use of org.apache.hadoop.hbase.security.visibility.Authorizations in project hbase by apache.
the class TestSecureExport method testVisibilityLabels.
/**
 * Round-trips cells carrying visibility expressions through Export and Import and checks that
 * a scan of the imported table sees exactly the rows the supplied labels allow.
 *
 * <p>Three rows are written to the export table, each with a different visibility expression.
 * For every label set in the table below, the export table is exported with those labels,
 * imported into a fresh table (column family renamed), scanned with the same labels as
 * {@link Authorizations}, and the row count is compared with the expected value.
 *
 * <p>The test is currently disabled through {@code @Ignore} (see HBASE-23990), so the
 * label-filtering assertions below do not run.
 */
@Test
// See HBASE-23990
@org.junit.Ignore
public void testVisibilityLabels() throws IOException, Throwable {
final String exportTable = name.getMethodName() + "_export";
final String importTable = name.getMethodName() + "_import";
final TableDescriptor exportHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(exportTable)).setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYA)).build();
User owner = User.createUserForTesting(UTIL.getConfiguration(), USER_OWNER, new String[0]);
SecureTestUtil.createTable(UTIL, owner, exportHtd, new byte[][] { Bytes.toBytes("s") });
// Seed the export table: one cell per row, each guarded by its own visibility expression.
AccessTestAction putAction = () -> {
// ROW1: visible with SECRET.
Put p1 = new Put(ROW1);
p1.addColumn(FAMILYA, QUAL, NOW, QUAL);
p1.setCellVisibility(new CellVisibility(SECRET));
// ROW2: needs both PRIVATE and CONFIDENTIAL.
Put p2 = new Put(ROW2);
p2.addColumn(FAMILYA, QUAL, NOW, QUAL);
p2.setCellVisibility(new CellVisibility(PRIVATE + " & " + CONFIDENTIAL));
// ROW3: needs TOPSECRET and the absence of CONFIDENTIAL.
Put p3 = new Put(ROW3);
p3.addColumn(FAMILYA, QUAL, NOW, QUAL);
p3.setCellVisibility(new CellVisibility("!" + CONFIDENTIAL + " & " + TOPSECRET));
try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
Table t = conn.getTable(TableName.valueOf(exportTable))) {
t.put(p1);
t.put(p2);
t.put(p3);
}
return null;
};
SecureTestUtil.verifyAllowed(putAction, getUserByLogin(USER_OWNER));
// Each entry pairs the labels handed to the export (and later to the scan) with the number of
// rows expected in the imported table.
// All four labels yield 2 rather than 3: holding CONFIDENTIAL makes ROW3's
// "!CONFIDENTIAL & TOPSECRET" expression false.
List<Pair<List<String>, Integer>> labelsAndRowCounts = new LinkedList<>();
labelsAndRowCounts.add(new Pair<>(Arrays.asList(SECRET), 1));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(PRIVATE, CONFIDENTIAL), 1));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET), 1));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL), 0));
labelsAndRowCounts.add(new Pair<>(Arrays.asList(TOPSECRET, CONFIDENTIAL, PRIVATE, SECRET), 2));
for (final Pair<List<String>, Integer> labelsAndRowCount : labelsAndRowCounts) {
final List<String> labels = labelsAndRowCount.getFirst();
final int rowCount = labelsAndRowCount.getSecond();
// Create the export target directory with mode rwxrwxrwx (FsAction.ALL for user, group and
// other).
// NOTE(review): the exported files live on the filesystem, so presumably only these
// permissions, not cell visibility labels, limit who can read them; keep this mode confined to
// test fixtures.
final Path openDir = new Path("testAccessCase");
final FileSystem fs = openDir.getFileSystem(UTIL.getConfiguration());
fs.mkdirs(openDir);
fs.setPermission(openDir, new FsPermission(FsAction.ALL, FsAction.ALL, FsAction.ALL));
final Path output = fs.makeQualified(new Path(openDir, "output"));
// Export the table, passing the current label set as a comma-separated property value.
AccessTestAction exportAction = () -> {
StringBuilder buf = new StringBuilder();
labels.forEach(v -> buf.append(v).append(","));
// Drops the trailing comma; relies on every label list above being non-empty.
buf.deleteCharAt(buf.length() - 1);
try {
// NOTE(review): "-D " (with a space) and the property travel as one argument here, while the
// import below uses "-D" with no space; confirm the option parser accepts both forms.
String[] args = new String[] { "-D " + ExportUtils.EXPORT_VISIBILITY_LABELS + "=" + buf.toString(), exportTable, output.toString() };
Export.run(new Configuration(UTIL.getConfiguration()), args);
return null;
} catch (ServiceException | IOException ex) {
throw ex;
} catch (Throwable ex) {
// Any other Throwable is wrapped so that it fits the action's throws clause.
throw new Exception(ex);
}
};
SecureTestUtil.verifyAllowed(exportAction, getUserByLogin(USER_OWNER));
// Import into a fresh table, renaming the column family from FAMILYA to FAMILYB.
final TableDescriptor importHtd = TableDescriptorBuilder.newBuilder(TableName.valueOf(importTable)).setColumnFamily(ColumnFamilyDescriptorBuilder.of(FAMILYB)).build();
SecureTestUtil.createTable(UTIL, owner, importHtd, new byte[][] { Bytes.toBytes("s") });
AccessTestAction importAction = () -> {
String[] args = new String[] { "-D" + Import.CF_RENAME_PROP + "=" + FAMILYA_STRING + ":" + FAMILYB_STRING, importTable, output.toString() };
// The import tool must finish with exit code 0.
assertEquals(0, ToolRunner.run(new Configuration(UTIL.getConfiguration()), new Import(), args));
return null;
};
SecureTestUtil.verifyAllowed(importAction, getUserByLogin(USER_OWNER));
// Scan the imported table with the same labels and compare the row count with the expectation.
AccessTestAction scanAction = () -> {
Scan scan = new Scan();
scan.setAuthorizations(new Authorizations(labels));
try (Connection conn = ConnectionFactory.createConnection(UTIL.getConfiguration());
Table table = conn.getTable(importHtd.getTableName());
ResultScanner scanner = table.getScanner(scan)) {
int count = 0;
for (Result r : scanner) {
++count;
}
assertEquals(rowCount, count);
}
return null;
};
SecureTestUtil.verifyAllowed(scanAction, getUserByLogin(USER_OWNER));
// Per-iteration cleanup: drop the import table and clear the export output so the next label
// set starts from an empty target.
AccessTestAction deleteAction = () -> {
UTIL.deleteTable(importHtd.getTableName());
return null;
};
SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
clearOutput(output);
}
// Final cleanup: drop the export table that held the labelled source rows.
AccessTestAction deleteAction = () -> {
UTIL.deleteTable(exportHtd.getTableName());
return null;
};
SecureTestUtil.verifyAllowed(deleteAction, getUserByLogin(USER_OWNER));
}
use of org.apache.hadoop.hbase.security.visibility.Authorizations in project hbase by apache.
the class ProtobufUtil method toAuthorizations.
/**
 * Parses serialized protocol buffer Authorizations and converts them to the client-side
 * {@link Authorizations} type.
 *
 * @param protoBytes the serialized protobuf Authorizations message; may be {@code null}
 * @return the converted client Authorizations, or {@code null} when {@code protoBytes} is
 *         {@code null}, so callers must null-check before reading labels
 * @throws DeserializationException if merging the bytes into the builder fails with an
 *         {@link IOException}; the original exception is kept as the cause
 */
public static Authorizations toAuthorizations(byte[] protoBytes) throws DeserializationException {
  if (protoBytes == null) {
    return null;
  }
  final ClientProtos.Authorizations.Builder authBuilder = ClientProtos.Authorizations.newBuilder();
  final ClientProtos.Authorizations parsed;
  try {
    ProtobufUtil.mergeFrom(authBuilder, protoBytes);
    parsed = authBuilder.build();
  } catch (IOException ioe) {
    // Surface parse failures as the checked deserialization error callers expect.
    throw new DeserializationException(ioe);
  }
  // Delegate to the overload that takes the parsed message.
  return toAuthorizations(parsed);
}
use of org.apache.hadoop.hbase.security.visibility.Authorizations in project hbase by apache.
the class TestImportTSVWithVisibilityLabels method issueDeleteAndVerifyData.
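/**
 * Deletes the family of row "KEY" under the visibility expression "private&secret" and then
 * verifies that a scan of that family, issued with the "secret" and "private" authorizations,
 * returns no results. The delete-and-scan cycle is retried when a NullPointerException is
 * raised, sleeping for the configured client pause between attempts.
 *
 * <p>NOTE(review): an empty scan result is presumably also what a caller whose effective
 * labels do not cover the cells would see, so this check relies on the test user actually
 * holding both labels; confirm in the test setup.
 *
 * @param tableName the table to delete from and scan
 * @throws IOException if opening the table, the delete, the scan or closing the table fails
 */
private void issueDeleteAndVerifyData(TableName tableName) throws IOException {
  LOG.debug("Validating table after delete.");
  boolean verified = false;
  long pause = conf.getLong("hbase.client.pause", 5 * 1000);
  int numRetries = conf.getInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 5);
  // try-with-resources releases the table handle even when an assertion or IOException escapes.
  try (Table table = util.getConnection().getTable(tableName)) {
    for (int i = 0; i < numRetries; i++) {
      try {
        Delete d = new Delete(Bytes.toBytes("KEY"));
        d.addFamily(Bytes.toBytes(FAMILY));
        d.setCellVisibility(new CellVisibility("private&secret"));
        table.delete(d);
        Scan scan = new Scan();
        // Scan entire family.
        scan.addFamily(Bytes.toBytes(FAMILY));
        scan.setAuthorizations(new Authorizations("secret", "private"));
        // The scanner is closed on every attempt instead of being left open.
        try (ResultScanner resScanner = table.getScanner(scan)) {
          Result[] next = resScanner.next(5);
          assertEquals(0, next.length);
        }
        verified = true;
        break;
      } catch (NullPointerException e) {
        // If here, a cell was empty. Presume it's because updates came in
        // after the scanner had been opened. Wait a while and retry.
      }
      try {
        Thread.sleep(pause);
      } catch (InterruptedException e) {
        // Deliberately ignored: move on to the next attempt.
      }
    }
  }
  assertTrue(verified);
}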
use of org.apache.hadoop.hbase.security.visibility.Authorizations in project hbase by apache.
the class TestGet method TestGetRowFromGetCopyConstructor.
/**
 * Checks that the {@code Get(Get)} copy constructor carries over every field configured on the
 * source, including the security-relevant ones: the visibility {@link Authorizations} and the
 * ACL.
 */
@Test
public void TestGetRowFromGetCopyConstructor() throws Exception {
  // Populate the source Get with a value for each field the copy is expected to preserve.
  final Get source = new Get(ROW);
  source.setFilter(null);
  source.setAuthorizations(new Authorizations("foo"));
  source.setACL("u", new Permission(Permission.Action.READ));
  source.setConsistency(Consistency.TIMELINE);
  source.setReplicaId(2);
  source.setIsolationLevel(IsolationLevel.READ_UNCOMMITTED);
  source.setCheckExistenceOnly(true);
  source.setTimeRange(3, 4);
  source.readVersions(11);
  source.setMaxResultsPerColumnFamily(10);
  source.setRowOffsetPerColumnFamily(11);
  source.setCacheBlocks(true);

  final Get duplicate = new Get(source);

  final int rowComparison = Bytes.compareTo(source.getRow(), duplicate.getRow());
  assertEquals(0, rowComparison);

  // Inherited from OperationWithAttributes.
  assertEquals(source.getId(), duplicate.getId());

  // Inherited from Query.
  assertEquals(source.getFilter(), duplicate.getFilter());
  // Authorizations are compared through their string form only.
  final String sourceAuths = source.getAuthorizations().toString();
  final String duplicateAuths = duplicate.getAuthorizations().toString();
  assertTrue(sourceAuths.equals(duplicateAuths));
  final boolean sameAcl = Bytes.equals(source.getACL(), duplicate.getACL());
  assertTrue(sameAcl);
  assertEquals(source.getConsistency(), duplicate.getConsistency());
  assertEquals(source.getReplicaId(), duplicate.getReplicaId());
  assertEquals(source.getIsolationLevel(), duplicate.getIsolationLevel());

  // Declared on Get itself.
  assertEquals(source.isCheckExistenceOnly(), duplicate.isCheckExistenceOnly());
  final boolean sameTimeRange = source.getTimeRange().equals(duplicate.getTimeRange());
  assertTrue(sameTimeRange);
  assertEquals(source.getMaxVersions(), duplicate.getMaxVersions());
  assertEquals(source.getMaxResultsPerColumnFamily(), duplicate.getMaxResultsPerColumnFamily());
  assertEquals(source.getRowOffsetPerColumnFamily(), duplicate.getRowOffsetPerColumnFamily());
  assertEquals(source.getCacheBlocks(), duplicate.getCacheBlocks());
  assertEquals(source.getId(), duplicate.getId());
}
use of org.apache.hadoop.hbase.security.visibility.Authorizations in project hbase by apache.
the class TestImmutableScan method testScanCopyConstructor.
/**
 * Builds a {@code Scan} with a value set through each setter in the chain below, wraps it in
 * an {@code ImmutableScan}, and asserts that every getter on the wrapper returns the same value
 * as the original. This includes the security-relevant ACL and visibility
 * {@link Authorizations}, so a wrapper that dropped either would fail here.
 */
@Test
public void testScanCopyConstructor() throws Exception {
Scan scan = new Scan();
// NOTE(review): withStartRow/withStopRow are called after setRowPrefixFilter, so the call order
// in this chain presumably matters; keep it as is.
scan.addColumn(Bytes.toBytes("cf"), Bytes.toBytes("q")).setACL("test_user2", new Permission(Permission.Action.READ)).setAllowPartialResults(true).setAsyncPrefetch(false).setAttribute("test_key", Bytes.toBytes("test_value")).setAuthorizations(new Authorizations("test_label")).setBatch(10).setCacheBlocks(false).setCaching(10).setConsistency(Consistency.TIMELINE).setFilter(new FilterList()).setId("scan_copy_constructor").setIsolationLevel(IsolationLevel.READ_COMMITTED).setLimit(100).setLoadColumnFamiliesOnDemand(false).setMaxResultSize(100).setMaxResultsPerColumnFamily(1000).readVersions(9999).setMvccReadPoint(5).setNeedCursorResult(true).setPriority(1).setRaw(true).setReplicaId(3).setReversed(true).setRowOffsetPerColumnFamily(5).setRowPrefixFilter(Bytes.toBytes("row_")).setScanMetricsEnabled(true).setReadType(Scan.ReadType.STREAM).withStartRow(Bytes.toBytes("row_1")).withStopRow(Bytes.toBytes("row_2")).setTimeRange(0, 13);
// create a copy of existing scan object
Scan scanCopy = new ImmutableScan(scan);
// validate fields of copied scan object match with the original scan object
// The ACL is compared as a byte array.
assertArrayEquals(scan.getACL(), scanCopy.getACL());
assertEquals(scan.getAllowPartialResults(), scanCopy.getAllowPartialResults());
assertArrayEquals(scan.getAttribute("test_key"), scanCopy.getAttribute("test_key"));
assertEquals(scan.getAttributeSize(), scanCopy.getAttributeSize());
assertEquals(scan.getAttributesMap(), scanCopy.getAttributesMap());
// Visibility labels are compared through getLabels().
assertEquals(scan.getAuthorizations().getLabels(), scanCopy.getAuthorizations().getLabels());
assertEquals(scan.getBatch(), scanCopy.getBatch());
assertEquals(scan.getCacheBlocks(), scanCopy.getCacheBlocks());
assertEquals(scan.getCaching(), scanCopy.getCaching());
assertEquals(scan.getConsistency(), scanCopy.getConsistency());
assertEquals(scan.getFamilies().length, scanCopy.getFamilies().length);
assertArrayEquals(scan.getFamilies()[0], scanCopy.getFamilies()[0]);
assertEquals(scan.getFamilyMap(), scanCopy.getFamilyMap());
assertEquals(scan.getFilter(), scanCopy.getFilter());
assertEquals(scan.getId(), scanCopy.getId());
assertEquals(scan.getIsolationLevel(), scanCopy.getIsolationLevel());
assertEquals(scan.getLimit(), scanCopy.getLimit());
assertEquals(scan.getLoadColumnFamiliesOnDemandValue(), scanCopy.getLoadColumnFamiliesOnDemandValue());
assertEquals(scan.getMaxResultSize(), scanCopy.getMaxResultSize());
assertEquals(scan.getMaxResultsPerColumnFamily(), scanCopy.getMaxResultsPerColumnFamily());
assertEquals(scan.getMaxVersions(), scanCopy.getMaxVersions());
assertEquals(scan.getMvccReadPoint(), scanCopy.getMvccReadPoint());
assertEquals(scan.getPriority(), scanCopy.getPriority());
assertEquals(scan.getReadType(), scanCopy.getReadType());
assertEquals(scan.getReplicaId(), scanCopy.getReplicaId());
assertEquals(scan.getRowOffsetPerColumnFamily(), scanCopy.getRowOffsetPerColumnFamily());
assertArrayEquals(scan.getStartRow(), scanCopy.getStartRow());
assertArrayEquals(scan.getStopRow(), scanCopy.getStopRow());
assertEquals(scan.getTimeRange(), scanCopy.getTimeRange());
// The serialized and printable views must match as well.
assertEquals(scan.getFingerprint(), scanCopy.getFingerprint());
assertEquals(scan.toMap(1), scanCopy.toMap(1));
assertEquals(scan.toString(2), scanCopy.toString(2));
assertEquals(scan.toJSON(2), scanCopy.toJSON(2));
LOG.debug("Compare all getters of scan and scanCopy.");
// Both helpers are defined outside this listing; going by their names they compare every getter
// and check that the wrapper's setters reject changes. TODO confirm against their definitions.
compareGetters(scan, scanCopy);
testUnmodifiableSetters(scanCopy);
}