use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testCellPermissionwithVersions.
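@Test
public void testCellPermissionwithVersions() throws Exception {
  // Two cell-level ACL maps over the same principals (usersAndGroups): one grants only WRITE,
  // the other only READ. Every version written below carries one of the two, so a reader may
  // only be returned the versions tagged with readPerms -- per-version ACLs must be enforced
  // independently even when several versions of the same cell coexist.
  final Map<String, Permission> writePerms = prepareCellPermissions(usersAndGroups, Action.WRITE);
  final Map<String, Permission> readPerms = prepareCellPermissions(usersAndGroups, Action.READ);
  // First batch, written by the owner: five versions of TEST_FAMILY1:TEST_Q1 with the ACL
  // alternating WRITE, READ, WRITE, READ, WRITE -- two of them readable.
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection connection = ConnectionFactory.createConnection(conf);
          Table t = connection.getTable(TEST_TABLE.getTableName())) {
        Put p;
        // version 1: write-only ACL (not visible to readers)
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(writePerms);
        t.put(p);
        // version 2: read ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(readPerms);
        t.put(p);
        // version 3: write-only ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(writePerms);
        t.put(p);
        // version 4: read ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(readPerms);
        t.put(p);
        // version 5: write-only ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(writePerms);
        t.put(p);
      }
      return null;
    }
  }, USER_OWNER);
  /* ---- Gets ---- */
  // Fetches up to 10 versions of TEST_ROW. The returned cell list is what the three-argument
  // verifyAllowed(user, action, n) presumably sizes against n. One action serves every read
  // below; it holds no state and opens a fresh connection per run.
  AccessTestAction getQ1 = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Get get = new Get(TEST_ROW);
      get.setMaxVersions(10);
      try (Connection connection = ConnectionFactory.createConnection(conf);
          Table t = connection.getTable(TEST_TABLE.getTableName())) {
        return t.get(get).listCells();
      }
    }
  };
  // Only the two readPerms versions may be visible. GROUP_USER and USER_OTHER are assumed to be
  // covered by usersAndGroups -- confirm against the class setup.
  verifyAllowed(GROUP_USER, getQ1, 2);
  verifyAllowed(USER_OTHER, getQ1, 2);
  // Second batch, again by the owner: three more versions with ACLs WRITE, READ, WRITE.
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection connection = ConnectionFactory.createConnection(conf);
          Table t = connection.getTable(TEST_TABLE.getTableName())) {
        Put p;
        // version 6: write-only ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(writePerms);
        t.put(p);
        // version 7: read ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(readPerms);
        t.put(p);
        // version 8: write-only ACL
        p = new Put(TEST_ROW).addColumn(TEST_FAMILY1, TEST_Q1, ZERO);
        p.setACL(writePerms);
        t.put(p);
      }
      return null;
    }
  }, USER_OWNER);
  // The expected count drops to the single readPerms version of the second batch. Why the first
  // batch no longer contributes is not visible here (a table version limit or colliding
  // timestamps are the usual reasons) -- check the table setup before changing these numbers.
  verifyAllowed(USER_OTHER, getQ1, 1);
  verifyAllowed(GROUP_USER, getQ1, 1);
}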
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLWithMultipleVersions method testCellPermissionsWithDeleteMutipleVersions.
@Test
public void testCellPermissionsWithDeleteMutipleVersions() throws Exception {
  // Row, qualifier and value constants scoped to this test.
  // NOTE(review): TEST_Q1 and ZERO shadow class-level names used by the other tests in this
  // class; confirm the values agree before removing the locals.
  final byte[] TEST_ROW1 = Bytes.toBytes("r1");
  final byte[] TEST_ROW2 = Bytes.toBytes("r2");
  final byte[] TEST_Q1 = Bytes.toBytes("q1");
  final byte[] TEST_Q2 = Bytes.toBytes("q2");
  final byte[] ZERO = Bytes.toBytes(0L);
  // Two extra users created with no group membership.
  final User user1 = User.createUserForTesting(conf, "user1", new String[0]);
  final User user2 = User.createUserForTesting(conf, "user2", new String[0]);
  // Version 1 of both rows, written by the owner: q1 and q2 carry a READ+WRITE cell ACL
  // naming user1 only.
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Permission readWrite = new Permission(Permission.Action.READ, Permission.Action.WRITE);
        Put put = new Put(TEST_ROW1)
            .addColumn(TEST_FAMILY1, TEST_Q1, ZERO)
            .addColumn(TEST_FAMILY1, TEST_Q2, ZERO);
        put.setACL(user1.getShortName(), readWrite);
        table.put(put);
        put = new Put(TEST_ROW2)
            .addColumn(TEST_FAMILY1, TEST_Q1, ZERO)
            .addColumn(TEST_FAMILY1, TEST_Q2, ZERO);
        put.setACL(user1.getShortName(), readWrite);
        table.put(put);
      }
      return null;
    }
  }, USER_OWNER);
  // Version 2 of both rows, written by user1: the cell ACL now names user1, user2 and the
  // group, all with READ+WRITE. user2 and the group therefore hold WRITE on this version only.
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        String[] principals = new String[] {
            user1.getShortName(), user2.getShortName(), AuthUtil.toGroupEntry(GROUP) };
        Map<String, Permission> perms =
            prepareCellPermissions(principals, Action.READ, Action.WRITE);
        Put put = new Put(TEST_ROW1)
            .addColumn(TEST_FAMILY1, TEST_Q1, ZERO)
            .addColumn(TEST_FAMILY1, TEST_Q2, ZERO);
        put.setACL(perms);
        table.put(put);
        put = new Put(TEST_ROW2)
            .addColumn(TEST_FAMILY1, TEST_Q1, ZERO)
            .addColumn(TEST_FAMILY1, TEST_Q2, ZERO);
        put.setACL(perms);
        table.put(put);
      }
      return null;
    }
  }, user1);
  // user1 holds WRITE on every version of TEST_ROW1's cells, so deleting all versions of
  // q1 and q2 must succeed (a denial would surface as an exception from runAs).
  user1.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Delete delete = new Delete(TEST_ROW1);
        delete.addColumns(TEST_FAMILY1, TEST_Q1);
        delete.addColumns(TEST_FAMILY1, TEST_Q2);
        table.delete(delete);
      }
      return null;
    }
  });
  // user2 and GROUP_USER hold WRITE on only one of the two versions of TEST_ROW2's cells, so a
  // delete spanning all versions must be refused for both.
  verifyUserDeniedForDeleteMultipleVersions(user2, TEST_ROW2, TEST_Q1, TEST_Q2);
  verifyUserDeniedForDeleteMultipleVersions(GROUP_USER, TEST_ROW2, TEST_Q1, TEST_Q2);
  // user1 may drop the whole family for TEST_ROW2 (every cell under it).
  user1.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        Delete delete = new Delete(TEST_ROW2);
        delete.addFamily(TEST_FAMILY1);
        table.delete(delete);
      }
      return null;
    }
  });
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestCellACLs method testCoveringCheck.
/**
 * Ensure that the covering check does not grant access when the scan for covered cells finds
 * no cells at all: a principal holding only READ must be denied a write both before the cell
 * exists and after the owner has written it.
 */
@Test(timeout = 120000)
public void testCoveringCheck() throws Exception {
  // READ on TEST_FAMILY for USER_OTHER directly and for GROUP_USER through group GROUP.
  grantOnTable(TEST_UTIL, USER_OTHER.getShortName(), TEST_TABLE.getTableName(), TEST_FAMILY, null, Action.READ);
  grantOnTable(TEST_UTIL, AuthUtil.toGroupEntry(GROUP), TEST_TABLE.getTableName(), TEST_FAMILY, null, Action.READ);
  // No cell exists yet. A covering check that read "no covered cells" as "nothing forbids
  // this" would wrongly let these writes through -- they must be denied.
  verifyUserDeniedForWrite(USER_OTHER, ZERO);
  verifyUserDeniedForWrite(GROUP_USER, ZERO);
  // The owner creates the cell.
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table table = conn.getTable(TEST_TABLE.getTableName())) {
        table.put(new Put(TEST_ROW).addColumn(TEST_FAMILY, TEST_Q1, ZERO));
      }
      return null;
    }
  }, USER_OWNER);
  // With the cell present the verdicts must be unchanged: writes still denied ...
  verifyUserDeniedForWrite(USER_OTHER, ONE);
  verifyUserDeniedForWrite(GROUP_USER, ONE);
  // ... and reads allowed, as granted above.
  verifyUserAllowedForRead(USER_OTHER);
  verifyUserAllowedForRead(GROUP_USER);
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestAccessController method testTableDescriptorsEnumeration.
@Test(timeout = 180000)
public void testTableDescriptorsEnumeration() throws Exception {
  // A throwaway user holding ADMIN on TEST_TABLE only. The grant is undone in the finally
  // block so later tests in this class do not inherit it.
  User tableAdmin = User.createUserForTesting(conf, "UserA", new String[0]);
  grantOnTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE, null, null, Permission.Action.ADMIN);
  try {
    // Enumerates tables through the admin API; the list is returned so verifyIfEmptyList can
    // check that unprivileged callers see nothing rather than being rejected.
    AccessTestAction listTablesAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
            Admin admin = connection.getAdmin()) {
          return Arrays.asList(admin.listTables());
        }
      }
    };
    // Fetches the descriptor of one table; here unprivileged callers are expected to be denied.
    AccessTestAction getTableDescAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
            Admin admin = connection.getAdmin()) {
          return admin.getTableDescriptor(TEST_TABLE);
        }
      }
    };
    verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, tableAdmin, USER_GROUP_CREATE, USER_GROUP_ADMIN);
    verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
    verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, tableAdmin, USER_GROUP_CREATE, USER_GROUP_ADMIN);
    verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
  } finally {
    // Cleanup: revoke the temporary ADMIN grant.
    revokeFromTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE, null, null, Permission.Action.ADMIN);
  }
}
use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.
the class TestAccessController method testPostGrantRevoke.
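@Test(timeout = 180000)
public void testPostGrantRevoke() throws Exception {
  final TableName tableName = TableName.valueOf("TempTable");
  final byte[] family1 = Bytes.toBytes("f1");
  final byte[] family2 = Bytes.toBytes("f2");
  final byte[] qualifier = Bytes.toBytes("q");
  final byte[] value1 = Bytes.toBytes("v1");
  final byte[] value2 = Bytes.toBytes("v2");
  // Create the scratch table, replacing any leftover from an earlier run.
  Admin admin = TEST_UTIL.getAdmin();
  if (admin.tableExists(tableName)) {
    deleteTable(TEST_UTIL, tableName);
  }
  HTableDescriptor htd = new HTableDescriptor(tableName);
  htd.addFamily(new HColumnDescriptor(family1));
  htd.addFamily(new HColumnDescriptor(family2));
  createTable(TEST_UTIL, htd);
  try {
    // Temp users: tblUser receives table/family-scoped grants, gblUser global ones.
    User tblUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]);
    User gblUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]);
    // Prepare actions. Each opens its own connection inside run(), so the request is
    // presumably authorized as whichever user the verify helpers run it as.
    AccessTestAction putActionAll = newPutAction(tableName, qualifier,
        new byte[][] { family1, family2 }, new byte[][] { value1, value2 });
    AccessTestAction putAction1 = newPutAction(tableName, qualifier,
        new byte[][] { family1 }, new byte[][] { value1 });
    AccessTestAction putAction2 = newPutAction(tableName, qualifier,
        new byte[][] { family2 }, new byte[][] { value2 });
    AccessTestAction getActionAll = newGetAction(tableName, family1, family2);
    AccessTestAction getAction1 = newGetAction(tableName, family1);
    AccessTestAction getAction2 = newGetAction(tableName, family2);
    AccessTestAction deleteActionAll = newDeleteAction(tableName, family1, family2);
    AccessTestAction deleteAction1 = newDeleteAction(tableName, family1);
    AccessTestAction deleteAction2 = newDeleteAction(tableName, family2);
    // Initial check: with no grants at all, everything is denied for both users.
    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
    // Grant READ: globally to gblUser, on the whole table to tblUser.
    grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ);
    grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ);
    // Reads now pass; mutations are still denied.
    verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
    verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
    // Grant WRITE at the same scopes. No explicit revoke precedes it: the verifyDenied on the
    // gets just below shows the new grant replaced the earlier READ grant rather than
    // accumulating with it.
    grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE);
    grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.WRITE);
    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(tblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2);
    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
    // Revoke everything again; both users are back to fully denied.
    revokeGlobal(TEST_UTIL, gblUser.getShortName());
    revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null);
    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
    // READ on family1 only for tblUser (global READ again for gblUser).
    grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ);
    grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family1, null, Permission.Action.READ);
    // tblUser: family2 stays denied, including the get that touches both families.
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
    verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
    // WRITE on family2 for tblUser (global WRITE for gblUser, replacing its READ).
    grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE);
    grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null, Permission.Action.WRITE);
    // tblUser: READ on family1 and WRITE on family2 coexist; anything spanning both families
    // or crossing scopes is denied.
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyAllowed(tblUser, putAction2, deleteAction2);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1);
    verifyDenied(tblUser, deleteActionAll, deleteAction1);
    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
    // Revoke the family2 grant and all global grants.
    revokeGlobal(TEST_UTIL, gblUser.getShortName());
    revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null);
    // Revoking family2 must not disturb the family1 READ grant.
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
    // gblUser has no global permissions left and is fully denied.
    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
  } finally {
    // Drop the scratch table even if an assertion above failed.
    deleteTable(TEST_UTIL, tableName);
  }
}

/**
 * Builds an action that writes row {@code "a"} of {@code tableName}, one cell per family:
 * {@code families[i]} receives {@code values[i]} under {@code qualifier}. A fresh connection is
 * opened on every run so each invocation is authorized as the user running the action.
 *
 * @throws IllegalArgumentException if {@code families} and {@code values} differ in length
 */
private AccessTestAction newPutAction(final TableName tableName, final byte[] qualifier,
    final byte[][] families, final byte[][] values) {
  if (families.length != values.length) {
    throw new IllegalArgumentException(
        "families/values length mismatch: " + families.length + " vs " + values.length);
  }
  return new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Put p = new Put(Bytes.toBytes("a"));
      for (int i = 0; i < families.length; i++) {
        p.addColumn(families[i], qualifier, values[i]);
      }
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(tableName)) {
        t.put(p);
      }
      return null;
    }
  };
}

/**
 * Builds an action that reads the given families of {@code TEST_ROW} from {@code tableName}.
 * NOTE(review): reads and deletes target TEST_ROW while the puts write row "a"; the grants
 * exercised here are table- and family-scoped, so the row does not affect the verdicts.
 */
private AccessTestAction newGetAction(final TableName tableName, final byte[]... families) {
  return new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Get g = new Get(TEST_ROW);
      for (byte[] family : families) {
        g.addFamily(family);
      }
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(tableName)) {
        t.get(g);
      }
      return null;
    }
  };
}

/**
 * Builds an action that deletes the given families of {@code TEST_ROW} from {@code tableName}.
 */
private AccessTestAction newDeleteAction(final TableName tableName, final byte[]... families) {
  return new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      Delete d = new Delete(TEST_ROW);
      for (byte[] family : families) {
        d.addFamily(family);
      }
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table t = conn.getTable(tableName)) {
        t.delete(d);
      }
      return null;
    }
  };
}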