use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testCellPermissionsForCheckAndDelete.
/**
 * Exercises {@code checkAndDelete} on a row whose cell versions carry different ACLs.
 *
 * <p>As USER_OWNER the test writes row "r1" in TEST_FAMILY1:
 * <ul>
 *   <li>TS=120: q1, q2, q3 with READ/WRITE for user1, user2, the GROUP entry and the owner;</li>
 *   <li>TS=123: q1, q2, q3 with READ/WRITE for user1 and the owner only;</li>
 *   <li>TS=127: q1 with READ/WRITE for user1, user2 and the GROUP entry; q2 with READ for user2;
 *       q3 with READ for the GROUP entry.</li>
 * </ul>
 * The allow/deny checks for user2 and GROUP_USER are delegated to helpers defined elsewhere in
 * the class.
 */
@Test
public void testCellPermissionsForCheckAndDelete() throws Exception {
  final byte[] row1 = Bytes.toBytes("r1");
  final byte[] q3 = Bytes.toBytes("q3");
  final byte[] zero = Bytes.toBytes(0L);
  final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
  final User user2 = User.createUserForTesting(conf, "user2", new String[0]);

  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      // A single try-with-resources closes the table first and the connection second.
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Map<String, Permission> rwUser1Owner = prepareCellPermissions(
            new String[] { user1.getShortName(), USER_OWNER.getShortName() },
            Action.READ, Action.WRITE);
        Map<String, Permission> rwUser1User2GroupOwner = prepareCellPermissions(
            new String[] { user1.getShortName(), user2.getShortName(),
                AuthUtil.toGroupEntry(GROUP), USER_OWNER.getShortName() },
            Action.READ, Action.WRITE);
        Map<String, Permission> rwUser1User2Group = prepareCellPermissions(
            new String[] { user1.getShortName(), user2.getShortName(),
                AuthUtil.toGroupEntry(GROUP) },
            Action.READ, Action.WRITE);

        // Oldest version (TS=120): every principal under test may read and write.
        Put ts120 = new Put(row1)
            .addColumn(TEST_FAMILY1, TEST_Q1, 120L, zero)
            .addColumn(TEST_FAMILY1, TEST_Q2, 120L, zero)
            .addColumn(TEST_FAMILY1, q3, 120L, zero);
        ts120.setACL(rwUser1User2GroupOwner);
        table.put(ts120);

        // Middle version (TS=123): only user1 and the owner are listed.
        Put ts123 = new Put(row1)
            .addColumn(TEST_FAMILY1, TEST_Q1, 123L, zero)
            .addColumn(TEST_FAMILY1, TEST_Q2, 123L, zero)
            .addColumn(TEST_FAMILY1, q3, 123L, zero);
        ts123.setACL(rwUser1Owner);
        table.put(ts123);

        // Newest version (TS=127): one put per column, each with its own ACL.
        Put q1Latest = new Put(row1).addColumn(TEST_FAMILY1, TEST_Q1, 127L, zero);
        q1Latest.setACL(rwUser1User2Group);
        table.put(q1Latest);

        Put q2Latest = new Put(row1).addColumn(TEST_FAMILY1, TEST_Q2, 127L, zero);
        q2Latest.setACL(user2.getShortName(), new Permission(Permission.Action.READ));
        table.put(q2Latest);

        Put q3Latest = new Put(row1).addColumn(TEST_FAMILY1, q3, 127L, zero);
        q3Latest.setACL(AuthUtil.toGroupEntry(GROUP), new Permission(Permission.Action.READ));
        table.put(q3Latest);
      }
      return null;
    }
  }, USER_OWNER);

  // user1 holds READ on the newest q1 cell and WRITE on every q1 version written above, so the
  // checkAndDelete is expected to complete without throwing. The return value of
  // checkAndDelete is not inspected here.
  user1.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Delete upTo120 = new Delete(row1);
        upTo120.addColumns(TEST_FAMILY1, TEST_Q1, 120L);
        table.checkAndDelete(row1, TEST_FAMILY1, TEST_Q1, zero, upTo120);
      }
      return null;
    }
  });

  // user2 must be denied: it has READ/WRITE on the newest version cell but is not listed in the
  // ACL of the TS=123 version.
  verifyUserDeniedForCheckAndDelete(user2, row1, zero);

  // GROUP_USER must be denied for the same reason: READ/WRITE on the newest version cell, no
  // entry on the TS=123 version.
  verifyUserDeniedForCheckAndDelete(GROUP_USER, row1, zero);

  // user2 must be allowed when the delete targets the old TS=120 version of q2: user2 has READ
  // (no WRITE) on the newest q2 cell and WRITE on the TS=120 cell.
  verifyUserAllowedforCheckAndDelete(user2, row1, TEST_Q2, zero);

  // GROUP_USER must be allowed when the delete targets the old TS=120 version of q3: the group
  // entry has READ (no WRITE) on the newest q3 cell and WRITE on the TS=120 cell.
  verifyUserAllowedforCheckAndDelete(GROUP_USER, row1, q3, zero);
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testCellPermissionsWithDeleteWithUserTs.
/**
 * Checks that a delete carrying a user-supplied timestamp is authorized against the ACLs of the
 * cell versions written by this test.
 *
 * <p>USER_OTHER2 is listed only in the ACL of the TS=123 version; the TS=125 and TS=127 versions
 * list USER_OTHER and the GROUP entry. Both deletes issued as USER_OTHER2 use timestamp 124 and
 * are expected to complete without throwing.
 */
@Test
public void testCellPermissionsWithDeleteWithUserTs() throws Exception {
  USER_OWNER.runAs(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        // TS=123: READ/WRITE for USER_OTHER, the GROUP entry and USER_OTHER2.
        Put ts123 = new Put(TEST_ROW)
            .addColumn(TEST_FAMILY1, TEST_Q1, 123L, ZERO)
            .addColumn(TEST_FAMILY1, TEST_Q2, 123L, ZERO);
        ts123.setACL(prepareCellPermissions(
            new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP),
                USER_OTHER2.getShortName() },
            Permission.Action.READ, Permission.Action.WRITE));
        table.put(ts123);

        // TS=125: READ/WRITE for USER_OTHER and the GROUP entry; USER_OTHER2 is not listed.
        Put ts125 = new Put(TEST_ROW)
            .addColumn(TEST_FAMILY1, TEST_Q1, 125L, ONE)
            .addColumn(TEST_FAMILY1, TEST_Q2, 125L, ONE);
        ts125.setACL(prepareCellPermissions(
            new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) },
            Action.READ, Action.WRITE));
        table.put(ts125);

        // TS=127: same ACL as TS=125.
        Put ts127 = new Put(TEST_ROW)
            .addColumn(TEST_FAMILY1, TEST_Q1, 127L, TWO)
            .addColumn(TEST_FAMILY1, TEST_Q2, 127L, TWO);
        ts127.setACL(prepareCellPermissions(
            new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) },
            Action.READ, Action.WRITE));
        table.put(ts127);
        return null;
      }
    }
  });

  // USER_OTHER2 should be allowed to delete the f1:q1 versions older than TS 124; here the
  // timestamp is given on the Delete itself.
  USER_OTHER2.runAs(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Delete rowLevelTs = new Delete(TEST_ROW, 124L);
        rowLevelTs.addColumns(TEST_FAMILY1, TEST_Q1);
        table.delete(rowLevelTs);
      }
      return null;
    }
  });

  // USER_OTHER2 should be allowed to delete the f1:q2 versions older than TS 124; here the
  // timestamp is given on the column instead of on the Delete.
  USER_OTHER2.runAs(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Delete columnLevelTs = new Delete(TEST_ROW);
        columnLevelTs.addColumns(TEST_FAMILY1, TEST_Q2, 124L);
        table.delete(columnLevelTs);
      }
      return null;
    }
  });
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testDeleteWithFutureTimestamp.
/**
 * Verifies that a read-only cell ACL stored at a future timestamp does not block a family delete
 * issued now, and that the future-dated cell survives that delete.
 *
 * <p>USER_OWNER stores q2 in both families at the server's current time with READ/WRITE for
 * {@code usersAndGroups}, then stores f1:q1 one million milliseconds ahead with a READ-only ACL
 * for USER_OTHER and the GROUP entry.
 */
@Test
public void testDeleteWithFutureTimestamp() throws Exception {
  // Store two kinds of value: current-time cells and one cell in the future.
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        // No explicit timestamp on these puts, so the server assigns the current time.
        Put nowFamily1 = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q2, ONE);
        Map<String, Permission> rwPerms =
            prepareCellPermissions(usersAndGroups, Action.READ, Action.WRITE);
        nowFamily1.setACL(rwPerms);
        table.put(nowFamily1);

        Put nowFamily2 = new Put(TEST_ROW).addColumn(TEST_FAMILY2, TEST_Q2, ONE);
        nowFamily2.setACL(rwPerms);
        table.put(nowFamily2);
        LOG.info("Stored at current time");

        // READ-only ACL on a cell whose timestamp lies in the future.
        Put future = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1,
            EnvironmentEdgeManager.currentTime() + 1000000, ZERO);
        future.setACL(prepareCellPermissions(
            new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) },
            Action.READ));
        table.put(future);
      }
      return null;
    }
  }, USER_OWNER);

  // Read actions used both before and after the deletes.
  AccessTestAction readQ1 = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Get request = new Get(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1);
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        return table.get(request).listCells();
      }
    }
  };
  AccessTestAction readQ2 = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Get request = new Get(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q2);
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        return table.get(request).listCells();
      }
    }
  };

  // Confirm both stores are visible to the owner, USER_OTHER and GROUP_USER.
  verifyAllowed(readQ1, USER_OWNER, USER_OTHER, GROUP_USER);
  verifyAllowed(readQ2, USER_OWNER, USER_OTHER, GROUP_USER);

  // A family DELETE should succeed for principals that only have READ on the future cell,
  // because the future-dated ACL is not considered when the delete is authorized.
  AccessTestAction dropFamily1 = getDeleteFamilyAction(TEST_FAMILY1);
  AccessTestAction dropFamily2 = getDeleteFamilyAction(TEST_FAMILY2);
  verifyAllowed(dropFamily1, USER_OTHER);
  verifyAllowed(dropFamily2, GROUP_USER);

  // The future put should still exist after the delete.
  verifyAllowed(readQ1, USER_OWNER, USER_OTHER, GROUP_USER);

  // The current-time put should now be covered by the tombstone.
  verifyIfNull(readQ2, USER_OTHER, GROUP_USER);
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testCellPermissionsWithDeleteExactVersion.
/**
 * Checks authorization of deletes that name exact cell versions.
 *
 * <p>As USER_OWNER the test writes row "r1" with these ACLs (all READ/WRITE):
 * <ul>
 *   <li>f1:q1 at TS=123 and f1:q2 at TS=127: user1 and the owner;</li>
 *   <li>f1:q2 at TS=123 and f1:q1 at TS=127: user2, the GROUP entry and the owner;</li>
 *   <li>f2:q1 and f2:q2 at TS=123: user2, the GROUP entry and the owner;</li>
 *   <li>f2:q1 and f2:q2 at TS=125 and TS=129: user1 and the owner.</li>
 * </ul>
 * user1's delete is expected to pass; the matching checks for user2 and GROUP_USER are done by
 * a helper defined elsewhere in the class.
 */
@Test
public void testCellPermissionsWithDeleteExactVersion() throws Exception {
  final byte[] row1 = Bytes.toBytes("r1");
  final byte[] q1 = Bytes.toBytes("q1");
  final byte[] q2 = Bytes.toBytes("q2");
  final byte[] zero = Bytes.toBytes(0L);
  final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
  final User user2 = User.createUserForTesting(conf, "user2", new String[0]);

  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Map<String, Permission> rwUser1Owner = prepareCellPermissions(
            new String[] { user1.getShortName(), USER_OWNER.getShortName() },
            Action.READ, Action.WRITE);
        Map<String, Permission> rwUser2GroupOwner = prepareCellPermissions(
            new String[] { user2.getShortName(), AuthUtil.toGroupEntry(GROUP),
                USER_OWNER.getShortName() },
            Action.READ, Action.WRITE);

        // Family 1 at TS=123: q1 belongs to user1, q2 to user2 and the group.
        Put f1q1At123 = new Put(row1).addColumn(TEST_FAMILY1, q1, 123L, zero);
        f1q1At123.setACL(rwUser1Owner);
        table.put(f1q1At123);

        Put f1q2At123 = new Put(row1).addColumn(TEST_FAMILY1, q2, 123L, zero);
        f1q2At123.setACL(rwUser2GroupOwner);
        table.put(f1q2At123);

        // Family 2 at TS=123 (user2 and the group) and at TS=125 (user1).
        Put f2At123 = new Put(row1)
            .addColumn(TEST_FAMILY2, q1, 123L, zero)
            .addColumn(TEST_FAMILY2, q2, 123L, zero);
        f2At123.setACL(rwUser2GroupOwner);
        table.put(f2At123);

        Put f2At125 = new Put(row1)
            .addColumn(TEST_FAMILY2, q1, 125L, zero)
            .addColumn(TEST_FAMILY2, q2, 125L, zero);
        f2At125.setACL(rwUser1Owner);
        table.put(f2At125);

        // Family 1 at TS=127: the ownership of q1 and q2 is swapped relative to TS=123.
        Put f1q1At127 = new Put(row1).addColumn(TEST_FAMILY1, q1, 127L, zero);
        f1q1At127.setACL(rwUser2GroupOwner);
        table.put(f1q1At127);

        Put f1q2At127 = new Put(row1).addColumn(TEST_FAMILY1, q2, 127L, zero);
        f1q2At127.setACL(rwUser1Owner);
        table.put(f1q2At127);

        // Family 2 at TS=129: user1 again.
        Put f2At129 = new Put(row1)
            .addColumn(TEST_FAMILY2, q1, 129L, zero)
            .addColumn(TEST_FAMILY2, q2, 129L, zero);
        f2At129.setACL(rwUser1Owner);
        table.put(f2At129);
      }
      return null;
    }
  }, USER_OWNER);

  // user1 should be allowed to run this delete: it names f1:q1 at TS=123, f1:q2 without a
  // timestamp, and the family-2 version at TS=125. user1 has WRITE on f1:q1 at 123, on the
  // newest f1:q2 cell (TS=127) and on the family-2 cells at 125.
  // NOTE(review): presumably addColumn without a timestamp targets only the newest version -
  // confirm against the Delete API.
  user1.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Delete exact = new Delete(row1);
        exact.addColumn(TEST_FAMILY1, q1, 123L);
        exact.addColumn(TEST_FAMILY1, q2);
        exact.addFamilyVersion(TEST_FAMILY2, 125L);
        table.delete(exact);
      }
      return null;
    }
  });

  // The same kind of request must be refused for user2 and for GROUP_USER.
  verifyUserDeniedForDeleteExactVersion(user2, row1, q1, q2);
  verifyUserDeniedForDeleteExactVersion(GROUP_USER, row1, q1, q2);
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testCellPermissionsForPutWithMultipleVersions.
/**
 * Checks authorization of a Put that lands on top of older cell versions carrying different
 * ACLs.
 *
 * <p>As USER_OWNER the test writes row "r1" in TEST_FAMILY1: q1 at TS=123 and q2 at TS=127 with
 * the user1/owner ACL, q2 at TS=123 and q1 at TS=127 with the wider ACL built below. user1's
 * follow-up Put is expected to pass; the matching checks for user2 and GROUP_USER are done by a
 * helper defined elsewhere in the class.
 */
@Test
public void testCellPermissionsForPutWithMultipleVersions() throws Exception {
  final byte[] row1 = Bytes.toBytes("r1");
  final byte[] q1 = Bytes.toBytes("q1");
  final byte[] q2 = Bytes.toBytes("q2");
  final byte[] zero = Bytes.toBytes(0L);
  final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
  final User user2 = User.createUserForTesting(conf, "user2", new String[0]);

  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Map<String, Permission> rwUser1Owner = prepareCellPermissions(
            new String[] { user1.getShortName(), USER_OWNER.getShortName() },
            Action.READ, Action.WRITE);

        // This map is seeded with user1, the GROUP entry and the owner; user2 and the owner are
        // then put explicitly with READ/WRITE. user1 is therefore also granted by this ACL.
        // NOTE(review): assuming prepareCellPermissions creates one entry per listed name, the
        // second owner put repeats an entry that already exists - confirm.
        Map<String, Permission> rwUser1User2GroupOwner = prepareCellPermissions(
            new String[] { user1.getShortName(), AuthUtil.toGroupEntry(GROUP),
                USER_OWNER.getShortName() },
            Action.READ, Action.WRITE);
        rwUser1User2GroupOwner.put(user2.getShortName(),
            new Permission(Permission.Action.READ, Permission.Action.WRITE));
        rwUser1User2GroupOwner.put(USER_OWNER.getShortName(),
            new Permission(Permission.Action.READ, Permission.Action.WRITE));

        // TS=123: q1 with the narrow ACL, q2 with the wide one.
        Put q1At123 = new Put(row1).addColumn(TEST_FAMILY1, q1, 123L, zero);
        q1At123.setACL(rwUser1Owner);
        table.put(q1At123);

        Put q2At123 = new Put(row1).addColumn(TEST_FAMILY1, q2, 123L, zero);
        q2At123.setACL(rwUser1User2GroupOwner);
        table.put(q2At123);

        // TS=127: the two ACLs are swapped between q1 and q2.
        Put q1At127 = new Put(row1).addColumn(TEST_FAMILY1, q1, 127L, zero);
        q1At127.setACL(rwUser1User2GroupOwner);
        table.put(q1At127);

        Put q2At127 = new Put(row1).addColumn(TEST_FAMILY1, q2, 127L, zero);
        q2At127.setACL(rwUser1Owner);
        table.put(q2At127);
      }
      return null;
    }
  }, USER_OWNER);

  // user1 writes q1 at TS=125, which covers the old TS=123 cell on which user1 has READ/WRITE.
  // q2 is written without a timestamp, so it gets the latest one and covers the TS=127 cell, on
  // which user1 has READ/WRITE as well. The new cells carry a READ/WRITE ACL for user2.
  user1.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Put overlay = new Put(row1)
            .addColumn(TEST_FAMILY1, q1, 125L, zero)
            .addColumn(TEST_FAMILY1, q2, zero);
        overlay.setACL(user2.getShortName(),
            new Permission(Permission.Action.READ, Permission.Action.WRITE));
        table.put(overlay);
      }
      return null;
    }
  });

  // The equivalent Put must be refused for user2 and for GROUP_USER.
  verifyUserDeniedForPutMultipleVersions(user2, row1, q1, q2, zero);
  verifyUserDeniedForPutMultipleVersions(GROUP_USER, row1, q1, q2, zero);
}