From 5878d80a50084533b57e0d41b5dd6b58e5e79a7f Mon Sep 17 00:00:00 2001 From: Ashish Singhi Date: Wed, 10 Jun 2015 22:36:23 +0530 Subject: [PATCH] HBASE-13828 Add group permissions testing coverage to AC --- .../security/access/TestAccessController.java | 235 ++++++++++++++------- .../security/access/TestAccessController2.java | 125 ++++++----- .../security/access/TestNamespaceCommands.java | 61 ++++-- 3 files changed, 269 insertions(+), 152 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index d4fe59b..56af4a3 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -146,6 +146,16 @@ public class TestAccessController extends SecureTestUtil { // user with admin rights on the column family private static User USER_ADMIN_CF; + private static final String GROUP_ADMIN = "group_admin"; + private static final String GROUP_CREATE = "group_create"; + private static final String GROUP_READ = "group_read"; + private static final String GROUP_WRITE = "group_write"; + + private static User USER_GROUP_ADMIN; + private static User USER_GROUP_CREATE; + private static User USER_GROUP_READ; + private static User USER_GROUP_WRITE; + // TODO: convert this test to cover the full matrix in // https://hbase.apache.org/book/appendix_acl_matrix.html // creating all Scope x Permission combinations 
@@ -203,6 +213,16 @@ public class TestAccessController extends SecureTestUtil { USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); + + USER_GROUP_ADMIN = + User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + USER_GROUP_CREATE = + User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); + USER_GROUP_READ = + User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ }); + USER_GROUP_WRITE = + User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + setUpTableAndUserPermissions(); } @@ -255,6 +275,11 @@ public class TestAccessController extends SecureTestUtil { TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size()); @@ -287,10 +312,11 @@ public class TestAccessController extends SecureTestUtil { }; // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN); + verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
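Review bot: The comment `// verify that superuser can create tables` above the createTable assertions is now stale, since the allowed list contains USER_ADMIN and the new USER_GROUP_CREATE while USER_GROUP_ADMIN sits in the denied list. Suggest `// superuser, USER_ADMIN (presumably also holding global CREATE) and the global CREATE group can create tables; global ADMIN alone cannot`, so the group expectation is documented rather than implied. The setup hunk on this line grants each group exactly one global action, which is what makes these single-action allow/deny splits meaningful; a one-line comment saying so next to the `grantGlobal(TEST_UTIL, convertToGroup(...), ...)` calls would help readers of the later matrices.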
@@ -307,8 +333,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -322,8 +349,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -338,8 +366,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -354,8 +383,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
@@ -371,8 +401,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -386,8 +417,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -410,11 +442,13 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); // No user should be allowed to disable _acl_ table - verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO); + verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, + USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
@@ -428,8 +462,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -452,8 +487,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -476,8 +512,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -500,8 +537,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -524,8 +562,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -538,8 +577,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -552,8 +592,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -566,8 +607,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -580,13 +622,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } private void verifyWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(action, USER_NONE, USER_RO); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, + USER_GROUP_WRITE); + verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE); } @Test @@ -599,8 +643,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -615,8 +660,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -635,8 +681,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } finally { TEST_UTIL.deleteTable(tname); } @@ -661,8 +708,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test 
@@ -676,18 +724,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } private void verifyRead(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); - verifyDenied(action, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO, + USER_GROUP_READ); + verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE); } private void verifyReadWrite(AccessTestAction action) throws Exception { verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(action, USER_NONE, USER_RO); + verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ, + USER_GROUP_WRITE); } @Test @@ -859,8 +910,10 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, + USER_GROUP_CREATE); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } finally { // Reinit after the bulk upload 
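Review bot: verifyReadWrite gains only denied group users; no group user is ever allowed, so for groups the read-write path is exercised only negatively. Each group user holds a single global action, which is why USER_GROUP_READ and USER_GROUP_WRITE are both correctly denied, but a user belonging to both GROUP_READ and GROUP_WRITE would be needed to show that group-derived READ and WRITE actually combine. Consider creating such a user in setup and listing it in `verifyAllowed`, or add `// no group user holds both READ and WRITE, so groups appear only in the denied set` to explain the asymmetry.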
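Review bot: The comment `// (ADMIN or CREATE)` above the bulk-load assertions no longer matches the expectation, because USER_GROUP_ADMIN, which setup grants only global ADMIN, is placed in `verifyDenied`. Either the comment overstates what ADMIN buys or the new expectation is wrong; if CREATE is the real requirement, as the denial suggests, change the comment to `// (CREATE; global ADMIN alone is not sufficient, see USER_GROUP_ADMIN in verifyDenied)`. The enclosing try block of this test starts outside the hunk.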
@@ -970,8 +1023,10 @@ public class TestAccessController extends SecureTestUtil {
 }
 };
- verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(appendAction, USER_RO, USER_NONE);
+ verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_ADMIN);
 
 }
 
 @Test
@@ -1042,17 +1097,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); try { - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); - verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, + USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } finally { // Cleanup, Grant the revoked permission back to the user grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, 
@@ -1236,7 +1295,8 @@ public class TestAccessController extends SecureTestUtil { // grant table read permission grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ); - grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ); + grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, + Permission.Action.READ); // check verifyAllowed(tblUser, getActionAll, getAction1, getAction2); @@ -1602,8 +1662,8 @@ public class TestAccessController extends SecureTestUtil { } UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); - assertTrue("Only user admin has permission on table _acl_ per setup", - perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); + assertTrue("Only global users and user admin has permission on table _acl_ per setup", + perms.size() == 5 && hasFoundUserPermission(adminPerm, perms)); } /** global operations */ @@ -1788,8 +1848,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1802,8 +1863,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
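Review bot: The updated `_acl_` assertion folds two checks into one boolean, so when `perms.size() == 5` fails the message cannot say whether the count or the admin entry is wrong, and the literal 5 silently encodes the four global group grants plus USER_ADMIN from setup. Prefer `assertEquals("unexpected number of permissions on _acl_", 5, perms.size());` followed by `assertTrue(hasFoundUserPermission(adminPerm, perms));`, and ideally assert each of the four group grants with hasFoundUserPermission as well, so the count is explained rather than merely asserted. The enclosing test starts outside the hunk.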
@@ -1816,8 +1878,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -1830,8 +1893,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -1994,11 +2058,14 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN); - verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, + TABLE_ADMIN, USER_GROUP_ADMIN, USER_GROUP_CREATE); + verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); } finally { // Cleanup, revoke TABLE ADMIN privs revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, 
@@ -2029,7 +2096,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE); + verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); verifyAllowed(deleteTableAction, TABLE_ADMIN); } @@ -2352,8 +2420,10 @@ public class TestAccessController extends SecureTestUtil { } private void verifyAnyCreate(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF); - verifyDenied(action, USER_NONE, USER_RO, USER_RW); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF, + USER_GROUP_CREATE); + verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } @Test @@ -2389,7 +2459,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN); - verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE); + verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE); } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java index e8eb51b..a296d89 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java 
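Review bot: The deleteTableAction hunk adds USER_GROUP_READ and USER_GROUP_WRITE to the denied set but asserts nothing for USER_GROUP_ADMIN and USER_GROUP_CREATE, so group coverage for this action is incomplete. Presumably they cannot join `verifyAllowed` alongside TABLE_ADMIN because the first successful delete removes the table, but that reasoning is not visible here; a comment such as `// USER_GROUP_ADMIN/USER_GROUP_CREATE would also be allowed, but only one user can delete the table` would make the omission deliberate. The enclosing test starts outside the hunk.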
@@ -85,6 +85,7 @@ public class TestAccessController2 extends SecureTestUtil { private String namespace = "testNamespace"; private String tname = namespace + ":testtable1"; private byte[] tableName = Bytes.toBytes(tname); + private static String TESTGROUP_1_NAME; @BeforeClass public static void setupBeforeClass() throws Exception { @@ -97,6 +98,7 @@ public class TestAccessController2 extends SecureTestUtil { // Wait for the ACL table to become available TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME); + TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1); TESTGROUP1_USER1 = User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 }); TESTGROUP2_USER1 = 
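Review bot: `TESTGROUP_1_NAME` is declared as a mutable static and assigned inside setupBeforeClass, although its value depends only on the constant TESTGROUP_1 and convertToGroup is evidently callable from static context, since that is where this hunk calls it. Declaring it `private static final String TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);` next to the other constants removes the initialization-order dependency on the @BeforeClass method and matches the UPPER_SNAKE name, which currently promises a constant that is not final.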
@@ -189,24 +191,27 @@ public class TestAccessController2 extends SecureTestUtil { @Test public void testCreateTableWithGroupPermissions() throws Exception { - grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); - AccessTestAction createAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); - HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); - desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); - try { - admin.createTable(desc); - } finally { - admin.close(); + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE); + try { + AccessTestAction createAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration()); + HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); + desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); + try { + admin.createTable(desc); + } finally { + admin.close(); + } + return null; } - return null; - } - }; - verifyAllowed(createAction, TESTGROUP1_USER1); - verifyDenied(createAction, TESTGROUP2_USER1); - revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); + }; + verifyAllowed(createAction, TESTGROUP1_USER1); + verifyDenied(createAction, TESTGROUP2_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE); + } } @Test 
@@ -254,57 +259,67 @@ public class TestAccessController2 extends SecureTestUtil { SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE.getTableName(), null, null, Action.ADMIN); - // Write tests + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE); + try { + // Write tests - AccessTestAction writeAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, - TEST_VALUE)); - return null; - } finally { - t.close(); + AccessTestAction writeAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); + try { + t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, + TEST_VALUE)); + return null; + } finally { + t.close(); + } } - } - }; + }; - // All writes to ACL table denied except for GLOBAL WRITE permission and superuser + // All writes to ACL table denied except for GLOBAL WRITE permission and superuser - verifyDenied(writeAction, globalAdmin, globalCreate, globalRead); - verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite); - verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite); - verifyAllowed(writeAction, superUser, globalWrite); + verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1); + verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite); + verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite); + verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE); + } - // Read tests + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ); + try { + // Read tests - AccessTestAction scanAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HTable 
t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); - try { - ResultScanner s = t.getScanner(new Scan()); + AccessTestAction scanAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { - for (Result r = s.next(); r != null; r = s.next()) { - // do nothing + ResultScanner s = t.getScanner(new Scan()); + try { + for (Result r = s.next(); r != null; r = s.next()) { + // do nothing + } + } finally { + s.close(); } + return null; } finally { - s.close(); + t.close(); } - return null; - } finally { - t.close(); } - } - }; + }; - // All reads from ACL table denied except for GLOBAL READ and superuser + // All reads from ACL table denied except for GLOBAL READ and superuser - verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite); - verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite); - verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite); - verifyAllowed(scanAction, superUser, globalRead); + verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1); + verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite); + verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite); + verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ); + } } /* diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 62a8935..b283afb 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java 
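Review bot: The re-indented writeAction and scanAction bodies keep nested try/finally blocks around HTable and ResultScanner, which is most of this hunk's churn. Since the hunk rewrites those lines anyway, a try-with-resources form would cut the nesting and leave the grant/revoke try/finally as the only explicit one, provided the project's compiler level allows it (HTable and ResultScanner are Closeable). The hunk begins on the preceding physical line and the enclosing test starts outside it.
```java
AccessTestAction scanAction = new AccessTestAction() {
  @Override
  public Object run() throws Exception {
    try (HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
         ResultScanner s = t.getScanner(new Scan())) {
      for (Result r = s.next(); r != null; r = s.next()) {
        // do nothing
      }
      return null;
    }
  }
};
// … unchanged: verifyDenied/verifyAllowed calls and the revokeGlobal finally …
```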
@@ -68,6 +68,16 @@ public class TestNamespaceCommands extends SecureTestUtil { // user with admin permission on namespace. private static User USER_NSP_ADMIN; + private static final String GROUP_ADMIN = "group_admin"; + private static final String GROUP_CREATE = "group_create"; + private static final String GROUP_READ = "group_read"; + private static final String GROUP_WRITE = "group_write"; + + private static User USER_GROUP_ADMIN; + private static User USER_GROUP_CREATE; + private static User USER_GROUP_READ; + private static User USER_GROUP_WRITE; + private static String TEST_TABLE = TEST_NAMESPACE + ":testtable"; private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); @@ -82,6 +92,15 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]); USER_NSP_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]); + USER_GROUP_ADMIN = + User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + USER_GROUP_CREATE = + User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); + USER_GROUP_READ = + User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ }); + USER_GROUP_WRITE = + User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + UTIL.startMiniCluster(); // Wait for the ACL table to become available UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 30 * 1000); 
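Review bot: The four GROUP_* constants, the four USER_GROUP_* fields and their createUserForTesting calls are copied verbatim from TestAccessController (same constant values, same "user_group_*" short names), and the global grants in the following hunk repeat that file's setup too. Hoisting the group definitions and a helper that creates the four users into SecureTestUtil, which both classes already extend, would keep the two permission matrices from drifting apart. Either way a short comment such as `// each group user holds exactly one global action` next to the fields would document the design the assertions rely on.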
@@ -98,6 +117,11 @@ public class TestNamespaceCommands extends SecureTestUtil { grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE, Permission.Action.ADMIN); grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN); + + grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN); + grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE); + grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ); + grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE); } @AfterClass @@ -152,9 +176,10 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; // verify that superuser or hbase admin can modify namespaces. - verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN); + verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN); // all others should be denied - verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW); + verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
@@ -176,13 +201,15 @@ public class TestNamespaceCommands extends SecureTestUtil { }; // verify that only superuser can create namespaces. - verifyAllowed(createNamespace, SUPERUSER); - // verify that superuser or hbase admin can delete namespaces. - verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN); + verifyAllowed(createNamespace, SUPERUSER, USER_GROUP_ADMIN); + // verify that superuser or hbase admin can delete namespaces. + verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN); // all others should be denied - verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN); - verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW); + verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test 
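Review bot: The comment `// verify that only superuser can create namespaces.` is now contradicted by the line directly below it, which also allows USER_GROUP_ADMIN. Update it to `// verify that superuser or a global admin (here via group membership) can create namespaces.`, and consider noting that USER_NSP_ADMIN remaining in `verifyDenied(createNamespace, ...)` is the intended contrast between namespace-scoped and global ADMIN.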
@@ -241,14 +268,17 @@ public class TestNamespaceCommands extends SecureTestUtil { // Only HBase super user should be able to grant and revoke permissions to // namespaces - verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN); - verifyDenied(grantAction, USER_CREATE, USER_RW); - verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN); - verifyDenied(revokeAction, USER_CREATE, USER_RW); + verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN); + verifyDenied(grantAction, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_CREATE); + verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_CREATE); // Only an admin should be able to get the user permission - verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN); - verifyDenied(revokeAction, USER_CREATE, USER_RW); + verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_CREATE); } @Test @@ -264,9 +294,10 @@ public class TestNamespaceCommands extends SecureTestUtil { }; // Only users with create permissions on namespace should be able to create a new table - verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE); + verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE, USER_GROUP_CREATE); // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } } -- 1.9.5.msysgit.0
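Review bot: The block under `// Only an admin should be able to get the user permission` still exercises `revokeAction`, so the rewritten lines repeat the revoke assertions instead of testing a get-user-permissions action, and the new group users get no coverage for that operation. If a getUserPermissions-style action exists in this test (the hunk does not show one), substitute it here; otherwise drop the duplicate pair. The comment `// Only HBase super user should be able to grant and revoke permissions to namespaces` is likewise stale now that USER_NSP_ADMIN and USER_GROUP_ADMIN are in `verifyAllowed`.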