Example 11 with VisibilityLabelsResponse
use of org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse in project hbase by apache.
the class VisibilityController method addLabels.
/****************************** VisibilityEndpoint service related methods ******************************/
@Override
public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();
List<VisibilityLabel> visLabels = request.getVisLabelList();
if (!initialized) {
setExceptionResults(visLabels.size(), new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"), response);
} else {
List<byte[]> labels = new ArrayList<>(visLabels.size());
try {
if (authorizationEnabled) {
checkCallingUserAuth();
}
RegionActionResult successResult = RegionActionResult.newBuilder().build();
for (VisibilityLabel visLabel : visLabels) {
byte[] label = visLabel.getLabel().toByteArray();
labels.add(label);
// Just mark as success. Later it will get reset
response.addResult(successResult);
// based on the result from
// visibilityLabelService.addLabels ()
}
if (!labels.isEmpty()) {
OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);
logResult(true, "addLabels", "Adding labels allowed", null, labels, null);
int i = 0;
for (OperationStatus status : opStatus) {
while (response.getResult(i) != successResult) i++;
if (status.getOperationStatusCode() != SUCCESS) {
RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();
failureResultBuilder.setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));
response.setResult(i, failureResultBuilder.build());
}
i++;
}
}
} catch (AccessDeniedException e) {
logResult(false, "addLabels", e.getMessage(), null, labels, null);
LOG.error("User is not having required permissions to add labels", e);
setExceptionResults(visLabels.size(), e, response);
} catch (IOException e) {
LOG.error(e);
setExceptionResults(visLabels.size(), e, response);
}
}
done.run(response.build());
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
ArrayList(java.util.ArrayList)
RegionActionResult(org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
IOException(java.io.IOException)
ReplicationEndpoint(org.apache.hadoop.hbase.replication.ReplicationEndpoint)
VisibilityLabel(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabel)
OperationStatus(org.apache.hadoop.hbase.regionserver.OperationStatus)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Example 12 with VisibilityLabelsResponse
use of org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse in project hbase by apache.
the class VisibilityController method clearAuths.
@Override
public synchronized void clearAuths(RpcController controller, SetAuthsRequest request, RpcCallback<VisibilityLabelsResponse> done) {
VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();
List<ByteString> auths = request.getAuthList();
if (!initialized) {
setExceptionResults(auths.size(), new CoprocessorException("VisibilityController not yet initialized"), response);
} else {
byte[] requestUser = request.getUser().toByteArray();
List<byte[]> labelAuths = new ArrayList<>(auths.size());
try {
// When AC is ON, do AC based user auth check
if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {
User user = VisibilityUtils.getActiveUser();
throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null") + " is not authorized to perform this action.");
}
if (authorizationEnabled) {
// When AC is not in place the calling user should have
checkCallingUserAuth();
// SYSTEM_LABEL auth to do this action.
}
for (ByteString authBS : auths) {
labelAuths.add(authBS.toByteArray());
}
OperationStatus[] opStatus = this.visibilityLabelService.clearAuths(requestUser, labelAuths);
logResult(true, "clearAuths", "Removing authorization for labels allowed", requestUser, labelAuths, null);
RegionActionResult successResult = RegionActionResult.newBuilder().build();
for (OperationStatus status : opStatus) {
if (status.getOperationStatusCode() == SUCCESS) {
response.addResult(successResult);
} else {
RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();
failureResultBuilder.setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));
response.addResult(failureResultBuilder.build());
}
}
} catch (AccessDeniedException e) {
logResult(false, "clearAuths", e.getMessage(), requestUser, labelAuths, null);
LOG.error("User is not having required permissions to clear authorization", e);
setExceptionResults(auths.size(), e, response);
} catch (IOException e) {
LOG.error(e);
setExceptionResults(auths.size(), e, response);
}
}
done.run(response.build());
}
Also used :
AccessDeniedException(org.apache.hadoop.hbase.security.AccessDeniedException)
User(org.apache.hadoop.hbase.security.User)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
ByteString(com.google.protobuf.ByteString)
ArrayList(java.util.ArrayList)
RegionActionResult(org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)
DoNotRetryIOException(org.apache.hadoop.hbase.DoNotRetryIOException)
IOException(java.io.IOException)
OperationStatus(org.apache.hadoop.hbase.regionserver.OperationStatus)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
CoprocessorException(org.apache.hadoop.hbase.coprocessor.CoprocessorException)
Example 13 with VisibilityLabelsResponse
use of org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse in project hbase by apache.
the class TestImportTSVWithVisibilityLabels method createLabels.
private static void createLabels() throws IOException, InterruptedException {
PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
String[] labels = { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE };
try (Connection conn = ConnectionFactory.createConnection(conf)) {
VisibilityClient.addLabels(conn, labels);
LOG.info("Added labels ");
} catch (Throwable t) {
LOG.error("Error in adding labels", t);
throw new IOException(t);
}
return null;
}
};
SUPERUSER.runAs(action);
}
Also used :
Connection(org.apache.hadoop.hbase.client.Connection)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
IOException(java.io.IOException)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Example 14 with VisibilityLabelsResponse
use of org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse in project hbase by apache.
the class TestVisibilityLabelsWithDeletes method testMultipleDeleteFamilyVersionWithDiffLabels.
@Test
public void testMultipleDeleteFamilyVersionWithDiffLabels() throws Exception {
PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE, SECRET }, SUPERUSER.getShortName());
} catch (Throwable e) {
}
return null;
}
};
VisibilityLabelsResponse response = SUPERUSER.runAs(action);
final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
try (Table table = doPuts(tableName)) {
PrivilegedExceptionAction<Void> actiona = new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Delete d = new Delete(row1);
d.setCellVisibility(new CellVisibility(CONFIDENTIAL));
d.addFamilyVersion(fam, 123l);
table.delete(d);
d = new Delete(row1);
d.setCellVisibility(new CellVisibility(SECRET + "&" + TOPSECRET));
d.addFamilyVersion(fam, 125l);
table.delete(d);
} catch (Throwable t) {
throw new IOException(t);
}
return null;
}
};
SUPERUSER.runAs(actiona);
TEST_UTIL.getAdmin().flush(tableName);
Scan s = new Scan();
s.setMaxVersions(5);
s.setAuthorizations(new Authorizations(SECRET, PRIVATE, CONFIDENTIAL, TOPSECRET));
ResultScanner scanner = table.getScanner(s);
Result[] next = scanner.next(5);
assertTrue(next.length == 2);
CellScanner cellScanner = next[0].cellScanner();
cellScanner.advance();
Cell current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), row1, 0, row1.length));
assertEquals(current.getTimestamp(), 127l);
cellScanner.advance();
current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), row1, 0, row1.length));
assertEquals(current.getTimestamp(), 126l);
cellScanner.advance();
current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), row1, 0, row1.length));
assertEquals(current.getTimestamp(), 124l);
}
}
Also used :
Delete(org.apache.hadoop.hbase.client.Delete)
Table(org.apache.hadoop.hbase.client.Table)
ResultScanner(org.apache.hadoop.hbase.client.ResultScanner)
Connection(org.apache.hadoop.hbase.client.Connection)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
InterruptedIOException(java.io.InterruptedIOException)
IOException(java.io.IOException)
CellScanner(org.apache.hadoop.hbase.CellScanner)
Result(org.apache.hadoop.hbase.client.Result)
TableName(org.apache.hadoop.hbase.TableName)
Scan(org.apache.hadoop.hbase.client.Scan)
Cell(org.apache.hadoop.hbase.Cell)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Test(org.junit.Test)
Example 15 with VisibilityLabelsResponse
use of org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse in project hbase by apache.
the class TestVisibilityLablesWithGroups method testGroupAuths.
@Test
public void testGroupAuths() throws Exception {
final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
// create the table
TEST_UTIL.createTable(tableName, CF);
// put the data.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Put put = new Put(ROW_1);
put.addColumn(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
put.setCellVisibility(new CellVisibility(SECRET));
table.put(put);
put = new Put(ROW_1);
put.addColumn(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
table.put(put);
put = new Put(ROW_1);
put.addColumn(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
table.put(put);
}
return null;
}
});
// 'admin' user is part of 'supergroup', thus can see all the cells.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Scan s = new Scan();
ResultScanner scanner = table.getScanner(s);
Result[] next = scanner.next(1);
// Test that super user can see all the cells.
assertTrue(next.length == 1);
CellScanner cellScanner = next[0].cellScanner();
cellScanner.advance();
Cell current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q1, 0, Q1.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value1, 0, value1.length));
cellScanner.advance();
current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q2, 0, Q2.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value2, 0, value2.length));
cellScanner.advance();
current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value3, 0, value3.length));
}
return null;
}
});
// Get testgroup's labels.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
GetAuthsResponse authsResponse = null;
try (Connection conn = ConnectionFactory.createConnection(conf)) {
authsResponse = VisibilityClient.getAuths(conn, "@testgroup");
} catch (Throwable e) {
fail("Should not have failed");
}
List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
for (ByteString authBS : authsResponse.getAuthList()) {
authsList.add(Bytes.toString(authBS.toByteArray()));
}
assertEquals(1, authsList.size());
assertTrue(authsList.contains(CONFIDENTIAL));
return null;
}
});
// Test that test user can see what 'testgroup' has been authorized to.
TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
// Test scan with no auth attribute
Scan s = new Scan();
ResultScanner scanner = table.getScanner(s);
Result[] next = scanner.next(1);
assertTrue(next.length == 1);
CellScanner cellScanner = next[0].cellScanner();
cellScanner.advance();
Cell current = cellScanner.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q2, 0, Q2.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value2, 0, value2.length));
cellScanner.advance();
current = cellScanner.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value3, 0, value3.length));
// Test scan with correct auth attribute for test user
Scan s1 = new Scan();
// test user is entitled to 'CONFIDENTIAL'.
// If we set both labels in the scan, 'SECRET' will be dropped by the SLGs.
s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
ResultScanner scanner1 = table.getScanner(s1);
Result[] next1 = scanner1.next(1);
assertTrue(next1.length == 1);
CellScanner cellScanner1 = next1[0].cellScanner();
cellScanner1.advance();
Cell current1 = cellScanner1.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q2, 0, Q2.length));
assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value2, 0, value2.length));
cellScanner1.advance();
current1 = cellScanner1.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value3, 0, value3.length));
// Test scan with incorrect auth attribute for test user
Scan s2 = new Scan();
// test user is entitled to 'CONFIDENTIAL'.
// If we set 'SECRET', it will be dropped by the SLGs.
s2.setAuthorizations(new Authorizations(new String[] { SECRET }));
ResultScanner scanner2 = table.getScanner(s2);
Result next2 = scanner2.next();
CellScanner cellScanner2 = next2.cellScanner();
cellScanner2.advance();
Cell current2 = cellScanner2.current();
// This scan will only see value3 (no label)
assertTrue(Bytes.equals(current2.getRowArray(), current2.getRowOffset(), current2.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current2.getQualifierArray(), current2.getQualifierOffset(), current2.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current2.getValueArray(), current2.getValueOffset(), current2.getValueLength(), value3, 0, value3.length));
assertFalse(cellScanner2.advance());
}
return null;
}
});
// Clear 'testgroup' of CONFIDENTIAL label.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
VisibilityLabelsResponse response = null;
try (Connection conn = ConnectionFactory.createConnection(conf)) {
response = VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL }, "@testgroup");
} catch (Throwable e) {
fail("Should not have failed");
}
return null;
}
});
// Get testgroup's labels. No label is returned.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
GetAuthsResponse authsResponse = null;
try (Connection conn = ConnectionFactory.createConnection(conf)) {
authsResponse = VisibilityClient.getAuths(conn, "@testgroup");
} catch (Throwable e) {
fail("Should not have failed");
}
List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
for (ByteString authBS : authsResponse.getAuthList()) {
authsList.add(Bytes.toString(authBS.toByteArray()));
}
assertEquals(0, authsList.size());
return null;
}
});
// Test that test user cannot see the cells with the labels anymore.
TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Scan s1 = new Scan();
// test user is not entitled to 'CONFIDENTIAL' anymore since we dropped
// testgroup's label. test user has no auth labels now.
// scan's labels will be dropped on the server side.
s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
ResultScanner scanner1 = table.getScanner(s1);
Result[] next1 = scanner1.next(1);
assertTrue(next1.length == 1);
CellScanner cellScanner1 = next1[0].cellScanner();
cellScanner1.advance();
Cell current1 = cellScanner1.current();
// test user can only see value3 (no label)
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value3, 0, value3.length));
assertFalse(cellScanner1.advance());
}
return null;
}
});
}
Also used :
Table(org.apache.hadoop.hbase.client.Table)
ResultScanner(org.apache.hadoop.hbase.client.ResultScanner)
ByteString(com.google.protobuf.ByteString)
Connection(org.apache.hadoop.hbase.client.Connection)
CellScanner(org.apache.hadoop.hbase.CellScanner)
IOException(java.io.IOException)
Put(org.apache.hadoop.hbase.client.Put)
Result(org.apache.hadoop.hbase.client.Result)
TableName(org.apache.hadoop.hbase.TableName)
GetAuthsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)
Scan(org.apache.hadoop.hbase.client.Scan)
ArrayList(java.util.ArrayList)
List(java.util.List)
Cell(org.apache.hadoop.hbase.Cell)
VisibilityLabelsResponse(org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Test(org.junit.Test)
Aggregations
VisibilityLabelsResponse (org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)26
IOException (java.io.IOException)21
Connection (org.apache.hadoop.hbase.client.Connection)21
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)20
ByteString (com.google.protobuf.ByteString)12
Test (org.junit.Test)10
Table (org.apache.hadoop.hbase.client.Table)9
ArrayList (java.util.ArrayList)7
RegionActionResult (org.apache.hadoop.hbase.protobuf.generated.ClientProtos.RegionActionResult)6
TableName (org.apache.hadoop.hbase.TableName)5
Result (org.apache.hadoop.hbase.client.Result)5
ResultScanner (org.apache.hadoop.hbase.client.ResultScanner)5
Scan (org.apache.hadoop.hbase.client.Scan)5
GetAuthsResponse (org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)4
InterruptedIOException (java.io.InterruptedIOException)3
Cell (org.apache.hadoop.hbase.Cell)3
CellScanner (org.apache.hadoop.hbase.CellScanner)3
DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)3
Put (org.apache.hadoop.hbase.client.Put)3
OperationStatus (org.apache.hadoop.hbase.regionserver.OperationStatus)3
