From d0d0e25cd813b3acf668a23560f3697ec6a302bf Mon Sep 17 00:00:00 2001 From: Ashish Singhi Date: Wed, 10 Jun 2015 22:13:54 +0530 Subject: [PATCH] HBASE-13828 Add group permissions testing coverage to AC --- .../security/access/TestAccessController.java | 299 +++++++++++++-------- .../security/access/TestAccessController2.java | 135 +++++----- .../security/access/TestNamespaceCommands.java | 197 +++++--------- 3 files changed, 329 insertions(+), 302 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index f2d3dff..2a9d126 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -160,6 +160,16 @@ public class TestAccessController extends SecureTestUtil { // user with admin rights on the column family private static User USER_ADMIN_CF; + private static final String GROUP_ADMIN = "group_admin"; + private static final String GROUP_CREATE = "group_create"; + private static final String GROUP_READ = "group_read"; + private static final String GROUP_WRITE = "group_write"; + + private static User USER_GROUP_ADMIN; + private static User USER_GROUP_CREATE; + private static User USER_GROUP_READ; + private static User USER_GROUP_WRITE; + // TODO: convert this test to cover the full matrix in // https://hbase.apache.org/book/appendix_acl_matrix.html // creating all Scope x Permission combinations 
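Review bot: The four new GROUP_* constants and the four USER_GROUP_* fields carry no comment, while the field directly above them is explained by `// user with admin rights on the column family`. A one-line comment in the same style would tell a reader what distinguishes these users from USER_ADMIN, USER_CREATE and friends, e.g. `// users with no direct grant; each gets exactly one global action through its group`. The class body continues outside the hunk.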
@@ -214,6 +224,15 @@ public class TestAccessController extends SecureTestUtil { USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); + USER_GROUP_ADMIN = + User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + USER_GROUP_CREATE = + User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); + USER_GROUP_READ = + User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ }); + USER_GROUP_WRITE = + User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + systemUserConnection = TEST_UTIL.getConnection(); setUpTableAndUserPermissions(); } @@ -265,6 +284,11 @@ public class TestAccessController extends SecureTestUtil { TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, @@ -303,10 +327,11 @@ public class TestAccessController extends SecureTestUtil { }; // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN); + verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
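Review bot: In the testTableCreate hunk USER_GROUP_ADMIN lands in the denied list while USER_ADMIN stays allowed, which reads as a contradiction until one knows that USER_ADMIN's setup grant presumably carries CREATE as well as ADMIN. This is the first test where the ADMIN-only and CREATE-only group users diverge, so the now-stale `// verify that superuser can create tables` comment should say why: `// creating a table needs CREATE; global ADMIN alone (USER_GROUP_ADMIN) is not enough`. The grant hunk above it adds four global grants to the groups during setup, and I cannot see a matching revoke anywhere in this diff; worth confirming that teardown removes them, because the later count assertions on the _acl_ table depend on exactly these four entries.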
@@ -323,8 +348,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -338,8 +364,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -354,8 +381,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -370,8 +398,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
@@ -387,8 +416,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -402,8 +432,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -426,11 +457,13 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); // No user should be allowed to disable _acl_ table - verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO); + verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, + USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
@@ -444,8 +477,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -466,8 +500,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -486,8 +521,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -506,8 +542,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -526,8 +563,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -540,8 +578,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -554,8 +593,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -568,8 +608,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -582,13 +623,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } private void verifyWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(action, USER_NONE, USER_RO); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, + USER_GROUP_WRITE); + verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE); } @Test @@ -601,8 +644,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -617,8 +661,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -638,8 +683,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } finally { deleteTable(TEST_UTIL, tname); } @@ -655,8 +701,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
@@ -670,18 +717,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } private void verifyRead(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); - verifyDenied(action, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO, + USER_GROUP_READ); + verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE); } private void verifyReadWrite(AccessTestAction action) throws Exception { verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(action, USER_NONE, USER_RO); + verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ, + USER_GROUP_WRITE); } @Test @@ -837,8 +887,10 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, + USER_GROUP_CREATE); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } finally { // Reinit after the bulk upload TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); 
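Review bot: The denied list for bulkLoadAction now contains USER_GROUP_ADMIN, but the comment two lines above still says the user needs `(ADMIN or CREATE)`; for a user holding global ADMIN only, the comment and the assertion cannot both be right. If the hook really requires CREATE, the comment should read `// (CREATE)`; if ADMIN is meant to suffice, USER_GROUP_ADMIN belongs in the verifyAllowed call instead. The verifyRead and verifyReadWrite helpers earlier in the same hunk look consistent: no group user holds both READ and WRITE, so verifyReadWrite rightly allows none of them. The bulk-load test continues outside the hunk.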
@@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(appendAction, USER_RO, USER_NONE); + verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, + USER_GROUP_WRITE); + verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ, + USER_GROUP_ADMIN); } @Test 
@@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); try { - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, - USER_NONE); + USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } finally { // Cleanup, Grant the revoked permission back to the user grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, 
@@ -1524,8 +1581,8 @@ public class TestAccessController extends SecureTestUtil { } UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); - assertTrue("Only user admin has permission on table _acl_ per setup", - perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); + assertTrue("Only global users and user admin has permission on table _acl_ per setup", + perms.size() == 5 && hasFoundUserPermission(adminPerm, perms)); } /** global operations */ @@ -1712,8 +1769,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1726,8 +1784,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1740,8 +1799,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
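Review bot: The literal 5 in `perms.size() == 5` (and the same `assertEquals(5, ...)` in the sys-table hunk at @@ -2466) silently encodes USER_ADMIN plus the four GROUP_* global grants, and the message `Only global users and user admin has permission on table _acl_ per setup` is both ungrammatical and misleading, since the four extra entries are group principals rather than users. Folding the size into the `&&` also hides the actual count when the assertion fails. Prefer `assertEquals("_acl_ should hold USER_ADMIN plus the four global group grants", 5, perms.size());` followed by `assertTrue(hasFoundUserPermission(adminPerm, perms));`. The enclosing test continues outside the hunk.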
@@ -1754,8 +1814,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -1802,17 +1863,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); - verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN); - verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
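Review bot: The second and fourth pairs in the snapshot hunk are still crossed: `verifyAllowed(cloneAction, …)` is followed by `verifyDenied(deleteAction, …)` and `verifyAllowed(deleteAction, …)` by `verifyDenied(cloneAction, …)`. Since the commit rewrites all four lines anyway, pairing each allowed call with the denied call for the same action would make the matrix readable at a glance and spare the next reviewer from hunting for a missing list. No behaviour changes, as the allowed and denied user lists are identical for clone and delete.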
@@ -1832,8 +1897,9 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); AccessTestAction deleteAction = new AccessTestAction() { @Override @@ -1843,8 +1909,9 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); AccessTestAction restoreAction = new AccessTestAction() { @Override @@ -1854,8 +1921,9 @@ public class TestAccessController extends SecureTestUtil { return null; } }; - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); AccessTestAction cloneAction = new AccessTestAction() { @Override 
@@ -1867,8 +1935,9 @@ public class TestAccessController extends SecureTestUtil { }; // Clone by snapshot owner is not allowed , because clone operation creates a new table, // which needs global admin permission. - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1962,12 +2031,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, - TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); } finally { // Cleanup, revoke TABLE ADMIN privs revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, @@ -1992,8 +2064,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, - USER_RW, USER_RO); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, + USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); verifyIfEmptyList(listTablesAction, USER_NONE); } 
@@ -2022,7 +2094,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE); + verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); verifyAllowed(deleteTableAction, TABLE_ADMIN); } 
@@ -2354,21 +2427,24 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, - USER_OWNER); + verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER); + verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); - verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN); - verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
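Review bot: `verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);` is the only quota assertion in this hunk left without the group users, even though its verifyAllowed line gained USER_GROUP_ADMIN and the other four quota actions now deny USER_GROUP_READ, USER_GROUP_WRITE and USER_GROUP_CREATE. Unless the omission is deliberate it should read `verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);` so the negative side of the matrix is covered for table quotas as well.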
@@ -2466,7 +2542,7 @@ public class TestAccessController extends SecureTestUtil { // Verify that we can read sys-tables String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString(); - assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); + assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size()); // Grant TABLE ADMIN privs to testUserPerms @@ -2491,8 +2567,10 @@ public class TestAccessController extends SecureTestUtil { } private void verifyAnyCreate(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF); - verifyDenied(action, USER_NONE, USER_RO, USER_RW); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF, + USER_GROUP_CREATE); + verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } @Test @@ -2530,7 +2608,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN); - verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE); + verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE); } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java index ecb3136..2685144 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java 
@@ -42,7 +42,6 @@ import org.apache.hadoop.hbase.client.Result; import org.apache.hadoop.hbase.client.ResultScanner; import org.apache.hadoop.hbase.client.Scan; import org.apache.hadoop.hbase.client.Table; -import org.apache.hadoop.hbase.master.HMaster; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.Permission.Action; import org.apache.hadoop.hbase.testclassification.LargeTests; @@ -97,6 +96,7 @@ public class TestAccessController2 extends SecureTestUtil { private String namespace = "testNamespace"; private String tname = namespace + ":testtable1"; private TableName tableName = TableName.valueOf(tname); + private static String TESTGROUP_1_NAME; @BeforeClass public static void setupBeforeClass() throws Exception { @@ -109,6 +109,7 @@ public class TestAccessController2 extends SecureTestUtil { // Wait for the ACL table to become available TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME); + TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1); TESTGROUP1_USER1 = User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 }); TESTGROUP2_USER1 = 
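Review bot: `private static String TESTGROUP_1_NAME;` is a mutable static in UPPER_SNAKE_CASE, assigned once in setupBeforeClass and declared among the instance fields. Because convertToGroup is called from the static setupBeforeClass it must itself be static, so the field can be a genuine constant declared next to TESTGROUP_1: `private static final String TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);`, which also removes the ordering dependency on setup. The setup hunk then keeps only the user-creation lines.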
@@ -200,23 +201,27 @@ public class TestAccessController2 extends SecureTestUtil { @Test public void testCreateTableWithGroupPermissions() throws Exception { - grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); - AccessTestAction createAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); - desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); - try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { - try (Admin admin = connection.getAdmin()) { - admin.createTable(desc); + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE); + try { + AccessTestAction createAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); + desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); + try (Connection connection = + ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { + try (Admin admin = connection.getAdmin()) { + admin.createTable(desc); + } } + return null; } - return null; - } - }; - verifyAllowed(createAction, TESTGROUP1_USER1); - verifyDenied(createAction, TESTGROUP2_USER1); - revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); + }; + verifyAllowed(createAction, TESTGROUP1_USER1); + verifyDenied(createAction, TESTGROUP2_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE); + } } @Test 
@@ -264,55 +269,65 @@ public class TestAccessController2 extends SecureTestUtil {
 SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE.getTableName(), null, null, Action.ADMIN);
- // Write tests
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ try {
+ // Write tests
- AccessTestAction writeAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
+ AccessTestAction writeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
- TEST_VALUE));
- return null;
- } finally {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
+ return null;
+ } finally {
+ }
 }
- }
- };
-
- // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+ };
- verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
- verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
- verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
- verifyAllowed(writeAction, superUser, globalWrite);
+ // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
- // Read tests
+ verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+ verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+ verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+ verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ }
- AccessTestAction scanAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- ResultScanner s = t.getScanner(new Scan());
- try {
- for (Result r = s.next(); r != null; r = s.next()) {
- // do nothing
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ try {
+ // Read tests
+
+ AccessTestAction scanAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ ResultScanner s = t.getScanner(new Scan());
+ try {
+ for (Result r = s.next(); r != null; r = s.next()) {
+ // do nothing
+ }
+ } finally {
+ s.close();
 }
- } finally {
- s.close();
+ return null;
 }
- return null;
 }
- }
- };
+ };
- // All reads from ACL table denied except for GLOBAL READ and superuser
+ // All reads from ACL table denied except for GLOBAL READ and superuser
- verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
- verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
- verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
- verifyAllowed(scanAction, superUser, globalRead);
+ verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+ verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+ verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+ verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ }
 }
 /*
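Review bot: The write action keeps an empty `} finally { }` after its try-with-resources (the `+ } finally {` / `+ }` lines), dead code carried over from the old version; the try-with-resources already closes `t` and `conn`, so the `finally` should simply be dropped. In the read action the scanner could join the same header, `try (Connection conn = ...; Table t = ...; ResultScanner s = t.getScanner(new Scan())) { ... }`, replacing the manual `s.close()` in a `finally`. Since the assertions rest on the existing rule that only global WRITE/READ (and superuser) touch the ACL table, a one-line comment above the two `grantGlobal` calls would make the intent of the group grants explicit: `// group_1 gets GLOBAL WRITE/READ on purpose: that is the only non-superuser path to hbase:acl`. The enclosing test method begins before this hunk.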
@@ -412,17 +427,17 @@ public class TestAccessController2 extends SecureTestUtil {
 // Verify user from a group which has table level access can read all the data and group which
 // has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
 verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
 verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
 // Verify user from a group whose table level access has been revoked can't read any data.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
 verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
 // Verify user from a group which has column family level access can read all the data
 // belonging to that family and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
 Permission.Action.READ);
 verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
 verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@@ -431,12 +446,12 @@ public class TestAccessController2 extends SecureTestUtil {
 // Verify user from a group whose column family level access has been revoked can't read any
 // data from that family.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
 verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
 // Verify user from a group which has column qualifier level access can read data that has this
 // family and qualifier, and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
 verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
 verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
 verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -446,7 +461,7 @@ public class TestAccessController2 extends SecureTestUtil {
 // Verify user from a group whose column qualifier level access has been revoked can't read the
 // data having this column family and qualifier.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
 verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 457bb3b..bccd64f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -92,6 +92,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
 //user with create table permissions alone
 private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
 private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
 private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -116,6 +126,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
 USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
 USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
+
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
 // TODO: other table perms
 UTIL.startMiniCluster();
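Review bot: The new group matrix stops at ADMIN/CREATE/READ/WRITE, while the per-user matrix in this class also has EXEC principals (`USER_GLOBAL_EXEC`, `USER_NS_EXEC` in the expectation lists further down), so group-based EXEC resolution is the one action left without coverage; a `GROUP_EXEC` / `USER_GROUP_EXEC` pair wired into the same lists would complete it. The four `USER_GROUP_*` fields also lack the one-line comment their neighbours carry; suggest `// users with no direct grants: every permission they hold comes through their group` above them, since that property is what these tests exist to check.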
@@ -144,6 +163,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
 grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
 grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+ grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
 }
 @AfterClass
@@ -204,20 +228,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
 };
 // modifyNamespace: superuser | global(A) | NS(A)
- verifyAllowed(modifyNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(modifyNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 }
 @Test
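Review bot: All four group grants added here are global (`grantGlobal(UTIL, convertToGroup(...), ...)`), so group membership is only ever exercised at global scope in this class even though the surrounding setup grants namespace-scoped permissions to individual users; a group grant such as `grantOnNamespace(UTIL, convertToGroup(GROUP_ADMIN), TEST_NAMESPACE2, Permission.Action.ADMIN);` with matching expectations would cover group resolution on namespace ACLs, which is what this test class is about. These grants are also never revoked, which is acceptable only because the cluster presumably goes away in `@AfterClass`; the enclosing setup method starts before this hunk.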
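Review bot: The comment `// modifyNamespace: superuser | global(A) | NS(A)` says namespace ADMIN is sufficient, but the rewritten `verifyDenied` list still contains `USER_NS_ADMIN`, so the comment and the expectation contradict each other and the new `USER_GROUP_ADMIN`-only allow list inherits that ambiguity. If the intended rule is that modifyNamespace needs global ADMIN, change the comment to `// modifyNamespace: superuser | global(A)`; otherwise `USER_NS_ADMIN` belongs in the `verifyAllowed` call.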
@@ -241,41 +255,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
 };
 // createNamespace: superuser | global(A)
- verifyAllowed(createNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
+ verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
 // all others should be denied
- verifyDenied(createNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 // deleteNamespace: superuser | global(A) | NS(A)
- verifyAllowed(deleteNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(deleteNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 }
 @Test
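Review bot: The comment `// deleteNamespace: superuser | global(A) | NS(A)` promises that namespace ADMIN can delete, yet `USER_NS_ADMIN` sits in the rewritten `verifyDenied(deleteNamespace, ...)` list, so the comment is stale relative to the assertion it labels; either drop `| NS(A)` from the comment or move `USER_NS_ADMIN` to the allow list, whichever matches the intended rule. The two denied lists here (and the ones in the grant/revoke test) are the same users with the group users appended in hand-written order, which drifts easily; a shared `User[]` of non-admin users passed to the varargs `verifyDenied` would keep them aligned, assuming `verifyDenied` takes `User...`.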
@@ -289,22 +279,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
 }
 };
 // getNamespaceDescriptor : superuser | global(A) | NS(A)
- verifyAllowed(getNamespaceAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getNamespaceAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 }
 @Test
@@ -327,14 +306,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
 // listNamespaces : All access*
 // * Returned list will only show what you can call getNamespaceDescriptor()
- verifyAllowed(listAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
 // we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
 assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
 assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
+ assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
 assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
@@ -348,6 +325,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
 assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
 assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
 assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
 }
 @Test
@@ -411,56 +391,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
 }
 };
- verifyAllowed(grantAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(grantAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(revokeAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(revokeAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(getPermissionsAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getPermissionsAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
 }
 @Test
@@ -476,21 +421,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
 };
 //createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable,
- SUPERUSER,
- USER_GLOBAL_CREATE,
- USER_NS_CREATE);
-
- verifyDenied(createTable,
- USER_GLOBAL_ADMIN,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
+ verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
 }
 }
-- 
1.9.5.msysgit.0
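Review bot: `USER_GROUP_ADMIN` is now asserted to pass `grantAction` and `revokeAction`, i.e. a principal whose only authority is membership in a global-ADMIN group can rewrite ACLs; that is the intended semantics, but nothing in this class pins the inverse, that taking the group's global ADMIN away removes the ability, because the group grants made in setup are never revoked. A `revokeGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);` followed by `verifyDenied(grantAction, USER_GROUP_ADMIN);` and a re-grant (in a try/finally so later tests keep their fixture) would close that gap for the most privileged path. The enclosing test method begins before this hunk.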