

use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.

Class TestAccessController, method testGrantRevoke.

@Test(timeout = 180000)
public void testGrantRevoke() throws Exception {
    // Every action below reaches the AccessControl coprocessor endpoint through a fresh
    // client connection, so the allow/deny decision under test is the server-side one made
    // for the calling user, not anything cached in a shared client.
    AccessTestAction grantReadToRoUser = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection client = ConnectionFactory.createConnection(conf);
                Table aclTable = client.getTable(AccessControlLists.ACL_TABLE_NAME)) {
                BlockingRpcChannel channel = aclTable.coprocessorService(TEST_TABLE.getName());
                AccessControlService.BlockingInterface endpoint = AccessControlService.newBlockingStub(channel);
                // Family-scoped READ on TEST_TABLE for USER_RO (no qualifier).
                AccessControlUtil.grant(null, endpoint, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, false, Action.READ);
            }
            return null;
        }
    };
    AccessTestAction revokeReadFromRoUser = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection client = ConnectionFactory.createConnection(conf);
                Table aclTable = client.getTable(AccessControlLists.ACL_TABLE_NAME)) {
                BlockingRpcChannel channel = aclTable.coprocessorService(TEST_TABLE.getName());
                AccessControlService.BlockingInterface endpoint = AccessControlService.newBlockingStub(channel);
                // Mirror image of the grant above; the finally block at the end restores it.
                AccessControlUtil.revoke(null, endpoint, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Action.READ);
            }
            return null;
        }
    };
    AccessTestAction listTablePermissions = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection client = ConnectionFactory.createConnection(conf);
                Table aclTable = client.getTable(AccessControlLists.ACL_TABLE_NAME)) {
                BlockingRpcChannel channel = aclTable.coprocessorService(TEST_TABLE.getName());
                AccessControlService.BlockingInterface endpoint = AccessControlService.newBlockingStub(channel);
                // Table-scoped listing: who holds what on TEST_TABLE.
                AccessControlUtil.getUserPermissions(null, endpoint, TEST_TABLE);
            }
            return null;
        }
    };
    AccessTestAction listGlobalPermissions = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            try (Connection client = ConnectionFactory.createConnection(conf);
                Table aclTable = client.getTable(AccessControlLists.ACL_TABLE_NAME)) {
                // Global listing is addressed at the first region (empty start row), not TEST_TABLE.
                BlockingRpcChannel channel = aclTable.coprocessorService(HConstants.EMPTY_START_ROW);
                AccessControlService.BlockingInterface endpoint = AccessControlService.newBlockingStub(channel);
                AccessControlUtil.getUserPermissions(null, endpoint);
            }
            return null;
        }
    };
    // Grant is privileged: only SUPERUSER, USER_ADMIN, the table owner and the admin group may do it.
    verifyAllowed(grantReadToRoUser, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
    verifyDenied(grantReadToRoUser, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
    try {
        // Revoke and table-scoped listing follow the same allow/deny split as grant.
        verifyAllowed(revokeReadFromRoUser, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(revokeReadFromRoUser, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        verifyAllowed(listTablePermissions, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
        verifyDenied(listTablePermissions, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
        // Global listing is narrower still: the table owner is denied here.
        verifyAllowed(listGlobalPermissions, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
        verifyDenied(listGlobalPermissions, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
    } finally {
        // The revoke action strips USER_RO's READ on TEST_FAMILY; put the fixture back for later tests.
        grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
    }
}


use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.

Class TestAccessController2, method testACLTableAccess.

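@Test(timeout = 180000)
public void testACLTableAccess() throws Exception {
    final Configuration conf = TEST_UTIL.getConfiguration();
    // Superuser
    User superUser = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
    // Global users: one per action, each holding exactly that one global permission.
    User globalRead = User.createUserForTesting(conf, "globalRead", new String[0]);
    User globalWrite = User.createUserForTesting(conf, "globalWrite", new String[0]);
    User globalCreate = User.createUserForTesting(conf, "globalCreate", new String[0]);
    User globalAdmin = User.createUserForTesting(conf, "globalAdmin", new String[0]);
    SecureTestUtil.grantGlobal(TEST_UTIL, globalRead.getShortName(), Action.READ);
    SecureTestUtil.grantGlobal(TEST_UTIL, globalWrite.getShortName(), Action.WRITE);
    SecureTestUtil.grantGlobal(TEST_UTIL, globalCreate.getShortName(), Action.CREATE);
    SecureTestUtil.grantGlobal(TEST_UTIL, globalAdmin.getShortName(), Action.ADMIN);
    // Namespace users: same split, scoped to TEST_TABLE's namespace.
    User nsRead = User.createUserForTesting(conf, "nsRead", new String[0]);
    User nsWrite = User.createUserForTesting(conf, "nsWrite", new String[0]);
    User nsCreate = User.createUserForTesting(conf, "nsCreate", new String[0]);
    User nsAdmin = User.createUserForTesting(conf, "nsAdmin", new String[0]);
    SecureTestUtil.grantOnNamespace(TEST_UTIL, nsRead.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.READ);
    SecureTestUtil.grantOnNamespace(TEST_UTIL, nsWrite.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.WRITE);
    SecureTestUtil.grantOnNamespace(TEST_UTIL, nsCreate.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.CREATE);
    SecureTestUtil.grantOnNamespace(TEST_UTIL, nsAdmin.getShortName(), TEST_TABLE.getTableName().getNamespaceAsString(), Action.ADMIN);
    // Table users: same split, scoped to TEST_TABLE itself (not to the ACL table).
    User tableRead = User.createUserForTesting(conf, "tableRead", new String[0]);
    User tableWrite = User.createUserForTesting(conf, "tableWrite", new String[0]);
    User tableCreate = User.createUserForTesting(conf, "tableCreate", new String[0]);
    User tableAdmin = User.createUserForTesting(conf, "tableAdmin", new String[0]);
    SecureTestUtil.grantOnTable(TEST_UTIL, tableRead.getShortName(), TEST_TABLE.getTableName(), null, null, Action.READ);
    SecureTestUtil.grantOnTable(TEST_UTIL, tableWrite.getShortName(), TEST_TABLE.getTableName(), null, null, Action.WRITE);
    SecureTestUtil.grantOnTable(TEST_UTIL, tableCreate.getShortName(), TEST_TABLE.getTableName(), null, null, Action.CREATE);
    SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(), TEST_TABLE.getTableName(), null, null, Action.ADMIN);
    // NOTE(review): the per-user grants above are never revoked in this method (only the group
    // grants below are). Confirm the class teardown clears them; otherwise the global and
    // namespace entries persist into later tests in the same JVM.
    grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
    try {
        // Write tests. ACL_TABLE_NAME is the permission store itself, so direct write access
        // to it carries the same weight as grant/revoke authority; the expectation pinned here
        // is that nothing short of global WRITE (held directly or via group) or superuser gets it.
        AccessTestAction writeAction = new AccessTestAction() {

            @Override
            public Object run() throws Exception {
                try (Connection conn = ConnectionFactory.createConnection(conf);
                    Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
                    t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER, TEST_VALUE));
                    return null;
                }
            }
        };
        // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
        verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
        verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
        verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
        verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
    } finally {
        revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
    }
    grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
    try {
        // Read tests: a full scan of the ACL table, with the scanner closed on every path.
        AccessTestAction scanAction = new AccessTestAction() {

            @Override
            public Object run() throws Exception {
                try (Connection conn = ConnectionFactory.createConnection(conf);
                    Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME);
                    ResultScanner s = t.getScanner(new Scan())) {
                    for (Result r = s.next(); r != null; r = s.next()) {
                        // Drain the scanner; only the authorization outcome matters here.
                    }
                    return null;
                }
            }
        };
        // All reads from ACL table denied except for GLOBAL READ and superuser. Note that global
        // ADMIN alone is not enough to read the permission store.
        verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
        verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
        verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
        verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
    } finally {
        revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
    }
}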


use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.

Class TestAccessController2, method testCreateWithCorrectOwner.

@Test(timeout = 180000)
public void testCreateWithCorrectOwner() throws Exception {
    // A fresh user whose only privilege is global CREATE.
    final User creator = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser", new String[0]);
    SecureTestUtil.grantGlobal(TEST_UTIL, creator.getShortName(), Action.CREATE);
    // Create TEST_TABLE through a connection authenticated as that user, so that the
    // owner recorded for the table is the creator and not the test harness identity.
    AccessTestAction createTableAsCreator = new AccessTestAction() {

        @Override
        public Object run() throws Exception {
            HTableDescriptor descriptor = new HTableDescriptor(TEST_TABLE.getTableName());
            descriptor.addFamily(new HColumnDescriptor(TEST_FAMILY));
            try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), creator);
                Admin admin = connection.getAdmin()) {
                createTable(TEST_UTIL, admin, descriptor);
            }
            return null;
        }
    };
    verifyAllowed(createTableAsCreator, creator);
    TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName());
    // The creator must now hold the full owner set (RWXCA) on the new table.
    List<TablePermission> ownerPerms = AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).get(creator.getShortName());
    assertNotNull(ownerPerms);
    assertFalse(ownerPerms.isEmpty());
    Permission.Action[] ownerActions = { Permission.Action.READ, Permission.Action.WRITE, Permission.Action.EXEC, Permission.Action.CREATE, Permission.Action.ADMIN };
    for (Permission.Action expected : ownerActions) {
        assertTrue(ownerPerms.get(0).implies(expected));
    }
}


use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.

Class ExpAsStringVisibilityLabelServiceImpl, method getUserAuths.

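/**
 * Returns the visibility authorizations stored for {@code user}: one entry per qualifier
 * found in the user's row of the labels table.
 *
 * @param user the row key (the user's name as bytes) to look up in the labels table
 * @param systemCall whether the caller is the system itself; this is the only caller
 *                   permitted to take the remote path when no labels region is attached
 * @return the user's auths, or an empty list if the row does not exist
 * @throws IOException on lookup failure, or when a non-system caller invokes this without
 *                     an attached labels region
 */
@Override
public List<String> getUserAuths(byte[] user, boolean systemCall) throws IOException {
    // This precondition used to be a JVM assert, which is a no-op unless the process runs
    // with -ea. Enforce it explicitly so the check fails closed in production as well.
    if (labelsRegion == null && !systemCall) {
        throw new IOException("getUserAuths requires an attached labels region for non-system callers");
    }
    Get labelsLookup = new Get(user);
    List<Cell> cells;
    if (labelsRegion == null) {
        // Remote path (system caller only): read the labels table through a client
        // connection. try-with-resources closes the table, then the connection, on all paths.
        try (Connection connection = ConnectionFactory.createConnection(conf);
            Table labelsTable = connection.getTable(VisibilityConstants.LABELS_TABLE_NAME)) {
            cells = labelsTable.get(labelsLookup).listCells();
        }
    } else {
        // Local path: read the labels region hosted in this process directly.
        cells = this.labelsRegion.get(labelsLookup, false);
    }
    List<String> auths = new ArrayList<>();
    // listCells() yields null for an empty result, which we treat as "no auths".
    if (cells != null) {
        for (Cell cell : cells) {
            auths.add(Bytes.toString(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength()));
        }
    }
    return auths;
}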


use of org.apache.hadoop.hbase.client.Connection in project hbase by apache.

Class TestDefaultScanLabelGeneratorStack, method testDefaultScanLabelGeneratorStack.

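/**
 * Exercises the default ScanLabelGenerator stack against one row holding a SECRET cell, a
 * CONFIDENTIAL cell and an unlabeled cell. SUPERUSER must see all three; TESTUSER must see
 * only what it is entitled to, and asking for a label it is not entitled to must drop that
 * label rather than fail open.
 */
@Test
public void testDefaultScanLabelGeneratorStack() throws Exception {
    final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
    // Seed ROW_1 with three cells: Q1 = SECRET, Q2 = CONFIDENTIAL, Q3 = no label.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Table table = TEST_UTIL.createTable(tableName, CF)) {
                Put put = new Put(ROW_1);
                put.addColumn(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
                put.setCellVisibility(new CellVisibility(SECRET));
                table.put(put);
                put = new Put(ROW_1);
                put.addColumn(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
                put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
                table.put(put);
                put = new Put(ROW_1);
                put.addColumn(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
                table.put(put);
                return null;
            }
        }
    });
    // Super user sees every cell, in qualifier order.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(conf);
                Table table = connection.getTable(tableName);
                ResultScanner scanner = table.getScanner(new Scan())) {
                CellScanner cells = singleRow(scanner);
                assertCell(nextCell(cells), ROW_1, Q1, value1);
                assertCell(nextCell(cells), ROW_1, Q2, value2);
                assertCell(nextCell(cells), ROW_1, Q3, value3);
                return null;
            }
        }
    });
    TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(conf);
                Table table = connection.getTable(tableName)) {
                // Scan with no auth attribute: test user sees value2 (CONFIDENTIAL) and value3 (no label).
                try (ResultScanner scanner = table.getScanner(new Scan())) {
                    CellScanner cells = singleRow(scanner);
                    assertCell(nextCell(cells), ROW_1, Q2, value2);
                    assertCell(nextCell(cells), ROW_1, Q3, value3);
                }
                // Scan requesting both labels. Test user is entitled to CONFIDENTIAL only, so the
                // SLGs drop SECRET and the visible set is unchanged.
                Scan bothLabels = new Scan();
                bothLabels.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
                try (ResultScanner scanner = table.getScanner(bothLabels)) {
                    CellScanner cells = singleRow(scanner);
                    assertCell(nextCell(cells), ROW_1, Q2, value2);
                    assertCell(nextCell(cells), ROW_1, Q3, value3);
                }
                // Scan requesting only a label the user is not entitled to. SECRET is dropped, and
                // since CONFIDENTIAL was not requested only the unlabeled cell remains. The final
                // advance() must be false: value1 (SECRET) must never leak through here.
                Scan secretOnly = new Scan();
                secretOnly.setAuthorizations(new Authorizations(new String[] { SECRET }));
                try (ResultScanner scanner = table.getScanner(secretOnly)) {
                    CellScanner cells = singleRow(scanner);
                    assertCell(nextCell(cells), ROW_1, Q3, value3);
                    assertFalse(cells.advance());
                }
                return null;
            }
        }
    });
}

/** Fetches one row from {@code scanner}, asserting exactly one came back, and returns its cell cursor. */
private static CellScanner singleRow(ResultScanner scanner) throws IOException {
    Result[] batch = scanner.next(1);
    assertTrue(batch.length == 1);
    return batch[0].cellScanner();
}

/** Advances {@code cells}, asserting another cell exists, and returns it. */
private static Cell nextCell(CellScanner cells) throws IOException {
    assertTrue(cells.advance());
    return cells.current();
}

/** Asserts that {@code cell} has exactly the given row, qualifier and value bytes. */
private static void assertCell(Cell cell, byte[] row, byte[] qualifier, byte[] value) {
    assertTrue(Bytes.equals(cell.getRowArray(), cell.getRowOffset(), cell.getRowLength(), row, 0, row.length));
    assertTrue(Bytes.equals(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength(), qualifier, 0, qualifier.length));
    assertTrue(Bytes.equals(cell.getValueArray(), cell.getValueOffset(), cell.getValueLength(), value, 0, value.length));
}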
