
Example 1 with AccessTestAction

use of org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction in project hbase by apache.

From class TestSecureExport, method testVisibilityLabels.

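/**
 * Round-trips visibility-labelled cells through Export and Import and checks that the labels
 * given to the export act as a filter: for each label set, only the rows whose visibility
 * expression is satisfied by those labels reach the imported table, which is verified by
 * scanning it with the same labels as authorizations. Every table and HDFS action runs as the
 * table owner through {@code SecureTestUtil.verifyAllowed}.
 *
 * @throws Throwable propagated from the actions run as the owner
 */
@Test
// See HBASE-23990
@org.junit.Ignore
public void testVisibilityLabels() throws Throwable {
    final String exportTable = name.getMethodName() + "_export";
    final String importTable = name.getMethodName() + "_import";
    final TableDescriptor exportHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(exportTable))
        .setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)).build();
    User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]);
    SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][] { Bytes.toBytes("s") });

    // Three rows, each carrying a different visibility expression, written as the table owner.
    AccessTestAction putAction = () -> {
        Put p1 = new Put(ROW1);
        p1.addColumn(FAMILYA, QUAL, NOW, QUAL);
        p1.setCellVisibility(new CellVisibility(SECRET));
        Put p2 = new Put(ROW2);
        p2.addColumn(FAMILYA, QUAL, NOW, QUAL);
        p2.setCellVisibility(new CellVisibility(PRIVATE + " & " + CONFIDENTIAL));
        Put p3 = new Put(ROW3);
        p3.addColumn(FAMILYA, QUAL, NOW, QUAL);
        p3.setCellVisibility(new CellVisibility("!" + CONFIDENTIAL + " & " + TOPSECRET));
        try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
            Table t = conn.getTable(TableName.valueOf(exportTable))) {
            t.put(p1);
            t.put(p2);
            t.put(p3);
        }
        return null;
    };
    SecureTestUtil.verifyAllowed(putAction, getUserByLogin(USER_OWNER));

    // Each case: the labels handed to Export (and reused as scan authorizations on the imported
    // table) and the number of rows expected to survive the export/import round trip.
    final List<Pair<List<String>, Integer>> labelsAndRowCounts = Arrays.asList(
        new Pair<>(Arrays.asList(SECRET), 1),
        new Pair<>(Arrays.asList(PRIVATE, CONFIDENTIAL), 1),
        new Pair<>(Arrays.asList(TOPSECRET), 1),
        new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL), 0),
        new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL, PRIVATE, SECRET), 2));

    // Scratch directory for the export output, named after this test so it is distinct from the
    // sibling testAccessCase directory. It is loop-invariant, so it is created once here and
    // removed in the finally block below rather than left behind.
    final Path openDir = new Path(name.getMethodName());
    final FileSystem fs = openDir.getFileSystem(UTIL.getConfiguration());
    fs.mkdirs(openDir);
    // World-writable: the export/import actions run as USER_OWNER via verifyAllowed, not as the
    // user that created the directory, and must be able to write beneath it.
    fs.setPermission(openDir, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.ALL));
    final Path output = fs.makeQualified(new Path(openDir, "output"));
    try {
        for (final Pair<List<String>, Integer> labelsAndRowCount : labelsAndRowCounts) {
            final List<String> labels = labelsAndRowCount.getFirst();
            final int rowCount = labelsAndRowCount.getSecond();

            // Export only the cells visible under the given labels.
            AccessTestAction exportAction = () -> {
                try {
                    // NOTE(review): this "-D " form has a space after the flag while the import
                    // below uses "-D<key>"; confirm both spellings are accepted by the option parser.
                    String[] args = new String[] {
                        "-D " + ExportUtils.EXPORT_VISIBILITY_LABELS + "=" + String.join(",", labels),
                        exportTable, output.toString() };
                    Export.run(new Configuration(UTIL.getConfiguration()), args);
                    return null;
                } catch (ServiceException | IOException ex) {
                    throw ex;
                } catch (Throwable ex) {
                    // AccessTestAction.run declares only Exception; wrap anything else.
                    throw new Exception(ex);
                }
            };
            SecureTestUtil.verifyAllowed(exportAction, getUserByLogin(USER_OWNER));

            final TableDescriptor importHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(importTable))
                .setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYB)).build();
            SecureTestUtil.createTable(UTIL, owner, importHtd, new byte[][] { Bytes.toBytes("s") });

            // Import the exported files, renaming FAMILYA to FAMILYB on the way in.
            AccessTestAction importAction = () -> {
                String[] args = new String[] {
                    "-D" + Import.CF_RENAME_PROP + "=" + FAMILYA_STRING + ":" + FAMILYB_STRING,
                    importTable, output.toString() };
                assertEquals(0, ToolRunner.run(new Configuration(UTIL.getConfiguration()), new Import(), args));
                return null;
            };
            SecureTestUtil.verifyAllowed(importAction, getUserByLogin(USER_OWNER));

            // Scanning with the same labels as authorizations must yield exactly the rows whose
            // visibility expression those labels satisfy.
            AccessTestAction scanAction = () -> {
                Scan scan = new Scan();
                scan.setAuthorizations(new Authorizations(labels));
                try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
                    Table table = conn.getTable(importHtd.getTableName());
                    ResultScanner scanner = table.getScanner(scan)) {
                    int count = 0;
                    for (Result ignored : scanner) {
                        ++count;
                    }
                    assertEquals(rowCount, count);
                }
                return null;
            };
            SecureTestUtil.verifyAllowed(scanAction, getUserByLogin(USER_OWNER));

            AccessTestAction deleteImportAction = () -> {
                UTIL.deleteTable(importHtd.getTableName());
                return null;
            };
            SecureTestUtil.verifyAllowed(deleteImportAction, getUserByLogin(USER_OWNER));
            // Start the next label set from an empty output path.
            clearOutput(output);
        }

        AccessTestAction deleteExportAction = () -> {
            UTIL.deleteTable(exportHtd.getTableName());
            return null;
        };
        SecureTestUtil.verifyAllowed(deleteExportAction, getUserByLogin(USER_OWNER));
    } finally {
        // Remove the scratch directory even when an assertion above fails.
        fs.delete(openDir, true);
    }
}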

Example 2 with AccessTestAction

use of org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction in project hbase by apache.

From class TestAsyncAccessControlAdminApi, method test.

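/**
 * Exercises the async access-control admin API end to end: grant READ on a table to one user,
 * read the grant back with and without a user-name filter, query {@code hasUserPermissions}
 * for a user that holds it and one that does not, and check that a user without any grant can
 * ask about its own permissions but not about another user's.
 *
 * @throws Exception from awaited admin futures or from {@code User.runAs}
 */
@Test
public void test() throws Exception {
    TableName tableName = TableName.valueOf("test-table");
    String userName1 = "user1";
    String userName2 = "user2";
    User user2 = User.createUserForTesting(TEST_UTIL.getConfiguration(), userName2, new String[0]);
    Permission permission = Permission.newBuilder(tableName).withActions(Permission.Action.READ).build();
    UserPermission userPermission = new UserPermission(userName1, permission);
    // grant user1 READ on the table
    admin.grant(userPermission, false).get();
    // all permissions on the table: exactly the grant above
    List<UserPermission> userPermissions =
        admin.getUserPermissions(GetUserPermissionsRequest.newBuilder(tableName).build()).get();
    assertEquals(1, userPermissions.size());
    assertEquals(userPermission, userPermissions.get(0));
    // filtered by user name: user1 gets its grant back, user2 has none
    userPermissions = admin.getUserPermissions(
        GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName1).build()).get();
    assertEquals(1, userPermissions.size());
    assertEquals(userPermission, userPermissions.get(0));
    userPermissions = admin.getUserPermissions(
        GetUserPermissionsRequest.newBuilder(tableName).withUserName(userName2).build()).get();
    assertEquals(0, userPermissions.size());
    // hasUserPermissions asked by the admin: user1 holds READ, user2 does not
    List<Permission> permissions = Lists.newArrayList(permission);
    assertTrue(admin.hasUserPermissions(userName1, permissions).get().get(0));
    assertFalse(admin.hasUserPermissions(userName2, permissions).get().get(0));
    // Asking about another user's permissions from a connection owned by user2, who holds no
    // grant at all, must fail rather than answer.
    AccessTestAction hasPermissionAction = () -> {
        try (AsyncConnection conn =
            ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
            return conn.getAdmin().hasUserPermissions(userName1, permissions).get().get(0);
        }
    };
    try {
        user2.runAs(hasPermissionAction);
        fail("Should not come here");
    } catch (Exception e) {
        // NOTE(review): any Exception satisfies this branch, including connection failures;
        // narrowing it to the access-denied failure expected here would make the check stronger.
        LOG.error("Call has permission error", e);
    }
    // A user may ask about its own permissions. Await the admin's own query so a failure is
    // observed instead of being lost with a discarded future; user2 then sees no READ grant.
    admin.hasUserPermissions(permissions).get();
    AccessTestAction checkPermissionsAction = () -> {
        try (AsyncConnection conn =
            ConnectionFactory.createAsyncConnection(TEST_UTIL.getConfiguration()).get()) {
            return conn.getAdmin().hasUserPermissions(permissions).get().get(0);
        }
    };
    assertFalse((Boolean) user2.runAs(checkPermissionsAction));
}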

Example 3 with AccessTestAction

use of org.apache.hadoop.hbase.security.access.SecureTestUtil.AccessTestAction in project hbase by apache.

From class TestSecureExport, method testAccessCase.

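/**
 * Test the ExportEndpoint's access levels. The {@link Export} test is ignored
 * since the access exceptions cannot be collected from the mappers.
 * <p>
 * Grants READ, READ+EXEC and EXEC on the table to three distinct users and checks that only
 * users holding both READ and EXEC (plus the admin and the table owner) can run the export,
 * that READ alone, EXEC alone or no grant is denied, and that the files a successful export
 * leaves on HDFS are owned by the invoking user rather than the hbase service user.
 *
 * @throws Throwable propagated from the actions run as the test users
 */
@Test
public void testAccessCase() throws Throwable {
    final String exportTable = name.getMethodName();
    TableDescriptor exportHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(exportTable))
        .setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)).build();
    User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]);
    SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][] { Bytes.toBytes("s") });
    // Permission matrix for the export: READ only, READ+EXEC, EXEC only.
    SecureTestUtil.grantOnTable(UTIL, USER_RO, TableName.valueOf(exportTable), null, null, Permission.Action.READ);
    SecureTestUtil.grantOnTable(UTIL, USER_RX, TableName.valueOf(exportTable), null, null, Permission.Action.READ, Permission.Action.EXEC);
    SecureTestUtil.grantOnTable(UTIL, USER_XO, TableName.valueOf(exportTable), null, null, Permission.Action.EXEC);
    // The three explicit grants above plus one more (presumably the owner's, created with the table).
    assertEquals(4, PermissionStorage.getTablePermissions(UTIL.getConfiguration(), TableName.valueOf(exportTable)).size());

    AccessTestAction putAction = () -> {
        Put p = new Put(ROW1);
        p.addColumn(FAMILYA, Bytes.toBytes("qual_0"), NOW, QUAL);
        p.addColumn(FAMILYA, Bytes.toBytes("qual_1"), NOW, QUAL);
        try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
            Table t = conn.getTable(TableName.valueOf(exportTable))) {
            t.put(p);
        }
        return null;
    };
    // no hdfs access: a plain write is allowed for the admin and the owner only; none of the
    // READ/EXEC grants above covers it.
    SecureTestUtil.verifyAllowed(putAction, getUserByLogin(USER_ADMIN), getUserByLogin(USER_OWNER));
    SecureTestUtil.verifyDenied(putAction, getUserByLogin(USER_RO), getUserByLogin(USER_XO), getUserByLogin(USER_RX), getUserByLogin(USER_NONE));

    final FileSystem fs = UTIL.getDFSCluster().getFileSystem();
    final Path openDir = fs.makeQualified(new Path("testAccessCase"));
    fs.mkdirs(openDir);
    // World-writable so that the export, run as each test user in turn, can create its output
    // beneath a directory owned by the test process user.
    fs.setPermission(openDir, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.ALL));
    final Path output = fs.makeQualified(new Path(openDir, "output"));
    try {
        AccessTestAction exportAction = () -> {
            try {
                String[] args = new String[] { exportTable, output.toString() };
                Map<byte[], Export.Response> result = Export.run(new Configuration(UTIL.getConfiguration()), args);
                long rowCount = 0;
                long cellCount = 0;
                for (Export.Response r : result.values()) {
                    rowCount += r.getRowCount();
                    cellCount += r.getCellCount();
                }
                assertEquals(1, rowCount);
                assertEquals(2, cellCount);
                // Only checked once the export has completed successfully (a denied run has
                // nothing to verify): every file under the output directory should be owned by
                // the current user, not the hbase service user.
                if (fs.exists(output)) {
                    String currentUserName = User.getCurrent().getShortName();
                    FileStatus outputDirFileStatus = fs.getFileStatus(output);
                    assertEquals("Unexpected file owner", currentUserName, outputDirFileStatus.getOwner());
                    for (FileStatus fileStatus : fs.listStatus(output)) {
                        assertEquals("Unexpected file owner", currentUserName, fileStatus.getOwner());
                    }
                } else {
                    LOG.info("output directory doesn't exist. Skip check");
                }
                return null;
            } catch (ServiceException | IOException ex) {
                throw ex;
            } catch (Throwable ex) {
                LOG.error(ex.toString(), ex);
                // AccessTestAction.run declares only Exception; wrap anything else.
                throw new Exception(ex);
            } finally {
                // Always clean up so the next user in verifyDenied/verifyAllowed starts from an
                // empty output path.
                clearOutput(output);
            }
        };
        // READ alone, EXEC alone, or no grant: the endpoint must refuse.
        SecureTestUtil.verifyDenied(exportAction, getUserByLogin(USER_RO), getUserByLogin(USER_XO), getUserByLogin(USER_NONE));
        // READ+EXEC, the admin and the owner: the export runs and the counts above hold.
        SecureTestUtil.verifyAllowed(exportAction, getUserByLogin(USER_ADMIN), getUserByLogin(USER_OWNER), getUserByLogin(USER_RX));

        AccessTestAction deleteAction = () -> {
            UTIL.deleteTable(TableName.valueOf(exportTable));
            return null;
        };
        SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
    } finally {
        // Remove the scratch directory even when an assertion above fails.
        fs.delete(openDir, true);
    }
}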
