t.close(); + AccessTestAction getAction2 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addFamily(family2); + HTable t = new HTable(conf, tableName); + try { + t.get(g); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteActionAll = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family1); - d.deleteFamily(family2); - HTable t = new HTable(conf, tableName); - try { - t.delete(d); - } finally { - t.close(); + AccessTestAction deleteActionAll = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family1); + d.deleteFamily(family2); + HTable t = new HTable(conf, tableName); + try { + t.delete(d); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteAction1 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family1); - HTable t = new HTable(conf, tableName); - try { - t.delete(d); - } finally { - t.close(); + AccessTestAction deleteAction1 = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family1); + HTable t = new HTable(conf, tableName); + try { + t.delete(d); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteAction2 = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteFamily(family2); - HTable t = new HTable(conf, tableName); - try { - t.delete(d); - } finally { - t.close(); + AccessTestAction deleteAction2 = new AccessTestAction() { + @Override + 
public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteFamily(family2); + HTable t = new HTable(conf, tableName); + try { + t.delete(d); + } finally { + t.close(); + } + return null; } - return null; - } - }; - - // initial check: - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - - // grant table read permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null, - Permission.Action.READ); - - // check - verifyAllowed(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - - verifyAllowed(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + }; - // grant table write permission while revoking read permissions - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.WRITE); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null, - Permission.Action.WRITE); + // initial check: + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyAllowed(tblUser, putActionAll, putAction1, putAction2); - verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, 
getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyAllowed(gblUser, putActionAll, putAction1, putAction2); - verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + // grant table read permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ); - // revoke table permissions - revokeGlobal(TEST_UTIL, gblUser.getShortName()); - revokeFromTable(TEST_UTIL, tblUser.getShortName(), - tableName, null, null); + // check + verifyAllowed(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(tblUser, getActionAll, getAction1, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyAllowed(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + // grant table write permission while revoking read permissions + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, + Permission.Action.WRITE); - // grant column family read permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, family1, null, Permission.Action.READ); + 
verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyAllowed(tblUser, putActionAll, putAction1, putAction2); + verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2); - // Access should be denied for family2 - verifyAllowed(tblUser, getActionAll, getAction1); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyAllowed(gblUser, putActionAll, putAction1, putAction2); + verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyAllowed(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + // revoke table permissions + revokeGlobal(TEST_UTIL, gblUser.getShortName()); + revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null); - // grant column family write permission - grantGlobal(TEST_UTIL, gblUser.getShortName(), - Permission.Action.WRITE); - grantOnTable(TEST_UTIL, tblUser.getShortName(), - tableName, family2, null, Permission.Action.WRITE); + verifyDenied(tblUser, getActionAll, getAction1, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - // READ from family1, WRITE to family2 are allowed - verifyAllowed(tblUser, getActionAll, getAction1); - verifyAllowed(tblUser, putAction2, deleteAction2); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1); - verifyDenied(tblUser, deleteActionAll, deleteAction1); + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - verifyDenied(gblUser, getActionAll, getAction1, 
getAction2); - verifyAllowed(gblUser, putActionAll, putAction1, putAction2); - verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + // grant column family read permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family1, null, + Permission.Action.READ); - // revoke column family permission - revokeGlobal(TEST_UTIL, gblUser.getShortName()); - revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); + // Access should be denied for family2 + verifyAllowed(tblUser, getActionAll, getAction1); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); - // Revoke on family2 should not have impact on family1 permissions - verifyAllowed(tblUser, getActionAll, getAction1); - verifyDenied(tblUser, getAction2); - verifyDenied(tblUser, putActionAll, putAction1, putAction2); - verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + verifyAllowed(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); - // Should not have access as global permissions are completely revoked - verifyDenied(gblUser, getActionAll, getAction1, getAction2); - verifyDenied(gblUser, putActionAll, putAction1, putAction2); - verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + // grant column family write permission + grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null, + Permission.Action.WRITE); - // delete table - admin.disableTable(tableName); - admin.deleteTable(tableName); + // READ from family1, WRITE to family2 are allowed + verifyAllowed(tblUser, getActionAll, getAction1); + verifyAllowed(tblUser, 
putAction2, deleteAction2); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1); + verifyDenied(tblUser, deleteActionAll, deleteAction1); + + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyAllowed(gblUser, putActionAll, putAction1, putAction2); + verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2); + + // revoke column family permission + revokeGlobal(TEST_UTIL, gblUser.getShortName()); + revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null); + + // Revoke on family2 should not have impact on family1 permissions + verifyAllowed(tblUser, getActionAll, getAction1); + verifyDenied(tblUser, getAction2); + verifyDenied(tblUser, putActionAll, putAction1, putAction2); + verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2); + + // Should not have access as global permissions are completely revoked + verifyDenied(gblUser, getActionAll, getAction1, getAction2); + verifyDenied(gblUser, putActionAll, putAction1, putAction2); + verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2); + + // delete table + admin.disableTable(tableName); + admin.deleteTable(tableName); + } finally { + try { + TEST_UTIL.deleteTable(tableName); + } catch (IOException ignore) { + LOG.debug("Failed to delete table in cleanup. May be already deleted."); + } + } } private boolean hasFoundUserPermission(UserPermission userPermission, List perms) { 
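Review bot: The new `finally` only deletes the table, so if an assertion fails between a `grantGlobal(TEST_UTIL, gblUser.getShortName(), ...)` call and the matching `revokeGlobal`, the global grant for `gbluser` stays in the ACL table for the rest of the class. Declaring `gblUser` before the `try` and adding `revokeGlobal(TEST_UTIL, gblUser.getShortName());` to the cleanup would close that gap, assuming a revoke with no grant present is harmless, which is not visible here. On the success path `admin.deleteTable(tableName)` at the end of the `try` has already removed the table, so `TEST_UTIL.deleteTable(tableName)` in the `finally` always takes the exception path. The `catch (IOException ignore)` then hides real failures too and does not log the exception. Either drop the in-`try` disable/delete, or narrow the handler to `catch (TableNotFoundException e)` and log with `LOG.debug("Table already deleted", e);`.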
@@ -1339,100 +1353,104 @@ public class TestAccessController extends SecureTestUtil { htd.addFamily(new HColumnDescriptor(family2)); admin.createTable(htd); TEST_UTIL.waitUntilAllRegionsAssigned(tableName); + try { + // create temp users + User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - // create temp users - User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - - AccessTestAction getQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Get g = new Get(TEST_ROW); - g.addColumn(family1, qualifier); - HTable t = new HTable(conf, tableName); - try { - t.get(g); - } finally { - t.close(); + AccessTestAction getQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Get g = new Get(TEST_ROW); + g.addColumn(family1, qualifier); + HTable t = new HTable(conf, tableName); + try { + t.get(g); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction putQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Put p = new Put(TEST_ROW); - p.add(family1, qualifier, Bytes.toBytes("v1")); - HTable t = new HTable(conf, tableName); - try { - t.put(p); - } finally { - t.close(); + AccessTestAction putQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Put p = new Put(TEST_ROW); + p.add(family1, qualifier, Bytes.toBytes("v1")); + HTable t = new HTable(conf, tableName); + try { + t.put(p); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction deleteQualifierAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - Delete d = new Delete(TEST_ROW); - d.deleteColumn(family1, qualifier); - // d.deleteFamily(family1); - HTable t = new HTable(conf, tableName); - try { - t.delete(d); - } finally { - t.close(); + AccessTestAction 
deleteQualifierAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + Delete d = new Delete(TEST_ROW); + d.deleteColumn(family1, qualifier); + // d.deleteFamily(family1); + HTable t = new HTable(conf, tableName); + try { + t.delete(d); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null); - verifyDenied(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.READ); + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ); - verifyAllowed(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyAllowed(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - // only grant write permission - // TODO: comment this portion after HBASE-3583 - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - Permission.Action.WRITE); + // only grant write permission + // TODO: comment this portion after HBASE-3583 + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE); - verifyDenied(user, getQualifierAction); - verifyAllowed(user, putQualifierAction); - verifyAllowed(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyAllowed(user, putQualifierAction); + verifyAllowed(user, deleteQualifierAction); - // grant both read and write permission - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - 
Permission.Action.READ, Permission.Action.WRITE); + // grant both read and write permission + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ, Permission.Action.WRITE); - verifyAllowed(user, getQualifierAction); - verifyAllowed(user, putQualifierAction); - verifyAllowed(user, deleteQualifierAction); + verifyAllowed(user, getQualifierAction); + verifyAllowed(user, putQualifierAction); + verifyAllowed(user, deleteQualifierAction); - // revoke family level permission won't impact column level - revokeFromTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier); + // revoke family level permission won't impact column level + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier); - verifyDenied(user, getQualifierAction); - verifyDenied(user, putQualifierAction); - verifyDenied(user, deleteQualifierAction); + verifyDenied(user, getQualifierAction); + verifyDenied(user, putQualifierAction); + verifyDenied(user, deleteQualifierAction); - // delete table - admin.disableTable(tableName); - admin.deleteTable(tableName); + // delete table + admin.disableTable(tableName); + admin.deleteTable(tableName); + } finally { + // delete table + try { + TEST_UTIL.deleteTable(tableName); + } catch (IOException ignore) { + LOG.debug("Failed to delete table in cleanup. May be already deleted."); + } + } } @Test 
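Review bot: The cleanup in `finally` catches every `IOException` from `TEST_UTIL.deleteTable(tableName)` and logs a fixed message without the exception, so a real cleanup failure is indistinguishable from "already deleted". On the success path the `try` body has already run `admin.disableTable(tableName); admin.deleteTable(tableName);`, so the second delete presumably fails on every passing run and the catch is exercised by design. I would drop the two `admin.*` calls at the end of the `try` and let `finally` own the deletion, or at least keep the cause in the log: `LOG.debug("Failed to delete table in cleanup. May be already deleted.", ignore);`. The hunk just before this one ends with the same pattern, and this method begins outside the hunk.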
@@ -1457,115 +1475,117 @@ public class TestAccessController extends SecureTestUtil { TEST_UTIL.waitUntilAllRegionsAssigned(tableName); List perms; - - HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission ownerperm = new UserPermission( - Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); - assertTrue("Owner should have all permissions on table", + UserPermission ownerperm = + new UserPermission(Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); + assertTrue("Owner should have all permissions on table", hasFoundUserPermission(ownerperm, perms)); - User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - byte[] userName = Bytes.toBytes(user.getShortName()); + User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); + byte[] userName = Bytes.toBytes(user.getShortName()); - UserPermission up = new UserPermission(userName, - tableName, family1, qualifier, Permission.Action.READ); - assertFalse("User should not be granted permission: " + up.toString(), - hasFoundUserPermission(up, perms)); + UserPermission up = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); + assertFalse("User should not be granted permission: " + up.toString(), + hasFoundUserPermission(up, perms)); - // 
grant read permission - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, Permission.Action.READ); + // grant read permission + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.READ); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission upToVerify = new UserPermission( - userName, tableName, family1, qualifier, Permission.Action.READ); - assertTrue("User should be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); + UserPermission upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); + assertTrue("User should be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); - upToVerify = new UserPermission( - userName, tableName, family1, qualifier, Permission.Action.WRITE); - assertFalse("User should not be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); + upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE); + assertFalse("User should not be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); - // grant read+write - grantOnTable(TEST_UTIL, user.getShortName(), - tableName, family1, qualifier, - 
Permission.Action.WRITE, Permission.Action.READ); + // grant read+write + grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - upToVerify = new UserPermission(userName, tableName, family1, - qualifier, Permission.Action.WRITE, Permission.Action.READ); - assertTrue("User should be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); + upToVerify = + new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE, + Permission.Action.READ); + assertTrue("User should be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); - // revoke - revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, - Permission.Action.WRITE, Permission.Action.READ); + // revoke + revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier, + Permission.Action.WRITE, Permission.Action.READ); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally 
{ - acl.close(); - } + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - assertFalse("User should not be granted permission: " + upToVerify.toString(), - hasFoundUserPermission(upToVerify, perms)); + assertFalse("User should not be granted permission: " + upToVerify.toString(), + hasFoundUserPermission(upToVerify, perms)); - // disable table before modification - admin.disableTable(tableName); + // disable table before modification + admin.disableTable(tableName); - User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); - htd.setOwner(newOwner); - admin.modifyTable(tableName, htd); + User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {}); + htd.setOwner(newOwner); + admin.modifyTable(tableName, htd); - acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(service); - perms = ProtobufUtil.getUserPermissions(protocol, tableName); - } finally { - acl.close(); - } + acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + BlockingRpcChannel service = acl.coprocessorService(tableName.getName()); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(service); + perms = ProtobufUtil.getUserPermissions(protocol, tableName); + } finally { + acl.close(); + } - UserPermission newOwnerperm = new UserPermission( - Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); - assertTrue("New owner should have all permissions on table", + UserPermission newOwnerperm = + new 
UserPermission(Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); + assertTrue("New owner should have all permissions on table", hasFoundUserPermission(newOwnerperm, perms)); - // delete table - admin.deleteTable(tableName); + } finally { + // delete table + TEST_UTIL.deleteTable(tableName); + } } @Test 
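Review bot: The `finally` block calls `TEST_UTIL.deleteTable(tableName)` unguarded, so if it throws while an assertion failure from the `try` body is propagating, the cleanup exception replaces the assertion and the permission check that actually failed disappears from the report. The other table-creating tests in this patch wrap the same call in `try { ... } catch (IOException ...)`; doing that here and logging the exception, e.g. `LOG.warn("Failed to delete table in cleanup", e);`, keeps the original failure visible. Separately, the five identical blocks that open the ACL table and call `ProtobufUtil.getUserPermissions(protocol, tableName)` could be folded into one private helper. The method begins outside this hunk.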
@@ -1629,127 +1649,132 @@ public class TestAccessController extends SecureTestUtil { User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]); grantOnTable(TEST_UTIL, userTable.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userColumn.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, null, + TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); grantOnTable(TEST_UTIL, userQualifier.getShortName(), - TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, + TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + try { + AccessTestAction tableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ); + return null; + } + }; - AccessTestAction tableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), null, null, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction columnRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ); - return null; - } - }; - - AccessTestAction qualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ); - return null; - } - }; + AccessTestAction columnRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ); + return null; + } + }; - AccessTestAction multiQualifierRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] { - new 
TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1, - Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2, - Permission.Action.READ), }); - return null; - } - }; + AccessTestAction qualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ); + return null; + } + }; - AccessTestAction globalAndTableRead = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), - new Permission[] { new Permission(Permission.Action.READ), - new TablePermission(TEST_TABLE.getTableName(), null, (byte[]) null, - Permission.Action.READ), }); - return null; - } - }; + AccessTestAction multiQualifierRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ), + new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q2, Permission.Action.READ), }); + return null; + } + }; - AccessTestAction noCheck = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[0]); - return null; - } - }; + AccessTestAction globalAndTableRead = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] { + new Permission(Permission.Action.READ), + new TablePermission(TEST_TABLE, null, (byte[]) null, Permission.Action.READ), }); + return null; + } + }; - verifyAllowed(tableRead, SUPERUSER, userTable); - verifyDenied(tableRead, userColumn, userQualifier); + AccessTestAction noCheck = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[0]); + return null; + } + }; - 
verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); - verifyDenied(columnRead, userQualifier); + verifyAllowed(tableRead, SUPERUSER, userTable); + verifyDenied(tableRead, userColumn, userQualifier); - verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); + verifyAllowed(columnRead, SUPERUSER, userTable, userColumn); + verifyDenied(columnRead, userQualifier); - verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); - verifyDenied(multiQualifierRead, userQualifier); + verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier); - verifyAllowed(globalAndTableRead, SUPERUSER); - verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); + verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn); + verifyDenied(multiQualifierRead, userQualifier); - verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); + verifyAllowed(globalAndTableRead, SUPERUSER); + verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier); - // -------------------------------------- - // test family level multiple permissions - AccessTestAction familyReadWrite = new AccessTestAction() { - @Override - public Void run() throws Exception { - checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null, - Permission.Action.READ, Permission.Action.WRITE); - return null; - } - }; + verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier); - verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(familyReadWrite, USER_NONE, USER_RO); + // -------------------------------------- + // test family level multiple permissions + AccessTestAction familyReadWrite = new AccessTestAction() { + @Override + public Void run() throws Exception { + checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ, + Permission.Action.WRITE); + return null; + } + }; - // -------------------------------------- - // check for wrong 
table region - CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder() - .addPermission(AccessControlProtos.Permission.newBuilder() - .setType(AccessControlProtos.Permission.Type.Table) - .setTablePermission( - AccessControlProtos.TablePermission.newBuilder() - .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName())) - .addAction(AccessControlProtos.Permission.Action.CREATE)) - ).build(); - HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); - AccessControlService.BlockingInterface protocol = - AccessControlService.newBlockingStub(channel); + verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW); + verifyDenied(familyReadWrite, USER_NONE, USER_RO); + + // -------------------------------------- + // check for wrong table region + CheckPermissionsRequest checkRequest = + CheckPermissionsRequest + .newBuilder() + .addPermission( + AccessControlProtos.Permission + .newBuilder() + .setType(AccessControlProtos.Permission.Type.Table) + .setTablePermission( + AccessControlProtos.TablePermission.newBuilder() + .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE)) + .addAction(AccessControlProtos.Permission.Action.CREATE))).build(); + HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - // but ask for TablePermissions for TEST_TABLE - protocol.checkPermissions(null, checkRequest); - fail("this should have thrown CoprocessorException"); - } catch (ServiceException ex) { - // expected + BlockingRpcChannel channel = acl.coprocessorService(new byte[0]); + AccessControlService.BlockingInterface protocol = + AccessControlService.newBlockingStub(channel); + try { + // but ask for TablePermissions for TEST_TABLE + protocol.checkPermissions(null, checkRequest); + fail("this should have thrown CoprocessorException"); + } catch (ServiceException ex) { + // expected + } + } finally { + acl.close(); } } finally { - 
acl.close(); + revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null, + Permission.Action.READ); + revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1, + Permission.Action.READ); } } 
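Review bot: The three `grantOnTable` calls sit before the new `try {`, so if the second or third grant throws, the grants already made on `TEST_TABLE` are never revoked. This patch replaces the per-test `@Rule` table with a single static `TEST_TABLE`, so a leftover READ grant appears to carry into later tests and can change what their `verifyDenied` checks observe. Moving `try {` above the first `grantOnTable` closes that gap. In the `finally`, a failure in the first `revokeFromTable` also skips the other two, so guarding each revoke separately would make the cleanup more dependable. The method begins outside this hunk.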
@@ -1940,58 +1965,63 @@ public class TestAccessController extends SecureTestUtil { // Grant TABLE ADMIN privs grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.ADMIN); - - AccessTestAction listTablesAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); - try { - admin.listTables(); - } finally { - admin.close(); + try { + AccessTestAction listTablesAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); + try { + admin.listTables(); + } finally { + admin.close(); + } + return null; } - return null; - } - }; + }; - AccessTestAction getTableDescAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); - try { - admin.getTableDescriptor(TEST_TABLE.getTableName()); - } finally { - admin.close(); + AccessTestAction getTableDescAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); + try { + admin.getTableDescriptor(TEST_TABLE); + } finally { + admin.close(); + } + return null; } - return null; - } - }; + }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN); - verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN); + verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); + verifyDenied(getTableDescAction, USER_RW, 
USER_RO, USER_NONE); + } finally { + // Cleanup, revoke TABLE ADMIN privs + revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, + Permission.Action.ADMIN); + } } @Test public void testTableDeletion() throws Exception { User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]); + final TableName tname = TableName.valueOf("testTableDeletion"); + createTestTable(tname); // Grant TABLE ADMIN privs - grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), - TEST_TABLE.getTableName(), null, null, - Permission.Action.ADMIN); + grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tname, null, null, Permission.Action.ADMIN); AccessTestAction deleteTableAction = new AccessTestAction() { @Override public Object run() throws Exception { HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); try { - admin.disableTable(TEST_TABLE.getTableName()); - admin.deleteTable(TEST_TABLE.getTableName()); + admin.disableTable(tname); + admin.deleteTable(tname); } finally { admin.close(); } @@ -2008,7 +2038,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { return t.get(new Get(TEST_ROW)); } finally { @@ -2021,7 +2051,7 @@ public class TestAccessController extends SecureTestUtil { // Grant namespace READ to USER_NONE, this should supersede any table permissions grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), + TEST_TABLE.getNamespaceAsString(), Permission.Action.READ); // Now USER_NONE should be able to read also 
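Review bot: `testTableDeletion` now creates its own table with `createTestTable(tname)` and grants ADMIN on it, but nothing visible in this hunk removes the table or the grant if the test fails before an allowed user completes `deleteTableAction`. The other tests reworked by this patch put their cleanup in `finally`; wrapping the body here the same way, with a guarded `TEST_UTIL.deleteTable(tname)`, would stop a failed run from leaving `testTableDeletion` and its ADMIN grant behind in the shared mini-cluster. The rest of the method lies outside the hunk, so this should be checked against the full body. The local `TABLE_ADMIN` is also written in constant case although it is a local variable.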
@@ -2035,7 +2065,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { return t.get(new Get(TEST_ROW)); } finally { @@ -2049,7 +2079,7 @@ public class TestAccessController extends SecureTestUtil { // Grant table READ permissions to testGrantRevoke. try { grantOnTableUsingAccessControlClient(TEST_UTIL, conf, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. " + e.getStackTrace()); } @@ -2060,7 +2090,7 @@ public class TestAccessController extends SecureTestUtil { // Revoke table READ permission to testGrantRevoke. try { revokeFromTableUsingAccessControlClient(TEST_UTIL, conf, testGrantRevoke.getShortName(), - TEST_TABLE.getTableName(), null, null, Permission.Action.READ); + TEST_TABLE, null, null, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.revoke " + e.getStackTrace()); } @@ -2077,7 +2107,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { return t.get(new Get(TEST_ROW)); } finally { 
@@ -2089,26 +2119,29 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getAction, testGlobalGrantRevoke); // Grant table READ permissions to testGlobalGrantRevoke. + String userName = testGlobalGrantRevoke.getShortName(); try { - grantGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(), + grantGlobalUsingAccessControlClient(TEST_UTIL, conf, userName, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. ", e); } + try { + // Now testGlobalGrantRevoke should be able to read also + verifyAllowed(getAction, testGlobalGrantRevoke); - // Now testGlobalGrantRevoke should be able to read also - verifyAllowed(getAction, testGlobalGrantRevoke); + // Revoke table READ permission to testGlobalGrantRevoke. + try { + revokeGlobalUsingAccessControlClient(TEST_UTIL, conf, userName, Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke ", e); + } - // Revoke table READ permission to testGlobalGrantRevoke. - try { - revokeGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(), - Permission.Action.READ); - } catch (Throwable e) { - LOG.error("error during call of AccessControlClient.revoke ", e); + // Now testGlobalGrantRevoke shouldn't be able read + verifyDenied(getAction, testGlobalGrantRevoke); + } finally { + revokeGlobal(TEST_UTIL, userName, Permission.Action.READ); } - - // Now testGlobalGrantRevoke shouldn't be able read - verifyDenied(getAction, testGlobalGrantRevoke); } @Test @@ -2118,7 +2151,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction getAction = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { return t.get(new Get(TEST_ROW)); } finally { 
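Review bot: In the first hunk on this line the comments say "table READ" (`// Grant table READ permissions ...`, `// Revoke table READ permission ...`) while the calls beneath them are `grantGlobalUsingAccessControlClient` and `revokeGlobalUsingAccessControlClient`. In an access-control test the scope being exercised is the point of the test, so I would reword them, e.g. `// Revoke global READ permission from testGlobalGrantRevoke.` The new `finally` would also benefit from a one-line reason: `// Safety net: drop the global READ grant even if the client-side revoke above failed.` The method begins outside this hunk.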
@@ -2130,26 +2163,32 @@ public class TestAccessController extends SecureTestUtil { verifyDenied(getAction, testNS); // Grant namespace READ to testNS, this should supersede any table permissions + String userName = testNS.getShortName(); + String namespace = TEST_TABLE.getNamespaceAsString(); try { - grantOnNamespaceUsingAccessControlClient(TEST_UTIL, conf, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); + grantOnNamespaceUsingAccessControlClient(TEST_UTIL, conf, userName, + namespace, Permission.Action.READ); } catch (Throwable e) { LOG.error("error during call of AccessControlClient.grant. " + e.getStackTrace()); } - // Now testNS should be able to read also - verifyAllowed(getAction, testNS); - - // Revoke namespace READ to testNS, this should supersede any table permissions try { - revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, conf, testNS.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ); - } catch (Throwable e) { - LOG.error("error during call of AccessControlClient.revoke " + e.getStackTrace()); - } + // Now testNS should be able to read also + verifyAllowed(getAction, testNS); - // Now testNS shouldn't be able read - verifyDenied(getAction, testNS); + // Revoke namespace READ to testNS, this should supersede any table permissions + try { + revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, conf, userName, namespace, + Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke " + e.getStackTrace()); + } + + // Now testNS shouldn't be able read + verifyDenied(getAction, testNS); + } finally { + revokeFromNamespace(TEST_UTIL, userName, namespace, Permission.Action.READ); + } } 
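Review bot: Both `catch (Throwable e)` blocks build the message with `+ e.getStackTrace()`, which concatenates the array's default `toString()` rather than the trace, so the log carries no usable detail when the namespace grant or revoke fails. The global grant/revoke test in this patch already hands the throwable to the logger, and the same form fits here: `LOG.error("error during call of AccessControlClient.revoke ", e);`. Catching `Throwable` and carrying on also means a failed grant only shows up later as a `verifyAllowed` failure; calling `fail(...)` in the catch would point at the real cause. The table-level grant/revoke test further up has the same two log statements on its context lines, and this method begins outside the hunk.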
@@ -2204,7 +2243,7 @@ public class TestAccessController extends SecureTestUtil { for (JVMClusterUtil.RegionServerThread thread: TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) { HRegionServer rs = thread.getRegionServer(); - for (HRegion region: rs.getOnlineRegions(TEST_TABLE.getTableName())) { + for (HRegion region: rs.getOnlineRegions(TEST_TABLE)) { region.getCoprocessorHost().load(PingCoprocessor.class, Coprocessor.PRIORITY_USER, conf); } 
@@ -2216,35 +2255,39 @@ public class TestAccessController extends SecureTestUtil { User userB = User.createUserForTesting(conf, "UserB", new String[0]); grantOnTable(TEST_UTIL, userA.getShortName(), - TEST_TABLE.getTableName(), null, null, + TEST_TABLE, null, null, Permission.Action.EXEC); - - // Create an action for invoking our test endpoint - AccessTestAction execEndpointAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); - try { - BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); - PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); - } finally { - t.close(); + try { + // Create an action for invoking our test endpoint + AccessTestAction execEndpointAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTable t = new HTable(conf, TEST_TABLE); + try { + BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY); + PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build()); + } finally { + t.close(); + } + return null; } - return null; - } - }; + }; - // Verify that EXEC permission is checked correctly - verifyDenied(execEndpointAction, userB); - verifyAllowed(execEndpointAction, userA); + // Verify that EXEC permission is checked correctly + verifyDenied(execEndpointAction, userB); + verifyAllowed(execEndpointAction, userA); - // Now grant EXEC to the entire namespace to user B - grantOnNamespace(TEST_UTIL, userB.getShortName(), - TEST_TABLE.getTableName().getNamespaceAsString(), - Permission.Action.EXEC); + // Now grant EXEC to the entire namespace to user B + grantOnNamespace(TEST_UTIL, userB.getShortName(), TEST_TABLE.getNamespaceAsString(), + Permission.Action.EXEC); - // User B should now be allowed also - verifyAllowed(execEndpointAction, userA, userB); + // User B should now be allowed also + 
verifyAllowed(execEndpointAction, userA, userB); + } finally { + // Cleanup, revoke the userA privileges + revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null, + Permission.Action.EXEC); + } } @Test @@ -2252,7 +2295,7 @@ public class TestAccessController extends SecureTestUtil { AccessTestAction putWithReservedTag = new AccessTestAction() { @Override public Object run() throws Exception { - HTable t = new HTable(conf, TEST_TABLE.getTableName()); + HTable t = new HTable(conf, TEST_TABLE); try { KeyValue kv = new KeyValue(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER, HConstants.LATEST_TIMESTAMP, HConstants.EMPTY_BYTE_ARRAY, @@ -2293,14 +2336,14 @@ public class TestAccessController extends SecureTestUtil { @Test public void testTruncatePerms() throws Exception { try { - List existingPerms = AccessControlClient.getUserPermissions(conf, TEST_TABLE - .getTableName().getNameAsString()); + List existingPerms = + AccessControlClient.getUserPermissions(conf, TEST_TABLE.getNameAsString()); assertTrue(existingPerms != null); assertTrue(existingPerms.size() > 1); - TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName()); - TEST_UTIL.getHBaseAdmin().truncateTable(TEST_TABLE.getTableName(), true); - List perms = AccessControlClient.getUserPermissions(conf, TEST_TABLE - .getTableName().getNameAsString()); + TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); + TEST_UTIL.getHBaseAdmin().truncateTable(TEST_TABLE, true); + List perms = + AccessControlClient.getUserPermissions(conf, TEST_TABLE.getNameAsString()); assertTrue(perms != null); assertEquals(existingPerms.size(), perms.size()); } catch (Throwable e) { -- 1.9.2.msysgit.0
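Review bot: The new `finally` block revokes only userA's table-level EXEC, while the namespace-level EXEC granted to userB by `grantOnNamespace(...)` earlier in the same `try` is never revoked. With TEST_TABLE now a static table shared by the whole class, that grant presumably outlives this test, and leftover permissions can make a later denial check pass or fail for the wrong reason. Adding `revokeFromNamespace(TEST_UTIL, userB.getShortName(), TEST_TABLE.getNamespaceAsString(), Permission.Action.EXEC);` to the `finally` block restores the starting ACL state. The helper is already used with this argument shape in the namespace READ test earlier in this patch. The test method's signature and setup lie outside the hunk.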