1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.apache.hadoop.hbase.security.access;
19
20 import static org.junit.Assert.*;
21
22 import java.util.List;
23
24 import org.apache.hadoop.conf.Configuration;
25 import org.apache.hadoop.hbase.HBaseTestingUtility;
26 import org.apache.hadoop.hbase.HColumnDescriptor;
27 import org.apache.hadoop.hbase.HTableDescriptor;
28 import org.apache.hadoop.hbase.testclassification.LargeTests;
29 import org.apache.hadoop.hbase.client.HBaseAdmin;
30 import org.apache.hadoop.hbase.client.HTable;
31 import org.apache.hadoop.hbase.client.Put;
32 import org.apache.hadoop.hbase.client.Result;
33 import org.apache.hadoop.hbase.client.ResultScanner;
34 import org.apache.hadoop.hbase.client.Scan;
35 import org.apache.hadoop.hbase.security.User;
36 import org.apache.hadoop.hbase.security.access.Permission.Action;
37 import org.apache.hadoop.hbase.util.Bytes;
38 import org.apache.hadoop.hbase.util.TestTableName;
39 import org.junit.AfterClass;
40 import org.junit.BeforeClass;
41 import org.junit.Rule;
42 import org.junit.Test;
43 import org.junit.experimental.categories.Category;
44
45 @Category(LargeTests.class)
46 public class TestAccessController2 extends SecureTestUtil {
47
48 private static final byte[] TEST_ROW = Bytes.toBytes("test");
49 private static final byte[] TEST_FAMILY = Bytes.toBytes("f");
50 private static final byte[] TEST_QUALIFIER = Bytes.toBytes("q");
51 private static final byte[] TEST_VALUE = Bytes.toBytes("value");
52
53 private static HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
54 private static Configuration conf;
55
56 @Rule public TestTableName TEST_TABLE = new TestTableName();
57
58 @BeforeClass
59 public static void setupBeforeClass() throws Exception {
60 conf = TEST_UTIL.getConfiguration();
61
62 enableSecurity(conf);
63
64 verifyConfiguration(conf);
65 TEST_UTIL.startMiniCluster();
66
67 TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
68 }
69
70 @AfterClass
71 public static void tearDownAfterClass() throws Exception {
72 TEST_UTIL.shutdownMiniCluster();
73 }
74
75 @Test
76 public void testCreateWithCorrectOwner() throws Exception {
77
78 User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
79 new String[0]);
80
81 SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
82 verifyAllowed(new AccessTestAction() {
83 @Override
84 public Object run() throws Exception {
85 HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
86 desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
87 HBaseAdmin admin = new HBaseAdmin(conf);
88 try {
89 admin.createTable(desc);
90 } finally {
91 admin.close();
92 }
93 return null;
94 }
95 }, testUser);
96 TEST_UTIL.waitTableEnabled(TEST_TABLE.getTableName().getName());
97
98
99 List<TablePermission> perms = AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName())
100 .get(testUser.getShortName());
101 assertNotNull(perms);
102 assertFalse(perms.isEmpty());
103
104 assertTrue(perms.get(0).implies(Permission.Action.READ));
105 assertTrue(perms.get(0).implies(Permission.Action.WRITE));
106 assertTrue(perms.get(0).implies(Permission.Action.EXEC));
107 assertTrue(perms.get(0).implies(Permission.Action.CREATE));
108 assertTrue(perms.get(0).implies(Permission.Action.ADMIN));
109 }
110
111 @Test
112 public void testACLTableAccess() throws Exception {
113 final Configuration conf = TEST_UTIL.getConfiguration();
114
115
116 User superUser = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
117
118
119 User globalRead = User.createUserForTesting(conf, "globalRead", new String[0]);
120 User globalWrite = User.createUserForTesting(conf, "globalWrite", new String[0]);
121 User globalCreate = User.createUserForTesting(conf, "globalCreate", new String[0]);
122 User globalAdmin = User.createUserForTesting(conf, "globalAdmin", new String[0]);
123 SecureTestUtil.grantGlobal(TEST_UTIL, globalRead.getShortName(), Action.READ);
124 SecureTestUtil.grantGlobal(TEST_UTIL, globalWrite.getShortName(), Action.WRITE);
125 SecureTestUtil.grantGlobal(TEST_UTIL, globalCreate.getShortName(), Action.CREATE);
126 SecureTestUtil.grantGlobal(TEST_UTIL, globalAdmin.getShortName(), Action.ADMIN);
127
128
129 User nsRead = User.createUserForTesting(conf, "nsRead", new String[0]);
130 User nsWrite = User.createUserForTesting(conf, "nsWrite", new String[0]);
131 User nsCreate = User.createUserForTesting(conf, "nsCreate", new String[0]);
132 User nsAdmin = User.createUserForTesting(conf, "nsAdmin", new String[0]);
133 SecureTestUtil.grantOnNamespace(TEST_UTIL, nsRead.getShortName(),
134 TEST_TABLE.getTableName().getNamespaceAsString(), Action.READ);
135 SecureTestUtil.grantOnNamespace(TEST_UTIL, nsWrite.getShortName(),
136 TEST_TABLE.getTableName().getNamespaceAsString(), Action.WRITE);
137 SecureTestUtil.grantOnNamespace(TEST_UTIL, nsCreate.getShortName(),
138 TEST_TABLE.getTableName().getNamespaceAsString(), Action.CREATE);
139 SecureTestUtil.grantOnNamespace(TEST_UTIL, nsAdmin.getShortName(),
140 TEST_TABLE.getTableName().getNamespaceAsString(), Action.ADMIN);
141
142
143 User tableRead = User.createUserForTesting(conf, "tableRead", new String[0]);
144 User tableWrite = User.createUserForTesting(conf, "tableWrite", new String[0]);
145 User tableCreate = User.createUserForTesting(conf, "tableCreate", new String[0]);
146 User tableAdmin = User.createUserForTesting(conf, "tableAdmin", new String[0]);
147 SecureTestUtil.grantOnTable(TEST_UTIL, tableRead.getShortName(),
148 TEST_TABLE.getTableName(), null, null, Action.READ);
149 SecureTestUtil.grantOnTable(TEST_UTIL, tableWrite.getShortName(),
150 TEST_TABLE.getTableName(), null, null, Action.WRITE);
151 SecureTestUtil.grantOnTable(TEST_UTIL, tableCreate.getShortName(),
152 TEST_TABLE.getTableName(), null, null, Action.CREATE);
153 SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
154 TEST_TABLE.getTableName(), null, null, Action.ADMIN);
155
156
157
158 AccessTestAction writeAction = new AccessTestAction() {
159 @Override
160 public Object run() throws Exception {
161 HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
162 try {
163 t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
164 TEST_VALUE));
165 return null;
166 } finally {
167 t.close();
168 }
169 }
170 };
171
172
173
174 verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
175 verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
176 verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
177 verifyAllowed(writeAction, superUser, globalWrite);
178
179
180
181 AccessTestAction scanAction = new AccessTestAction() {
182 @Override
183 public Object run() throws Exception {
184 HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
185 try {
186 ResultScanner s = t.getScanner(new Scan());
187 try {
188 for (Result r = s.next(); r != null; r = s.next()) {
189
190 }
191 } finally {
192 s.close();
193 }
194 return null;
195 } finally {
196 t.close();
197 }
198 }
199 };
200
201
202
203 verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
204 verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
205 verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
206 verifyAllowed(scanAction, superUser, globalRead);
207 }
208
209 }