Use of org.apache.hadoop.hbase.client.Connection in project hbase by apache: class TestAccessController, method testGrantRevoke.
@Test(timeout = 180000)
public void testGrantRevoke() throws Exception {
  // Every action below runs as the user handed to verifyAllowed/verifyDenied and reaches the
  // AccessControlService coprocessor through the ACL table. What is exercised is therefore who may
  // change or inspect the access policy itself, not who may read TEST_TABLE's data.
  AccessTestAction grantReadToRoUser = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        AccessControlService.BlockingInterface protocol = aclStub(acl, TEST_TABLE.getName());
        AccessControlUtil.grant(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, false, Action.READ);
      }
      return null;
    }
  };
  AccessTestAction revokeReadFromRoUser = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        AccessControlService.BlockingInterface protocol = aclStub(acl, TEST_TABLE.getName());
        AccessControlUtil.revoke(null, protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Action.READ);
      }
      return null;
    }
  };
  AccessTestAction listTablePermissions = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        AccessControlService.BlockingInterface protocol = aclStub(acl, TEST_TABLE.getName());
        AccessControlUtil.getUserPermissions(null, protocol, TEST_TABLE);
      }
      return null;
    }
  };
  AccessTestAction listGlobalPermissions = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf);
          Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
        // Global permissions are addressed through the empty row rather than a table name.
        AccessControlService.BlockingInterface protocol = aclStub(acl, HConstants.EMPTY_START_ROW);
        AccessControlUtil.getUserPermissions(null, protocol);
      }
      return null;
    }
  };

  // Granting is an admin-level operation: superuser, global admin, the table owner and members of
  // the admin group succeed; everyone holding only data-level rights is refused.
  verifyAllowed(grantReadToRoUser, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
  verifyDenied(grantReadToRoUser, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
  try {
    verifyAllowed(revokeReadFromRoUser, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
    verifyDenied(revokeReadFromRoUser, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
    verifyAllowed(listTablePermissions, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
    verifyDenied(listTablePermissions, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
    // Listing global permissions is narrower still: the table owner is denied here.
    verifyAllowed(listGlobalPermissions, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
    verifyDenied(listGlobalPermissions, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
  } finally {
    // The successful revokes above stripped USER_RO's READ on TEST_FAMILY; put it back so later
    // tests still find the fixture they expect.
    grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
  }
}

/**
 * Builds a blocking AccessControlService stub on the ACL table's coprocessor endpoint, addressed
 * by {@code row} (a table name for table-scoped calls, the empty row for global ones).
 * {@code acl} must remain open for as long as the returned stub is used.
 */
private static AccessControlService.BlockingInterface aclStub(Table acl, byte[] row) {
  BlockingRpcChannel channel = acl.coprocessorService(row);
  return AccessControlService.newBlockingStub(channel);
}
Use of org.apache.hadoop.hbase.client.Connection in project hbase by apache: class TestAccessController2, method testACLTableAccess.
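@Test(timeout = 180000)
public void testACLTableAccess() throws Exception {
  final Configuration conf = TEST_UTIL.getConfiguration();
  // The ACL table is the policy store, so access to it is deliberately narrower than to ordinary
  // tables: only a *global* READ or WRITE grant (or superuser) opens it. Grants scoped to
  // TEST_TABLE or its namespace, and global CREATE/ADMIN, must not leak into read or write access
  // on the ACL table itself. The users below cover every one of those combinations.
  // Superuser
  User superUser = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  // Global users
  User globalRead = User.createUserForTesting(conf, "globalRead", new String[0]);
  User globalWrite = User.createUserForTesting(conf, "globalWrite", new String[0]);
  User globalCreate = User.createUserForTesting(conf, "globalCreate", new String[0]);
  User globalAdmin = User.createUserForTesting(conf, "globalAdmin", new String[0]);
  SecureTestUtil.grantGlobal(TEST_UTIL, globalRead.getShortName(), Action.READ);
  SecureTestUtil.grantGlobal(TEST_UTIL, globalWrite.getShortName(), Action.WRITE);
  SecureTestUtil.grantGlobal(TEST_UTIL, globalCreate.getShortName(), Action.CREATE);
  SecureTestUtil.grantGlobal(TEST_UTIL, globalAdmin.getShortName(), Action.ADMIN);
  // Namespace users
  User nsRead = User.createUserForTesting(conf, "nsRead", new String[0]);
  User nsWrite = User.createUserForTesting(conf, "nsWrite", new String[0]);
  User nsCreate = User.createUserForTesting(conf, "nsCreate", new String[0]);
  User nsAdmin = User.createUserForTesting(conf, "nsAdmin", new String[0]);
  SecureTestUtil.grantOnNamespace(TEST_UTIL, nsRead.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.READ);
  SecureTestUtil.grantOnNamespace(TEST_UTIL, nsWrite.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.WRITE);
  SecureTestUtil.grantOnNamespace(TEST_UTIL, nsCreate.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.CREATE);
  SecureTestUtil.grantOnNamespace(TEST_UTIL, nsAdmin.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.ADMIN);
  // Table users
  User tableRead = User.createUserForTesting(conf, "tableRead", new String[0]);
  User tableWrite = User.createUserForTesting(conf, "tableWrite", new String[0]);
  User tableCreate = User.createUserForTesting(conf, "tableCreate", new String[0]);
  User tableAdmin = User.createUserForTesting(conf, "tableAdmin", new String[0]);
  SecureTestUtil.grantOnTable(TEST_UTIL, tableRead.getShortName(), TEST_TABLE.getTableName(), null, null, Action.READ);
  SecureTestUtil.grantOnTable(TEST_UTIL, tableWrite.getShortName(), TEST_TABLE.getTableName(), null, null, Action.WRITE);
  SecureTestUtil.grantOnTable(TEST_UTIL, tableCreate.getShortName(), TEST_TABLE.getTableName(), null, null, Action.CREATE);
  SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE.getTableName(), null, null, Action.ADMIN);
  // NOTE(review): the per-user grants above are never revoked in this method; presumably the
  // class-level teardown resets ACL state — confirm before relying on test ordering.

  // Group-level global WRITE is granted only for the duration of the write checks.
  grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
  try {
    // Write tests: a single put into the ACL table's list family.
    AccessTestAction writeAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        try (Connection conn = ConnectionFactory.createConnection(conf);
            Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
          t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, TEST_VALUE));
        }
        return null;
      }
    };
    // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
    verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
    verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
    verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
    verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
  } finally {
    revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
  }

  // Group-level global READ is granted only for the duration of the read checks.
  grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
  try {
    // Read tests: open a full scan of the ACL table and drain it. The rows themselves are
    // irrelevant; only whether the scan is permitted matters.
    AccessTestAction scanAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        try (Connection conn = ConnectionFactory.createConnection(conf);
            Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME);
            ResultScanner s = t.getScanner(new Scan())) {
          while (s.next() != null) {
            // drain; nothing to do with the rows
          }
        }
        return null;
      }
    };
    // All reads from ACL table denied except for GLOBAL READ and superuser
    verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
    verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
    verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
    verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
  } finally {
    revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
  }
}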
Use of org.apache.hadoop.hbase.client.Connection in project hbase by apache: class TestAccessController2, method testCreateWithCorrectOwner.
@Test(timeout = 180000)
public void testCreateWithCorrectOwner() throws Exception {
  // A user holding nothing but global CREATE creates TEST_TABLE through a connection authenticated
  // as that user; afterwards the ACL table must record that user as owner with full rights.
  final User creator = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser", new String[0]);
  SecureTestUtil.grantGlobal(TEST_UTIL, creator.getShortName(), Action.CREATE);
  AccessTestAction createTableAsCreator = new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
      desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
      try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), creator);
          Admin admin = connection.getAdmin()) {
        createTable(TEST_UTIL, admin, desc);
      }
      return null;
    }
  };
  verifyAllowed(createTableAsCreator, creator);
  TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName());

  // The creator must have been given owner permissions on the new table.
  List<TablePermission> ownerPerms = AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).get(creator.getShortName());
  assertNotNull(ownerPerms);
  assertFalse(ownerPerms.isEmpty());
  // Owner rights are the full set: READ, WRITE, EXEC, CREATE, ADMIN (RWXCA).
  TablePermission first = ownerPerms.get(0);
  Permission.Action[] expectedOwnerActions = {
      Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC,
      Permission.Action.CREATE, Permission.Action.ADMIN };
  for (Permission.Action action : expectedOwnerActions) {
    assertTrue(first.implies(action));
  }
}
Use of org.apache.hadoop.hbase.client.Connection in project hbase by apache: class ExpAsStringVisibilityLabelServiceImpl, method getUserAuths.
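/**
 * Returns the visibility authorizations stored for {@code user}: every column qualifier found in
 * the user's row of the labels table is one authorization label.
 *
 * @param user       row key of the user in the labels table
 * @param systemCall whether the caller is the system itself rather than a client request
 * @return the user's labels, empty (never null) when the row is absent
 * @throws IOException on failure reading the labels table, locally or over the wire
 */
@Override
public List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException {
  // Only a system call is expected to arrive here without a co-located labels region. This is a
  // plain assert, so it is not enforced when assertions are disabled at runtime.
  assert (labelsRegion != null || systemCall);
  List<String> auths = new ArrayList<>();
  Get get = new Get(user);
  List<Cell> cells;
  if (labelsRegion == null) {
    // No local region: read through a client connection. try-with-resources closes the table and
    // then the connection even if one close() throws, instead of leaking the connection.
    try (Connection connection = ConnectionFactory.createConnection(conf);
        Table table = connection.getTable(VisibilityConstants.LABELS_TABLE_NAME)) {
      cells = table.get(get).listCells();
    }
  } else {
    cells = this.labelsRegion.get(get, false);
  }
  // Either path may yield null for a user with no row; treat that as "no auths".
  if (cells != null) {
    for (Cell cell : cells) {
      auths.add(Bytes.toString(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength()));
    }
  }
  return auths;
}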
Use of org.apache.hadoop.hbase.client.Connection in project hbase by apache: class TestDefaultScanLabelGeneratorStack, method testDefaultScanLabelGeneratorStack.
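@Test
public void testDefaultScanLabelGeneratorStack() throws Exception {
  final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
  // Seed ROW_1 as superuser: Q1 is labelled SECRET, Q2 CONFIDENTIAL, Q3 carries no label.
  SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      // The connection is opened as in the original but the puts go through TEST_UTIL's table.
      try (Connection connection = ConnectionFactory.createConnection(conf);
          Table table = TEST_UTIL.createTable(tableName, CF)) {
        Put put = new Put(ROW_1);
        put.addColumn(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
        put.setCellVisibility(new CellVisibility(SECRET));
        table.put(put);
        put = new Put(ROW_1);
        put.addColumn(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
        put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
        table.put(put);
        put = new Put(ROW_1);
        put.addColumn(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
        table.put(put);
        return null;
      }
    }
  });

  // Superuser sees all three cells.
  SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection connection = ConnectionFactory.createConnection(conf);
          Table table = connection.getTable(tableName);
          ResultScanner scanner = table.getScanner(new Scan())) {
        Result[] next = scanner.next(1);
        assertTrue(next.length == 1);
        CellScanner cells = next[0].cellScanner();
        assertNextCell(cells, Q1, value1);
        assertNextCell(cells, Q2, value2);
        assertNextCell(cells, Q3, value3);
        return null;
      }
    }
  });

  // The test user is entitled to CONFIDENTIAL only. Whatever Authorizations the client puts on
  // the Scan, the ScanLabelGenerator stack drops labels the user does not hold, so SECRET (value1)
  // is never visible to this user.
  TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection connection = ConnectionFactory.createConnection(conf);
          Table table = connection.getTable(tableName)) {
        // No auth attribute on the scan: value2 (CONFIDENTIAL) and value3 (no label) are returned.
        try (ResultScanner scanner = table.getScanner(new Scan())) {
          Result[] next = scanner.next(1);
          assertTrue(next.length == 1);
          CellScanner cells = next[0].cellScanner();
          assertNextCell(cells, Q2, value2);
          assertNextCell(cells, Q3, value3);
        }
        // Scan requests both SECRET and CONFIDENTIAL: SECRET is dropped by the SLGs, result unchanged.
        Scan bothLabels = new Scan();
        bothLabels.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
        try (ResultScanner scanner = table.getScanner(bothLabels)) {
          Result[] next = scanner.next(1);
          assertTrue(next.length == 1);
          CellScanner cells = next[0].cellScanner();
          assertNextCell(cells, Q2, value2);
          assertNextCell(cells, Q3, value3);
        }
        // Scan requests only SECRET, which the user lacks: only the unlabelled value3 survives.
        Scan secretOnly = new Scan();
        secretOnly.setAuthorizations(new Authorizations(new String[] { SECRET }));
        try (ResultScanner scanner = table.getScanner(secretOnly)) {
          Result next = scanner.next();
          CellScanner cells = next.cellScanner();
          assertNextCell(cells, Q3, value3);
          assertFalse(cells.advance());
        }
        return null;
      }
    }
  });
}

/**
 * Advances {@code cells} to its next cell and asserts that cell is in ROW_1 with the given
 * qualifier and value. Asserting on advance() turns a missing cell into an assertion failure
 * rather than a NullPointerException from current().
 */
private void assertNextCell(CellScanner cells, byte[] qualifier, byte[] value) throws Exception {
  assertTrue(cells.advance());
  Cell cell = cells.current();
  assertTrue(Bytes.equals(cell.getRowArray(), cell.getRowOffset(), cell.getRowLength(), ROW_1, 0, ROW_1.length));
  assertTrue(Bytes.equals(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength(), qualifier, 0, qualifier.length));
  assertTrue(Bytes.equals(cell.getValueArray(), cell.getValueOffset(), cell.getValueLength(), value, 0, value.length));
}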