View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.access;
19  
20  import static org.junit.Assert.*;
21  
22  import java.util.List;
23  
24  import org.apache.hadoop.conf.Configuration;
25  import org.apache.hadoop.hbase.HBaseTestingUtility;
26  import org.apache.hadoop.hbase.HColumnDescriptor;
27  import org.apache.hadoop.hbase.HTableDescriptor;
28  import org.apache.hadoop.hbase.testclassification.LargeTests;
29  import org.apache.hadoop.hbase.client.HBaseAdmin;
30  import org.apache.hadoop.hbase.client.HTable;
31  import org.apache.hadoop.hbase.client.Put;
32  import org.apache.hadoop.hbase.client.Result;
33  import org.apache.hadoop.hbase.client.ResultScanner;
34  import org.apache.hadoop.hbase.client.Scan;
35  import org.apache.hadoop.hbase.security.User;
36  import org.apache.hadoop.hbase.security.access.Permission.Action;
37  import org.apache.hadoop.hbase.util.Bytes;
38  import org.apache.hadoop.hbase.util.TestTableName;
39  import org.junit.AfterClass;
40  import org.junit.BeforeClass;
41  import org.junit.Rule;
42  import org.junit.Test;
43  import org.junit.experimental.categories.Category;
44  
45  @Category(LargeTests.class)
46  public class TestAccessController2 extends SecureTestUtil {
47  
48    private static final byte[] TEST_ROW = Bytes.toBytes("test");
49    private static final byte[] TEST_FAMILY = Bytes.toBytes("f");
50    private static final byte[] TEST_QUALIFIER = Bytes.toBytes("q");
51    private static final byte[] TEST_VALUE = Bytes.toBytes("value");
52  
53    private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
54    private static Configuration conf;
55  
56    @Rule public TestTableName TEST_TABLE = new TestTableName();
57  
58    @BeforeClass
59    public static void setupBeforeClass() throws Exception {
60      conf = TEST_UTIL.getConfiguration();
61      // Enable security
62      enableSecurity(conf);
63      // Verify enableSecurity sets up what we require
64      verifyConfiguration(conf);
65      TEST_UTIL.startMiniCluster();
66      // Wait for the ACL table to become available
67      TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
68    }
69  
70    @AfterClass
71    public static void tearDownAfterClass() throws Exception {
72      TEST_UTIL.shutdownMiniCluster();
73    }
74  
75    @Test
76    public void testCreateWithCorrectOwner() throws Exception {
77      // Create a test user
78      User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
79        new String[0]);
80      // Grant the test user the ability to create tables
81      SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
82      verifyAllowed(new AccessTestAction() {
83        @Override
84        public Object run() throws Exception {
85          HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
86          desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
87          HBaseAdmin admin = new HBaseAdmin(conf);
88          try {
89            admin.createTable(desc);
90          } finally {
91            admin.close();
92          }
93          return null;
94        }
95      }, testUser);
96      TEST_UTIL.waitTableEnabled(TEST_TABLE.getTableName().getName());
97      // Verify that owner permissions have been granted to the test user on the
98      // table just created
99      List<TablePermission> perms = AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName())
100        .get(testUser.getShortName());
101     assertNotNull(perms);
102     assertFalse(perms.isEmpty());
103     // Should be RWXCA
104     assertTrue(perms.get(0).implies(Permission.Action.READ));
105     assertTrue(perms.get(0).implies(Permission.Action.WRITE));
106     assertTrue(perms.get(0).implies(Permission.Action.EXEC));
107     assertTrue(perms.get(0).implies(Permission.Action.CREATE));
108     assertTrue(perms.get(0).implies(Permission.Action.ADMIN));
109   }
110 
111   @Test
112   public void testACLTableAccess() throws Exception {
113     final Configuration conf = TEST_UTIL.getConfiguration();
114 
115     // Superuser
116     User superUser = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
117 
118     // Global users
119     User globalRead = User.createUserForTesting(conf, "globalRead", new String[0]);
120     User globalWrite = User.createUserForTesting(conf, "globalWrite", new String[0]);
121     User globalCreate = User.createUserForTesting(conf, "globalCreate", new String[0]);
122     User globalAdmin = User.createUserForTesting(conf, "globalAdmin", new String[0]);
123     SecureTestUtil.grantGlobal(TEST_UTIL, globalRead.getShortName(), Action.READ);
124     SecureTestUtil.grantGlobal(TEST_UTIL, globalWrite.getShortName(), Action.WRITE);
125     SecureTestUtil.grantGlobal(TEST_UTIL, globalCreate.getShortName(), Action.CREATE);
126     SecureTestUtil.grantGlobal(TEST_UTIL, globalAdmin.getShortName(), Action.ADMIN);
127 
128     // Namespace users
129     User nsRead = User.createUserForTesting(conf, "nsRead", new String[0]);
130     User nsWrite = User.createUserForTesting(conf, "nsWrite", new String[0]);
131     User nsCreate = User.createUserForTesting(conf, "nsCreate", new String[0]);
132     User nsAdmin = User.createUserForTesting(conf, "nsAdmin", new String[0]);
133     SecureTestUtil.grantOnNamespace(TEST_UTIL, nsRead.getShortName(),
134       TEST_TABLE.getTableName().getNamespaceAsString(), Action.READ);
135     SecureTestUtil.grantOnNamespace(TEST_UTIL, nsWrite.getShortName(),
136       TEST_TABLE.getTableName().getNamespaceAsString(), Action.WRITE);
137     SecureTestUtil.grantOnNamespace(TEST_UTIL, nsCreate.getShortName(),
138       TEST_TABLE.getTableName().getNamespaceAsString(), Action.CREATE);
139     SecureTestUtil.grantOnNamespace(TEST_UTIL, nsAdmin.getShortName(),
140       TEST_TABLE.getTableName().getNamespaceAsString(), Action.ADMIN);
141 
142     // Table users
143     User tableRead = User.createUserForTesting(conf, "tableRead", new String[0]);
144     User tableWrite = User.createUserForTesting(conf, "tableWrite", new String[0]);
145     User tableCreate = User.createUserForTesting(conf, "tableCreate", new String[0]);
146     User tableAdmin = User.createUserForTesting(conf, "tableAdmin", new String[0]);
147     SecureTestUtil.grantOnTable(TEST_UTIL, tableRead.getShortName(),
148       TEST_TABLE.getTableName(), null, null, Action.READ);
149     SecureTestUtil.grantOnTable(TEST_UTIL, tableWrite.getShortName(),
150       TEST_TABLE.getTableName(), null, null, Action.WRITE);
151     SecureTestUtil.grantOnTable(TEST_UTIL, tableCreate.getShortName(),
152       TEST_TABLE.getTableName(), null, null, Action.CREATE);
153     SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
154       TEST_TABLE.getTableName(), null, null, Action.ADMIN);
155 
156     // Write tests
157 
158     AccessTestAction writeAction = new AccessTestAction() {
159       @Override
160       public Object run() throws Exception {
161         HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
162         try {
163           t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
164             TEST_VALUE));
165           return null;
166         } finally {
167           t.close();
168         }
169       }
170     };
171 
172     // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
173 
174     verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
175     verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
176     verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
177     verifyAllowed(writeAction, superUser, globalWrite);
178 
179     // Read tests
180 
181     AccessTestAction scanAction = new AccessTestAction() {
182       @Override
183       public Object run() throws Exception {
184         HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
185         try {
186           ResultScanner s = t.getScanner(new Scan());
187           try {
188             for (Result r = s.next(); r != null; r = s.next()) {
189               // do nothing
190             }
191           } finally {
192             s.close();
193           }
194           return null;
195         } finally {
196           t.close();
197         }
198       }
199     };
200 
201     // All reads from ACL table denied except for GLOBAL READ and superuser
202 
203     verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
204     verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
205     verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
206     verifyAllowed(scanAction, superUser, globalRead);
207   }
208 
209 }