
Example 1 with SystemPermission

Use of org.apache.accumulo.core.security.SystemPermission in the project accumulo by apache.

From the class UserPermissionsCommand, method execute.

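@Override
public int execute(final String fullCommand, final CommandLine cl, final Shell shellState) throws AccumuloException, AccumuloSecurityException, IOException {
    // Without an explicit user option, report on the principal the shell is currently authenticated as.
    final String user = cl.getOptionValue(userOpt.getOpt(), shellState.getConnector().whoami());
    // Output layout: one "System permissions: ..." line, then one "Namespace permissions (<ns>): ..."
    // line for every namespace with at least one grant, then the same per table. Namespaces and
    // tables on which the user holds nothing are omitted entirely; the three sections are
    // separated by println() calls.
    printSystemPermissions(shellState, user);
    shellState.getReader().println();
    for (String namespace : shellState.getConnector().namespaceOperations().list()) {
        printNamespacePermissions(shellState, user, namespace);
    }
    shellState.getReader().println();
    for (String table : shellState.getConnector().tableOperations().list()) {
        printTablePermissions(shellState, user, table);
    }
    shellState.getReader().println();
    return 0;
}

/**
 * Prints the system permissions held by {@code user} as one comma-separated run prefixed with
 * "System permissions: ". The prefix is printed even when the user holds no system permission.
 *
 * @param shellState shell whose connector and reader are used
 * @param user principal whose permissions are queried
 * @throws AccumuloException on a general client error from the permission check
 * @throws AccumuloSecurityException when the permission check itself is denied
 * @throws IOException when the shell reader cannot be written to
 */
private static void printSystemPermissions(final Shell shellState, final String user) throws AccumuloException, AccumuloSecurityException, IOException {
    shellState.getReader().print("System permissions: ");
    String delim = "";
    // Enum#values() never contains null, so no per-element null check is needed.
    for (SystemPermission p : SystemPermission.values()) {
        if (shellState.getConnector().securityOperations().hasSystemPermission(user, p)) {
            shellState.getReader().print(delim + "System." + p.name());
            delim = ", ";
        }
    }
}

/**
 * Prints the permissions {@code user} holds on {@code namespace}, if any, as a line of the form
 * "\nNamespace permissions (<namespace>): Namespace.X, Namespace.Y". Nothing is printed for a
 * namespace on which the user holds no permission.
 *
 * @param shellState shell whose connector and reader are used
 * @param user principal whose permissions are queried
 * @param namespace namespace to inspect
 * @throws AccumuloException on a general client error from the permission check
 * @throws AccumuloSecurityException when the permission check itself is denied
 * @throws IOException when the shell reader cannot be written to
 */
private static void printNamespacePermissions(final Shell shellState, final String user, final String namespace) throws AccumuloException, AccumuloSecurityException, IOException {
    String delim = "";
    // The header is emitted lazily so that namespaces with no grants produce no output at all.
    boolean headerPending = true;
    for (NamespacePermission p : NamespacePermission.values()) {
        if (shellState.getConnector().securityOperations().hasNamespacePermission(user, namespace, p)) {
            if (headerPending) {
                shellState.getReader().print("\nNamespace permissions (" + namespace + "): ");
                headerPending = false;
            }
            shellState.getReader().print(delim + "Namespace." + p.name());
            delim = ", ";
        }
    }
}

/**
 * Prints the permissions {@code user} holds on {@code table}, if any, as a line of the form
 * "\nTable permissions (<table>): Table.X, Table.Y". Nothing is printed for a table on which
 * the user holds no permission.
 *
 * @param shellState shell whose connector and reader are used
 * @param user principal whose permissions are queried
 * @param table table to inspect
 * @throws AccumuloException on a general client error from the permission check
 * @throws AccumuloSecurityException when the permission check itself is denied
 * @throws IOException when the shell reader cannot be written to
 */
private static void printTablePermissions(final Shell shellState, final String user, final String table) throws AccumuloException, AccumuloSecurityException, IOException {
    String delim = "";
    // Same lazy-header scheme as for namespaces.
    boolean headerPending = true;
    for (TablePermission p : TablePermission.values()) {
        if (shellState.getConnector().securityOperations().hasTablePermission(user, table, p)) {
            if (headerPending) {
                shellState.getReader().print("\nTable permissions (" + table + "): ");
                headerPending = false;
            }
            shellState.getReader().print(delim + "Table." + p.name());
            delim = ", ";
        }
    }
}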
Also used : SystemPermission(org.apache.accumulo.core.security.SystemPermission) TablePermission(org.apache.accumulo.core.security.TablePermission) NamespacePermission(org.apache.accumulo.core.security.NamespacePermission)

Example 2 with SystemPermission

Use of org.apache.accumulo.core.security.SystemPermission in the project accumulo by apache.

From the class ZKAuthenticatorTest, method testSystemConversion.

public void testSystemConversion() {
    // Start from the full set of system permissions, in enum order.
    final Set<SystemPermission> original = new TreeSet<>();
    for (SystemPermission permission : SystemPermission.values()) {
        original.add(permission);
    }
    // Push the set through both ZKSecurityTool.convertSystemPermissions overloads, i.e. encode then decode.
    final Set<SystemPermission> roundTripped = ZKSecurityTool.convertSystemPermissions(ZKSecurityTool.convertSystemPermissions(original));
    // The round trip must neither drop nor invent a permission.
    assertTrue(original.size() == roundTripped.size());
    for (SystemPermission permission : original) {
        assertTrue(roundTripped.contains(permission));
    }
}
Also used : SystemPermission(org.apache.accumulo.core.security.SystemPermission) TreeSet(java.util.TreeSet)

Example 3 with SystemPermission

Use of org.apache.accumulo.core.security.SystemPermission in the project accumulo by apache.

From the class KerberosIT, method testUserPrivilegesForTable.

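@Test
public void testUserPrivilegesForTable() throws Exception {
    String user1 = testName.getMethodName();
    final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab");
    // Remove any keytab left behind by an earlier run before asking the KDC to write a fresh one.
    if (user1Keytab.exists() && !user1Keytab.delete()) {
        log.warn("Unable to delete {}", user1Keytab);
    }
    // Create some new users -- cannot contain realm
    kdc.createPrincipal(user1Keytab, user1);
    final String qualifiedUser1 = kdc.qualifyUser(user1);
    // Log in as user1
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1, user1Keytab.getAbsolutePath());
    log.info("Logged in as {}", user1);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            // Indirectly creates this user when we use it
            Connector conn = mac.getConnector(qualifiedUser1, new KerberosToken());
            log.info("Created connector as {}", qualifiedUser1);
            // A freshly created principal must start out with no system-level privileges at all.
            for (SystemPermission perm : SystemPermission.values()) {
                assertFalse("New user unexpectedly holds " + perm, conn.securityOperations().hasSystemPermission(qualifiedUser1, perm));
            }
            return null;
        }
    });
    final String table = testName.getMethodName() + "_user_table";
    final String viz = "viz";
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            conn.tableOperations().create(table);
            // Give our unprivileged user permission on the table we made for them -- table-scoped
            // grants only; the user still holds no system permission.
            conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.READ);
            conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.WRITE);
            conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.ALTER_TABLE);
            conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.DROP_TABLE);
            // The scan below uses the "viz" authorization, so the user must be allowed to present it.
            conn.securityOperations().changeUserAuthorizations(qualifiedUser1, new Authorizations(viz));
            return null;
        }
    });
    // Switch back to the original user
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1, user1Keytab.getAbsolutePath());
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Connector conn = mac.getConnector(qualifiedUser1, new KerberosToken());
            // Make sure we can actually use the table we made
            // Write data
            final long ts = 1000L;
            // try-with-resources so the writer is closed even if addMutation throws; closing also flushes the mutation.
            try (BatchWriter bw = conn.createBatchWriter(table, new BatchWriterConfig())) {
                Mutation m = new Mutation("a");
                // ColumnVisibility has a String constructor; it avoids the platform-charset getBytes() call.
                m.put("b", "c", new ColumnVisibility(viz), ts, "d");
                bw.addMutation(m);
            }
            // Compact
            conn.tableOperations().compact(table, new CompactionConfig().setWait(true).setFlush(true));
            // Alter
            conn.tableOperations().setProperty(table, Property.TABLE_BLOOM_ENABLED.getKey(), "true");
            // Read (and proper authorizations)
            try (Scanner s = conn.createScanner(table, new Authorizations(viz))) {
                Iterator<Entry<Key, Value>> iter = s.iterator();
                assertTrue("No results from iterator", iter.hasNext());
                Entry<Key, Value> entry = iter.next();
                assertEquals(new Key("a", "b", "c", viz, ts), entry.getKey());
                assertEquals(new Value("d".getBytes()), entry.getValue());
                assertFalse("Had more results from iterator", iter.hasNext());
                return null;
            }
        }
    });
}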
Also used : Connector(org.apache.accumulo.core.client.Connector) BatchScanner(org.apache.accumulo.core.client.BatchScanner) Scanner(org.apache.accumulo.core.client.Scanner) Authorizations(org.apache.accumulo.core.security.Authorizations) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) TableExistsException(org.apache.accumulo.core.client.TableExistsException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) AccumuloException(org.apache.accumulo.core.client.AccumuloException) SystemPermission(org.apache.accumulo.core.security.SystemPermission) Entry(java.util.Map.Entry) CompactionConfig(org.apache.accumulo.core.client.admin.CompactionConfig) Iterator(java.util.Iterator) Value(org.apache.accumulo.core.data.Value) BatchWriterConfig(org.apache.accumulo.core.client.BatchWriterConfig) BatchWriter(org.apache.accumulo.core.client.BatchWriter) Mutation(org.apache.accumulo.core.data.Mutation) ColumnVisibility(org.apache.accumulo.core.security.ColumnVisibility) File(java.io.File) Key(org.apache.accumulo.core.data.Key) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 4 with SystemPermission

Use of org.apache.accumulo.core.security.SystemPermission in the project accumulo by apache.

From the class KerberosIT, method testNewUser.

@Test
public void testNewUser() throws Exception {
    final String shortName = testName.getMethodName();
    final File newUserKeytab = new File(kdc.getKeytabDir(), shortName + ".keytab");
    // Discard a keytab left over from an earlier run so the KDC writes a fresh one.
    if (newUserKeytab.exists() && !newUserKeytab.delete()) {
        log.warn("Unable to delete {}", newUserKeytab);
    }
    // Create a new user
    kdc.createPrincipal(newUserKeytab, shortName);
    final String newQualifiedUser = kdc.qualifyUser(shortName);
    final String rootPrincipal = rootUser.getPrincipal();
    // Expected set of local users: only root at first, the new principal is added once it has connected.
    final HashSet<String> expectedUsers = Sets.newHashSet(rootPrincipal);
    // Login as the "root" user
    final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootPrincipal, rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootPrincipal);
    rootUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            final Connector rootConn = mac.getConnector(rootPrincipal, new KerberosToken());
            log.info("Created connector as {}", rootPrincipal);
            assertEquals(rootPrincipal, rootConn.whoami());
            // Make sure the system user doesn't exist -- this will force some RPC to happen server-side
            createTableWithDataAndCompact(rootConn);
            assertEquals(expectedUsers, rootConn.securityOperations().listLocalUsers());
            return null;
        }
    });
    // Switch to a new user
    final UserGroupInformation newUserUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(newQualifiedUser, newUserKeytab.getAbsolutePath());
    log.info("Logged in as {}", newQualifiedUser);
    newUserUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            final Connector newUserConn = mac.getConnector(newQualifiedUser, new KerberosToken());
            log.info("Created connector as {}", newQualifiedUser);
            assertEquals(newQualifiedUser, newUserConn.whoami());
            // The new user should have no system permissions
            for (SystemPermission perm : SystemPermission.values()) {
                assertFalse(newUserConn.securityOperations().hasSystemPermission(newQualifiedUser, perm));
            }
            // Same users as before, plus the new user we just created
            expectedUsers.add(newQualifiedUser);
            assertEquals(expectedUsers, newUserConn.securityOperations().listLocalUsers());
            return null;
        }
    });
}
Also used : SystemPermission(org.apache.accumulo.core.security.SystemPermission) Connector(org.apache.accumulo.core.client.Connector) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) File(java.io.File) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) TableExistsException(org.apache.accumulo.core.client.TableExistsException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) AccumuloException(org.apache.accumulo.core.client.AccumuloException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 5 with SystemPermission

Use of org.apache.accumulo.core.security.SystemPermission in the project accumulo by apache.

From the class KerberosIT, method testAdminUser.

@Test
public void testAdminUser() throws Exception {
    // Login as the client (provided to `accumulo init` as the "root" user)
    final String rootPrincipal = rootUser.getPrincipal();
    final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootPrincipal, rootUser.getKeytab().getAbsolutePath());
    rootUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            final Connector conn = mac.getConnector(rootPrincipal, new KerberosToken());
            final String self = conn.whoami();
            // The "root" user should have all system permissions
            for (SystemPermission perm : SystemPermission.values()) {
                assertTrue("Expected user to have permission: " + perm, conn.securityOperations().hasSystemPermission(self, perm));
            }
            // and the ability to modify the root and metadata tables
            for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
                assertTrue(conn.securityOperations().hasTablePermission(self, table, TablePermission.ALTER_TABLE));
            }
            return null;
        }
    });
}
Also used : SystemPermission(org.apache.accumulo.core.security.SystemPermission) Connector(org.apache.accumulo.core.client.Connector) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) TableExistsException(org.apache.accumulo.core.client.TableExistsException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) AccumuloException(org.apache.accumulo.core.client.AccumuloException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)
