From 27314e44d54290165a9f1c5192fe8fcb35841fb6 Mon Sep 17 00:00:00 2001 From: Ashish Singhi Date: Wed, 10 Jun 2015 23:12:42 +0530 Subject: [PATCH] HBASE-13828 Add group permissions testing coverage to AC --- .../security/access/TestAccessController.java | 258 +++++++++++++-------- .../security/access/TestAccessController2.java | 136 ++++++----- .../security/access/TestNamespaceCommands.java | 197 ++++++---------- 3 files changed, 306 insertions(+), 285 deletions(-) diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index ce4aa68..147aadc 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -45,7 +45,6 @@ import org.apache.hadoop.hbase.HRegionInfo; import org.apache.hadoop.hbase.HRegionLocation; import org.apache.hadoop.hbase.HTableDescriptor; import org.apache.hadoop.hbase.KeyValue; -import org.apache.hadoop.hbase.testclassification.LargeTests; import org.apache.hadoop.hbase.MiniHBaseCluster; import org.apache.hadoop.hbase.NamespaceDescriptor; import org.apache.hadoop.hbase.ServerName; @@ -101,6 +100,7 @@ import org.apache.hadoop.hbase.regionserver.RegionServerCoprocessorHost; import org.apache.hadoop.hbase.regionserver.ScanType; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.Permission.Action; +import org.apache.hadoop.hbase.testclassification.LargeTests; import org.apache.hadoop.hbase.util.Bytes; import org.apache.hadoop.hbase.util.JVMClusterUtil; import org.apache.log4j.Level; @@ -156,6 +156,16 @@ public class TestAccessController extends SecureTestUtil { // user with admin rights on the column family private static User USER_ADMIN_CF; + private static final String GROUP_ADMIN = "group_admin"; + private static final String GROUP_CREATE = "group_create"; + private static final String GROUP_READ = "group_read"; + private static final String GROUP_WRITE = "group_write"; + + private static User USER_GROUP_ADMIN; + private static User USER_GROUP_CREATE; + private static User USER_GROUP_READ; + private static User USER_GROUP_WRITE; + // TODO: convert this test to cover the full matrix in // https://hbase.apache.org/book/appendix_acl_matrix.html // creating all Scope x Permission combinations @@ -215,6 +225,15 @@ public class TestAccessController extends SecureTestUtil { USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]); + USER_GROUP_ADMIN = + User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + USER_GROUP_CREATE = + User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); + USER_GROUP_READ = + User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ }); + USER_GROUP_WRITE = + User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); + systemUserConnection = TEST_UTIL.getConnection(); setUpTableAndUserPermissions(); } @@ -269,6 +288,11 @@ public class TestAccessController extends SecureTestUtil { TEST_TABLE, TEST_FAMILY, null, Permission.Action.ADMIN, Permission.Action.CREATE); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ); + grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE); + assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size()); try { assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection, @@ -305,10 +329,11 @@ public class TestAccessController extends SecureTestUtil { }; // verify that superuser can create tables - verifyAllowed(createTable, SUPERUSER, USER_ADMIN); + verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE); // all others should be denied - verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -325,8 +350,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -340,8 +366,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -356,8 +383,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -372,8 +400,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -389,8 +418,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -404,8 +434,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -428,11 +459,13 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); // No user should be allowed to disable _acl_ table - verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO); + verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, + USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -446,8 +479,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER); - verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE); + verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -468,8 +502,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -488,8 +523,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -508,8 +544,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -528,8 +565,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -542,8 +580,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -556,8 +595,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -570,8 +610,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -584,13 +625,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } private void verifyWrite(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(action, USER_NONE, USER_RO); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, + USER_GROUP_WRITE); + verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE); } @Test @@ -603,8 +646,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -619,8 +663,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -639,8 +684,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } finally { TEST_UTIL.deleteTable(tname); } @@ -656,8 +702,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -671,18 +718,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(action, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE, + USER_GROUP_ADMIN); + verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE); } private void verifyRead(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO); - verifyDenied(action, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO, + USER_GROUP_READ); + verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE); } private void verifyReadWrite(AccessTestAction action) throws Exception { verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(action, USER_NONE, USER_RO); + verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ, + USER_GROUP_WRITE); } @Test @@ -838,8 +888,10 @@ public class TestAccessController extends SecureTestUtil { // User performing bulk loads must have privilege to read table metadata // (ADMIN or CREATE) - verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE); - verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO); + verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, + USER_GROUP_CREATE); + verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } finally { // Reinit after the bulk upload TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE); @@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW); - verifyDenied(appendAction, USER_RO, USER_NONE); + verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, + USER_GROUP_WRITE); + verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ, + USER_GROUP_ADMIN); } @Test @@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); try { - verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER); - verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE); + verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN); + verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN); + verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, - USER_NONE); + USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } finally { // Cleanup, Grant the revoked permission back to the user grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, @@ -1531,8 +1588,8 @@ public class TestAccessController extends SecureTestUtil { } UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW")); - assertTrue("Only user admin has permission on table _acl_ per setup", - perms.size() == 1 && hasFoundUserPermission(adminPerm, perms)); + assertTrue("Only global users and user admin has permission on table _acl_ per setup", + perms.size() == 5 && hasFoundUserPermission(adminPerm, perms)); } /** global operations */ @@ -1719,8 +1776,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1733,8 +1791,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1747,8 +1806,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -1761,8 +1821,9 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(action, SUPERUSER, USER_ADMIN); - verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE, + USER_GROUP_READ, USER_GROUP_WRITE); } @Test @@ -1803,17 +1864,21 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN); - verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN); - verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN); - verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); - verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN); - verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN); + verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -1908,12 +1973,15 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN); - verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN, + USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, - TABLE_ADMIN); - verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE); + TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN); + verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); } finally { // Cleanup, revoke TABLE ADMIN privs revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null, @@ -1938,8 +2006,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, - USER_RW, USER_RO); + verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, + USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE); verifyIfEmptyList(listTablesAction, USER_NONE); } @@ -1970,7 +2038,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE); + verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, + USER_GROUP_WRITE); verifyAllowed(deleteTableAction, TABLE_ADMIN); } @@ -2355,7 +2424,7 @@ public class TestAccessController extends SecureTestUtil { // Verify that we can read sys-tables String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString(); - assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); + assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size()); // Grant TABLE ADMIN privs to testUserPerms @@ -2380,8 +2449,10 @@ public class TestAccessController extends SecureTestUtil { } private void verifyAnyCreate(AccessTestAction action) throws Exception { - verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF); - verifyDenied(action, USER_NONE, USER_RO, USER_RW); + verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF, + USER_GROUP_CREATE); + verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE, + USER_GROUP_ADMIN); } @Test @@ -2419,7 +2490,8 @@ public class TestAccessController extends SecureTestUtil { } }; - verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN); - verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER); + verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE); + verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, + USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE); } } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java index 78a7ba9..08408e2 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java @@ -94,6 +94,7 @@ public class TestAccessController2 extends SecureTestUtil { private String namespace = "testNamespace"; private String tname = namespace + ":testtable1"; private TableName tableName = TableName.valueOf(tname); + private static String TESTGROUP_1_NAME; @BeforeClass public static void setupBeforeClass() throws Exception { @@ -106,6 +107,7 @@ public class TestAccessController2 extends SecureTestUtil { // Wait for the ACL table to become available TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME); + TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1); TESTGROUP1_USER1 = User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 }); TESTGROUP2_USER1 = @@ -192,23 +194,27 @@ public class TestAccessController2 extends SecureTestUtil { @Test public void testCreateTableWithGroupPermissions() throws Exception { - grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); - AccessTestAction createAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); - desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); - try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { - try (Admin admin = connection.getAdmin()) { - admin.createTable(desc); + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE); + try { + AccessTestAction createAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName()); + desc.addFamily(new HColumnDescriptor(TEST_FAMILY)); + try (Connection connection = + ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { + try (Admin admin = connection.getAdmin()) { + admin.createTable(desc); + } } + return null; } - return null; - } - }; - verifyAllowed(createAction, TESTGROUP1_USER1); - verifyDenied(createAction, TESTGROUP2_USER1); - revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE); + }; + verifyAllowed(createAction, TESTGROUP1_USER1); + verifyDenied(createAction, TESTGROUP2_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE); + } } @Test @@ -255,55 +261,65 @@ public class TestAccessController2 extends SecureTestUtil { TEST_TABLE.getTableName(), null, null, Action.CREATE); SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE.getTableName(), null, null, Action.ADMIN); + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE); - // Write tests - - AccessTestAction writeAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, - TEST_VALUE)); - return null; - } finally { + try { + // Write tests + + AccessTestAction writeAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { + t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, + TEST_VALUE)); + return null; + } finally { + } } - } - }; + }; - // All writes to ACL table denied except for GLOBAL WRITE permission and superuser + // All writes to ACL table denied except for GLOBAL WRITE permission and superuser - verifyDenied(writeAction, globalAdmin, globalCreate, globalRead); - verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite); - verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite); - verifyAllowed(writeAction, superUser, globalWrite); - - // Read tests + verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1); + verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite); + verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite); + verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE); + } - AccessTestAction scanAction = new AccessTestAction() { - @Override - public Object run() throws Exception { - try(Connection conn = ConnectionFactory.createConnection(conf); - Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { - ResultScanner s = t.getScanner(new Scan()); - try { - for (Result r = s.next(); r != null; r = s.next()) { - // do nothing + grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ); + try { + // Read tests + + AccessTestAction scanAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + try (Connection conn = ConnectionFactory.createConnection(conf); + Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { + ResultScanner s = t.getScanner(new Scan()); + try { + for (Result r = s.next(); r != null; r = s.next()) { + // do nothing + } + } finally { + s.close(); } - } finally { - s.close(); + return null; } - return null; } - } - }; + }; - // All reads from ACL table denied except for GLOBAL READ and superuser + // All reads from ACL table denied except for GLOBAL READ and superuser - verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite); - verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite); - verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite); - verifyAllowed(scanAction, superUser, globalRead); + verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1); + verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite); + verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite); + verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1); + } finally { + revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ); + } } /* @@ -403,17 +419,17 @@ public class TestAccessController2 extends SecureTestUtil { // Verify user from a group which has table level access can read all the data and group which // has no access can't read any data. - grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ); + grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ); verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess); verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess); // Verify user from a group whose table level access has been revoked can't read any data. - revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null); + revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null); verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess); // Verify user from a group which has column family level access can read all the data // belonging to that family and group which has no access can't read any data. - grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null, + grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null, Permission.Action.READ); verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess); verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess); @@ -422,12 +438,12 @@ public class TestAccessController2 extends SecureTestUtil { // Verify user from a group whose column family level access has been revoked can't read any // data from that family. - revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null); + revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null); verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess); // Verify user from a group which has column qualifier level access can read data that has this // family and qualifier, and group which has no access can't read any data. - grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ); + grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ); verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess); verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess); verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess); @@ -437,7 +453,7 @@ public class TestAccessController2 extends SecureTestUtil { // Verify user from a group whose column qualifier level access has been revoked can't read the // data having this column family and qualifier. - revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1); + revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1); verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess); } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 2aabeed..bd174f3 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java @@ -91,6 +91,16 @@ public class TestNamespaceCommands extends SecureTestUtil { //user with create table permissions alone private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER + private static final String GROUP_ADMIN = "group_admin"; + private static final String GROUP_CREATE = "group_create"; + private static final String GROUP_READ = "group_read"; + private static final String GROUP_WRITE = "group_write"; + + private static User USER_GROUP_ADMIN; + private static User USER_GROUP_CREATE; + private static User USER_GROUP_READ; + private static User USER_GROUP_WRITE; + private static String TEST_TABLE = TEST_NAMESPACE + ":testtable"; private static byte[] TEST_FAMILY = Bytes.toBytes("f1"); @@ -115,6 +125,15 @@ public class TestNamespaceCommands extends SecureTestUtil { USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]); USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]); + + USER_GROUP_ADMIN = + User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); + USER_GROUP_CREATE = + User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE }); + USER_GROUP_READ = + User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ }); + USER_GROUP_WRITE = + User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE }); // TODO: other table perms UTIL.startMiniCluster(); @@ -143,6 +162,11 @@ public class TestNamespaceCommands extends SecureTestUtil { grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC); grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN); + + grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN); + grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE); + grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ); + grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE); } @AfterClass @@ -201,20 +225,10 @@ public class TestNamespaceCommands extends SecureTestUtil { }; // modifyNamespace: superuser | global(A) | NS(A) - verifyAllowed(modifyNamespace, - SUPERUSER, - USER_GLOBAL_ADMIN); - - verifyDenied(modifyNamespace, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC); + verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); + verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -238,41 +252,17 @@ public class TestNamespaceCommands extends SecureTestUtil { }; // createNamespace: superuser | global(A) - verifyAllowed(createNamespace, - SUPERUSER, - USER_GLOBAL_ADMIN); - + verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); // all others should be denied - verifyDenied(createNamespace, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); // deleteNamespace: superuser | global(A) | NS(A) - verifyAllowed(deleteNamespace, - SUPERUSER, - USER_GLOBAL_ADMIN); - - verifyDenied(deleteNamespace, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); + verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -286,22 +276,11 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; // getNamespaceDescriptor : superuser | global(A) | NS(A) - verifyAllowed(getNamespaceAction, - SUPERUSER, - USER_GLOBAL_ADMIN, - USER_NS_ADMIN); - - verifyDenied(getNamespaceAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, + USER_GROUP_ADMIN); + verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -324,14 +303,12 @@ public class TestNamespaceCommands extends SecureTestUtil { // listNamespaces : All access* // * Returned list will only show what you can call getNamespaceDescriptor() - verifyAllowed(listAction, - SUPERUSER, - USER_GLOBAL_ADMIN, - USER_NS_ADMIN); + verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN); // we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2] assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size()); assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size()); + assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size()); assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size()); @@ -345,6 +322,9 @@ public class TestNamespaceCommands extends SecureTestUtil { assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size()); assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size()); assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size()); + assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size()); + assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size()); + assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size()); } @Test @@ -396,56 +376,21 @@ public class TestNamespaceCommands extends SecureTestUtil { } }; - verifyAllowed(grantAction, - SUPERUSER, - USER_GLOBAL_ADMIN); - - verifyDenied(grantAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); - - verifyAllowed(revokeAction, - SUPERUSER, - USER_GLOBAL_ADMIN); - - verifyDenied(revokeAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); - - verifyAllowed(getPermissionsAction, - SUPERUSER, - USER_GLOBAL_ADMIN, - USER_NS_ADMIN); - - verifyDenied(getPermissionsAction, - USER_GLOBAL_CREATE, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_CREATE, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); + verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + + verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN); + verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); + + verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, + USER_GROUP_ADMIN); + verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE); } @Test @@ -461,21 +406,9 @@ public class TestNamespaceCommands extends SecureTestUtil { }; //createTable : superuser | global(C) | NS(C) - verifyAllowed(createTable, - SUPERUSER, - USER_GLOBAL_CREATE, - USER_NS_CREATE); - - verifyDenied(createTable, - USER_GLOBAL_ADMIN, - USER_GLOBAL_WRITE, - USER_GLOBAL_READ, - USER_GLOBAL_EXEC, - USER_NS_ADMIN, - USER_NS_WRITE, - USER_NS_READ, - USER_NS_EXEC, - USER_TABLE_CREATE, - USER_TABLE_WRITE); + verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE); + verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ, + USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC, + USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN); } } -- 1.9.5.msysgit.0