use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.
the class TestSecureExport method testVisibilityLabels.
@Test
// See HBASE-23990
@org.junit.Ignore
public void testVisibilityLabels() throws IOException, Throwable {
final String exportTable = name.getMethodName() + "_export";
final String importTable = name.getMethodName() + "_import";
final TableDescriptor exportHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(exportTable)).setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)).build();
User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]);
SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][] { Bytes.toBytes("s") });
AccessTestAction putAction = () -> {
Put p1 = new Put(ROW1);
p1.addColumn(FAMILYA, QUAL, NOW, QUAL);
p1.setCellVisibility(new CellVisibility(SECRET));
Put p2 = new Put(ROW2);
p2.addColumn(FAMILYA, QUAL, NOW, QUAL);
p2.setCellVisibility(new CellVisibility(PRIVATE + " & " + CONFIDENTIAL));
Put p3 = new Put(ROW3);
p3.addColumn(FAMILYA, QUAL, NOW, QUAL);
p3.setCellVisibility(new CellVisibility("!" + CONFIDENTIAL + " & " + TOPSECRET));
try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
Table t = conn.getTable(TableName.valueOf(exportTable))) {
t.put(p1);
t.put(p2);
t.put(p3);
}
return null;
};
SecureTestUtil.verifyAllowed(putAction, getUserByLogin(USER_OWNER));
List<Pair<List<String>, Integer>> labelsAndRowCounts = new LinkedList<>();
labelsAndRowCounts.add(new Pair<>(Arrays.asList(SECRET), 1));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(PRIVATE, CONFIDENTIAL), 1));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET), 1));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL), 0));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL, PRIVATE, SECRET), 2));
for (final Pair<List<String>, Integer> labelsAndRowCount : labelsAndRowCounts) {
final List<String> labels = labelsAndRowCount.getFirst();
final int rowCount = labelsAndRowCount.getSecond();
// create a open permission directory.
final Path openDir = new Path("testAccessCase");
final FileSystem fs = openDir.getFileSystem(UTIL.getConfiguration());
fs.mkdirs(openDir);
fs.setPermission(openDir, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.ALL));
final Path output = fs.makeQualified(new Path(openDir, "output"));
AccessTestAction exportAction = () -> {
StringBuilder buf = new StringBuilder();
labels.forEach(v -> buf.append(v).append(","));
buf.deleteCharAt(buf.length() - 1);
try {
String[] args = new String[] { "-D " + ExportUtils.EXPORT_VISIBILITY_LABELS + "=" + buf.toString(), exportTable, output.toString() };
Export.run(new Configuration(UTIL.getConfiguration()), args);
return null;
} catch (ServiceException | IOException ex) {
throw ex;
} catch (Throwable ex) {
throw new Exception(ex);
}
};
SecureTestUtil.verifyAllowed(exportAction, getUserByLogin(USER_OWNER));
final TableDescriptor importHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(importTable)).setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYB)).build();
SecureTestUtil.createTable(UTIL, owner, importHtd, new byte[][] { Bytes.toBytes("s") });
AccessTestAction importAction = () -> {
String[] args = new String[] { "-D" + Import.CF_RENAME_PROP + "=" + FAMILYA_STRING + ":" + FAMILYB_STRING, importTable, output.toString() };
assertEquals(0, ToolRunner.run(new Configuration(UTIL.getConfiguration()), new Import(), args));
return null;
};
SecureTestUtil.verifyAllowed(importAction, getUserByLogin(USER_OWNER));
AccessTestAction scanAction = () -> {
Scan scan = new Scan();
scan.setAuthorizations(new Authorizations(labels));
try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
Table table = conn.getTable(importHtd.getTableName());
ResultScanner scanner = table.getScanner(scan)) {
int count = 0;
for (Result r : scanner) {
++count;
}
assertEquals(rowCount, count);
}
return null;
};
SecureTestUtil.verifyAllowed(scanAction, getUserByLogin(USER_OWNER));
AccessTestAction deleteAction = () -> {
UTIL.deleteTable(importHtd.getTableName());
return null;
};
SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
clearOutput(output);
}
AccessTestAction deleteAction = () -> {
UTIL.deleteTable(exportHtd.getTableName());
return null;
};
SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
}
use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.
the class TestGet method TestGetRowFromGetCopyConstructor.
@Test
public void TestGetRowFromGetCopyConstructor() throws Exception {
Get get = new Get(ROW);
get.setFilter(null);
get.setAuthorizations(new Authorizations("foo"));
get.setACL("u", new Permission(Permission.Action.READ));
get.setConsistency(Consistency.TIMELINE);
get.setReplicaId(2);
get.setIsolationLevel(IsolationLevel.READ_UNCOMMITTED);
get.setCheckExistenceOnly(true);
get.setTimeRange(3, 4);
get.readVersions(11);
get.setMaxResultsPerColumnFamily(10);
get.setRowOffsetPerColumnFamily(11);
get.setCacheBlocks(true);
Get copyGet = new Get(get);
assertEquals(0, Bytes.compareTo(get.getRow(), copyGet.getRow()));
// from OperationWithAttributes
assertEquals(get.getId(), copyGet.getId());
// from Query class
assertEquals(get.getFilter(), copyGet.getFilter());
assertTrue(get.getAuthorizations().toString().equals(copyGet.getAuthorizations().toString()));
assertTrue(Bytes.equals(get.getACL(), copyGet.getACL()));
assertEquals(get.getConsistency(), copyGet.getConsistency());
assertEquals(get.getReplicaId(), copyGet.getReplicaId());
assertEquals(get.getIsolationLevel(), copyGet.getIsolationLevel());
// from Get class
assertEquals(get.isCheckExistenceOnly(), copyGet.isCheckExistenceOnly());
assertTrue(get.getTimeRange().equals(copyGet.getTimeRange()));
assertEquals(get.getMaxVersions(), copyGet.getMaxVersions());
assertEquals(get.getMaxResultsPerColumnFamily(), copyGet.getMaxResultsPerColumnFamily());
assertEquals(get.getRowOffsetPerColumnFamily(), copyGet.getRowOffsetPerColumnFamily());
assertEquals(get.getCacheBlocks(), copyGet.getCacheBlocks());
assertEquals(get.getId(), copyGet.getId());
}
use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.
the class TestImmutableScan method testScanCopyConstructor.
@Test
public void testScanCopyConstructor() throws Exception {
Scan scan = new Scan();
scan.addColumn(Bytes.toBytes("cf"), Bytes.toBytes("q")).setACL("test_user2", new Permission(Permission.Action.READ)).setAllowPartialResults(true).setAsyncPrefetch(false).setAttribute("test_key", Bytes.toBytes("test_value")).setAuthorizations(new Authorizations("test_label")).setBatch(10).setCacheBlocks(false).setCaching(10).setConsistency(Consistency.TIMELINE).setFilter(new FilterList()).setId("scan_copy_constructor").setIsolationLevel(IsolationLevel.READ_COMMITTED).setLimit(100).setLoadColumnFamiliesOnDemand(false).setMaxResultSize(100).setMaxResultsPerColumnFamily(1000).readVersions(9999).setMvccReadPoint(5).setNeedCursorResult(true).setPriority(1).setRaw(true).setReplicaId(3).setReversed(true).setRowOffsetPerColumnFamily(5).setRowPrefixFilter(Bytes.toBytes("row_")).setScanMetricsEnabled(true).setReadType(Scan.ReadType.STREAM).withStartRow(Bytes.toBytes("row_1")).withStopRow(Bytes.toBytes("row_2")).setTimeRange(0, 13);
// create a copy of existing scan object
Scan scanCopy = new ImmutableScan(scan);
// validate fields of copied scan object match with the original scan object
assertArrayEquals(scan.getACL(), scanCopy.getACL());
assertEquals(scan.getAllowPartialResults(), scanCopy.getAllowPartialResults());
assertArrayEquals(scan.getAttribute("test_key"), scanCopy.getAttribute("test_key"));
assertEquals(scan.getAttributeSize(), scanCopy.getAttributeSize());
assertEquals(scan.getAttributesMap(), scanCopy.getAttributesMap());
assertEquals(scan.getAuthorizations().getLabels(), scanCopy.getAuthorizations().getLabels());
assertEquals(scan.getBatch(), scanCopy.getBatch());
assertEquals(scan.getCacheBlocks(), scanCopy.getCacheBlocks());
assertEquals(scan.getCaching(), scanCopy.getCaching());
assertEquals(scan.getConsistency(), scanCopy.getConsistency());
assertEquals(scan.getFamilies().length, scanCopy.getFamilies().length);
assertArrayEquals(scan.getFamilies()[0], scanCopy.getFamilies()[0]);
assertEquals(scan.getFamilyMap(), scanCopy.getFamilyMap());
assertEquals(scan.getFilter(), scanCopy.getFilter());
assertEquals(scan.getId(), scanCopy.getId());
assertEquals(scan.getIsolationLevel(), scanCopy.getIsolationLevel());
assertEquals(scan.getLimit(), scanCopy.getLimit());
assertEquals(scan.getLoadColumnFamiliesOnDemandValue(), scanCopy.getLoadColumnFamiliesOnDemandValue());
assertEquals(scan.getMaxResultSize(), scanCopy.getMaxResultSize());
assertEquals(scan.getMaxResultsPerColumnFamily(), scanCopy.getMaxResultsPerColumnFamily());
assertEquals(scan.getMaxVersions(), scanCopy.getMaxVersions());
assertEquals(scan.getMvccReadPoint(), scanCopy.getMvccReadPoint());
assertEquals(scan.getPriority(), scanCopy.getPriority());
assertEquals(scan.getReadType(), scanCopy.getReadType());
assertEquals(scan.getReplicaId(), scanCopy.getReplicaId());
assertEquals(scan.getRowOffsetPerColumnFamily(), scanCopy.getRowOffsetPerColumnFamily());
assertArrayEquals(scan.getStartRow(), scanCopy.getStartRow());
assertArrayEquals(scan.getStopRow(), scanCopy.getStopRow());
assertEquals(scan.getTimeRange(), scanCopy.getTimeRange());
assertEquals(scan.getFingerprint(), scanCopy.getFingerprint());
assertEquals(scan.toMap(1), scanCopy.toMap(1));
assertEquals(scan.toString(2), scanCopy.toString(2));
assertEquals(scan.toJSON(2), scanCopy.toJSON(2));
LOG.debug("Compare all getters of scan and scanCopy.");
compareGetters(scan, scanCopy);
testUnmodifiableSetters(scanCopy);
}
use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.
the class TestScan method testGetToScan.
@Test
public void testGetToScan() throws Exception {
Get get = new Get(Bytes.toBytes(1));
get.setCacheBlocks(true).setConsistency(Consistency.TIMELINE).setFilter(new FilterList()).setId("get").setIsolationLevel(IsolationLevel.READ_COMMITTED).setLoadColumnFamiliesOnDemand(false).setMaxResultsPerColumnFamily(1000).readVersions(9999).setRowOffsetPerColumnFamily(5).setTimeRange(0, 13).setAttribute("att_v0", Bytes.toBytes("att_v0")).setColumnFamilyTimeRange(Bytes.toBytes("cf"), 0, 123).setReplicaId(3).setACL("test_user", new Permission(Permission.Action.READ)).setAuthorizations(new Authorizations("test_label")).setPriority(3);
Scan scan = new Scan(get);
assertEquals(get.getCacheBlocks(), scan.getCacheBlocks());
assertEquals(get.getConsistency(), scan.getConsistency());
assertEquals(get.getFilter(), scan.getFilter());
assertEquals(get.getId(), scan.getId());
assertEquals(get.getIsolationLevel(), scan.getIsolationLevel());
assertEquals(get.getLoadColumnFamiliesOnDemandValue(), scan.getLoadColumnFamiliesOnDemandValue());
assertEquals(get.getMaxResultsPerColumnFamily(), scan.getMaxResultsPerColumnFamily());
assertEquals(get.getMaxVersions(), scan.getMaxVersions());
assertEquals(get.getRowOffsetPerColumnFamily(), scan.getRowOffsetPerColumnFamily());
assertEquals(get.getTimeRange().getMin(), scan.getTimeRange().getMin());
assertEquals(get.getTimeRange().getMax(), scan.getTimeRange().getMax());
assertTrue(Bytes.equals(get.getAttribute("att_v0"), scan.getAttribute("att_v0")));
assertEquals(get.getColumnFamilyTimeRange().get(Bytes.toBytes("cf")).getMin(), scan.getColumnFamilyTimeRange().get(Bytes.toBytes("cf")).getMin());
assertEquals(get.getColumnFamilyTimeRange().get(Bytes.toBytes("cf")).getMax(), scan.getColumnFamilyTimeRange().get(Bytes.toBytes("cf")).getMax());
assertEquals(get.getReplicaId(), scan.getReplicaId());
assertEquals(get.getACL(), scan.getACL());
assertEquals(get.getAuthorizations().getLabels(), scan.getAuthorizations().getLabels());
assertEquals(get.getPriority(), scan.getPriority());
}
use of org.apache.hadoop.hbase.security.access.Permission in project hbase by apache.
the class TestAsyncAccessControlAdminApi method test.
@Test
public void test() throws Exception {
TableName tableName = TableName.valueOf("test-table");
String userName1 = "user1";
String userName2 = "user2";
User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
Permission permission = Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
UserPermission userPermission = new UserPermission(userName1, permission);
// grant user1 table permission
admin.grant(userPermission, false).get();
// get table permissions
List<UserPermission> userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
assertEquals(1, userPermissions.size());
assertEquals(userPermission, userPermissions.get(0));
// get table permissions
userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build()).get();
assertEquals(1, userPermissions.size());
assertEquals(userPermission, userPermissions.get(0));
userPermissions = admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build()).get();
assertEquals(0, userPermissions.size());
// has user permission
List<Permission> permissions = Lists.newArrayList(permission);
boolean hasPermission = admin.hasUserPermissions(userName1, permissions).get().get(0).booleanValue();
assertTrue(hasPermission);
hasPermission = admin.hasUserPermissions(userName2, permissions).get().get(0).booleanValue();
assertFalse(hasPermission);
AccessTestAction hasPermissionAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (AsyncConnection conn = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
}
}
};
try {
user2.runAs(hasPermissionAction);
fail("Should not come here");
} catch (Exception e) {
LOG.error("Call has permission error", e);
}
// check permission
admin.hasUserPermissions(permissions);
AccessTestAction checkPermissionsAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try (AsyncConnection conn = ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
}
}
};
assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}
Aggregations