Example 6 with GetAuthsResponse
use of org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse in project hbase by apache.
the class TestVisibilityLabelsOpWithDifferentUsersNoACL method testLabelsTableOpsWithDifferentUsers.
@Test
public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
} catch (Throwable e) {
}
return null;
}
};
VisibilityLabelsResponse response = SUPERUSER.runAs(action);
assertTrue(response.getResult(0).getException().getValue().isEmpty());
assertTrue(response.getResult(1).getException().getValue().isEmpty());
// Ideally this should not be allowed. this operation should fail or do nothing.
action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user3");
} catch (Throwable e) {
}
return null;
}
};
response = NORMAL_USER1.runAs(action);
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
PrivilegedExceptionAction<GetAuthsResponse> action1 = new PrivilegedExceptionAction<GetAuthsResponse>() {
@Override
public GetAuthsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.getAuths(conn, "user1");
} catch (Throwable e) {
}
return null;
}
};
GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
assertTrue(authsResponse.getAuthList().isEmpty());
authsResponse = NORMAL_USER1.runAs(action1);
assertTrue(authsResponse.getAuthList().isEmpty());
authsResponse = SUPERUSER.runAs(action1);
List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
for (ByteString authBS : authsResponse.getAuthList()) {
authsList.add(Bytes.toString(authBS.toByteArray()));
}
assertEquals(2, authsList.size());
assertTrue(authsList.contains(CONFIDENTIAL));
assertTrue(authsList.contains(PRIVATE));
PrivilegedExceptionAction<VisibilityLabelsResponse> action2 = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
} catch (Throwable e) {
}
return null;
}
};
response = NORMAL_USER1.runAs(action2);
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
response = SUPERUSER.runAs(action2);
assertTrue(response.getResult(0).getException().getValue().isEmpty());
assertTrue(response.getResult(1).getException().getValue().isEmpty());
authsResponse = SUPERUSER.runAs(action1);
assertTrue(authsResponse.getAuthList().isEmpty());
}
Also used :
ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString)
Connection(org.apache.hadoop.hbase.client.Connection)
ArrayList(java.util.ArrayList)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString)
IOException(java.io.IOException)
GetAuthsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)
VisibilityLabelsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Test(org.junit.Test)
Example 7 with GetAuthsResponse
use of org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse in project hbase by apache.
the class TestVisibilityLabelsWithACL method testLabelsTableOpsWithDifferentUsers.
@Test
public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.addLabels(conn, new String[] { "l1", "l2" });
} catch (Throwable e) {
}
return null;
}
};
VisibilityLabelsResponse response = NORMAL_USER1.runAs(action);
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
} catch (Throwable e) {
}
return null;
}
};
response = NORMAL_USER1.runAs(action);
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
} catch (Throwable e) {
}
return null;
}
};
response = SUPERUSER.runAs(action);
assertTrue(response.getResult(0).getException().getValue().isEmpty());
assertTrue(response.getResult(1).getException().getValue().isEmpty());
action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
@Override
public VisibilityLabelsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
} catch (Throwable e) {
}
return null;
}
};
response = NORMAL_USER1.runAs(action);
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
response = VisibilityClient.clearAuths(TEST_UTIL.getConnection(), new String[] { CONFIDENTIAL, PRIVATE }, "user1");
assertTrue(response.getResult(0).getException().getValue().isEmpty());
assertTrue(response.getResult(1).getException().getValue().isEmpty());
VisibilityClient.setAuths(TEST_UTIL.getConnection(), new String[] { CONFIDENTIAL, PRIVATE }, "user3");
PrivilegedExceptionAction<GetAuthsResponse> action1 = new PrivilegedExceptionAction<GetAuthsResponse>() {
@Override
public GetAuthsResponse run() throws Exception {
try (Connection conn = ConnectionFactory.createConnection(conf)) {
return VisibilityClient.getAuths(conn, "user3");
} catch (Throwable e) {
}
return null;
}
};
GetAuthsResponse authsResponse = NORMAL_USER1.runAs(action1);
assertNull(authsResponse);
authsResponse = SUPERUSER.runAs(action1);
List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
for (ByteString authBS : authsResponse.getAuthList()) {
authsList.add(Bytes.toString(authBS.toByteArray()));
}
assertEquals(2, authsList.size());
assertTrue(authsList.contains(CONFIDENTIAL));
assertTrue(authsList.contains(PRIVATE));
}
Also used :
ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString)
Connection(org.apache.hadoop.hbase.client.Connection)
ArrayList(java.util.ArrayList)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString)
IOException(java.io.IOException)
GetAuthsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)
VisibilityLabelsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Test(org.junit.Test)
Example 8 with GetAuthsResponse
use of org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse in project hbase by apache.
the class TestVisibilityLablesWithGroups method testGroupAuths.
@Test
public void testGroupAuths() throws Exception {
final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
// create the table
TEST_UTIL.createTable(tableName, CF);
// put the data.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Put put = new Put(ROW_1);
put.addColumn(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
put.setCellVisibility(new CellVisibility(SECRET));
table.put(put);
put = new Put(ROW_1);
put.addColumn(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
table.put(put);
put = new Put(ROW_1);
put.addColumn(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
table.put(put);
}
return null;
}
});
// 'admin' user is part of 'supergroup', thus can see all the cells.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Scan s = new Scan();
ResultScanner scanner = table.getScanner(s);
Result[] next = scanner.next(1);
// Test that super user can see all the cells.
assertTrue(next.length == 1);
CellScanner cellScanner = next[0].cellScanner();
cellScanner.advance();
Cell current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q1, 0, Q1.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value1, 0, value1.length));
cellScanner.advance();
current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q2, 0, Q2.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value2, 0, value2.length));
cellScanner.advance();
current = cellScanner.current();
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value3, 0, value3.length));
}
return null;
}
});
// Get testgroup's labels.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
GetAuthsResponse authsResponse = null;
try (Connection conn = ConnectionFactory.createConnection(conf)) {
authsResponse = VisibilityClient.getAuths(conn, "@testgroup");
} catch (Throwable e) {
fail("Should not have failed");
}
List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
for (ByteString authBS : authsResponse.getAuthList()) {
authsList.add(Bytes.toString(authBS.toByteArray()));
}
assertEquals(1, authsList.size());
assertTrue(authsList.contains(CONFIDENTIAL));
return null;
}
});
// Test that test user can see what 'testgroup' has been authorized to.
TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
// Test scan with no auth attribute
Scan s = new Scan();
ResultScanner scanner = table.getScanner(s);
Result[] next = scanner.next(1);
assertTrue(next.length == 1);
CellScanner cellScanner = next[0].cellScanner();
cellScanner.advance();
Cell current = cellScanner.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q2, 0, Q2.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value2, 0, value2.length));
cellScanner.advance();
current = cellScanner.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value3, 0, value3.length));
// Test scan with correct auth attribute for test user
Scan s1 = new Scan();
// test user is entitled to 'CONFIDENTIAL'.
// If we set both labels in the scan, 'SECRET' will be dropped by the SLGs.
s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
ResultScanner scanner1 = table.getScanner(s1);
Result[] next1 = scanner1.next(1);
assertTrue(next1.length == 1);
CellScanner cellScanner1 = next1[0].cellScanner();
cellScanner1.advance();
Cell current1 = cellScanner1.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q2, 0, Q2.length));
assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value2, 0, value2.length));
cellScanner1.advance();
current1 = cellScanner1.current();
// test user can see value2 (CONFIDENTIAL) and value3 (no label)
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value3, 0, value3.length));
// Test scan with incorrect auth attribute for test user
Scan s2 = new Scan();
// test user is entitled to 'CONFIDENTIAL'.
// If we set 'SECRET', it will be dropped by the SLGs.
s2.setAuthorizations(new Authorizations(new String[] { SECRET }));
ResultScanner scanner2 = table.getScanner(s2);
Result next2 = scanner2.next();
CellScanner cellScanner2 = next2.cellScanner();
cellScanner2.advance();
Cell current2 = cellScanner2.current();
// This scan will only see value3 (no label)
assertTrue(Bytes.equals(current2.getRowArray(), current2.getRowOffset(), current2.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current2.getQualifierArray(), current2.getQualifierOffset(), current2.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current2.getValueArray(), current2.getValueOffset(), current2.getValueLength(), value3, 0, value3.length));
assertFalse(cellScanner2.advance());
}
return null;
}
});
// Clear 'testgroup' of CONFIDENTIAL label.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
VisibilityLabelsResponse response = null;
try (Connection conn = ConnectionFactory.createConnection(conf)) {
response = VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL }, "@testgroup");
} catch (Throwable e) {
fail("Should not have failed");
}
return null;
}
});
// Get testgroup's labels. No label is returned.
SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
GetAuthsResponse authsResponse = null;
try (Connection conn = ConnectionFactory.createConnection(conf)) {
authsResponse = VisibilityClient.getAuths(conn, "@testgroup");
} catch (Throwable e) {
fail("Should not have failed");
}
List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
for (ByteString authBS : authsResponse.getAuthList()) {
authsList.add(Bytes.toString(authBS.toByteArray()));
}
assertEquals(0, authsList.size());
return null;
}
});
// Test that test user cannot see the cells with the labels anymore.
TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (Connection connection = ConnectionFactory.createConnection(conf);
Table table = connection.getTable(tableName)) {
Scan s1 = new Scan();
// test user is not entitled to 'CONFIDENTIAL' anymore since we dropped
// testgroup's label. test user has no auth labels now.
// scan's labels will be dropped on the server side.
s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
ResultScanner scanner1 = table.getScanner(s1);
Result[] next1 = scanner1.next(1);
assertTrue(next1.length == 1);
CellScanner cellScanner1 = next1[0].cellScanner();
cellScanner1.advance();
Cell current1 = cellScanner1.current();
// test user can only see value3 (no label)
assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q3, 0, Q3.length));
assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value3, 0, value3.length));
assertFalse(cellScanner1.advance());
}
return null;
}
});
}
Also used :
Table(org.apache.hadoop.hbase.client.Table)
ResultScanner(org.apache.hadoop.hbase.client.ResultScanner)
ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString)
Connection(org.apache.hadoop.hbase.client.Connection)
CellScanner(org.apache.hadoop.hbase.CellScanner)
IOException(java.io.IOException)
Put(org.apache.hadoop.hbase.client.Put)
Result(org.apache.hadoop.hbase.client.Result)
TableName(org.apache.hadoop.hbase.TableName)
GetAuthsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)
Scan(org.apache.hadoop.hbase.client.Scan)
ArrayList(java.util.ArrayList)
List(java.util.List)
Cell(org.apache.hadoop.hbase.Cell)
VisibilityLabelsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)
Test(org.junit.Test)
Aggregations
GetAuthsResponse (org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)8
ByteString (org.apache.hbase.thirdparty.com.google.protobuf.ByteString)7
IOException (java.io.IOException)6
ArrayList (java.util.ArrayList)6
Connection (org.apache.hadoop.hbase.client.Connection)6
Test (org.junit.Test)6
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)5
Table (org.apache.hadoop.hbase.client.Table)4
VisibilityLabelsResponse (org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)4
List (java.util.List)3
Result (org.apache.hadoop.hbase.client.Result)3
ResultScanner (org.apache.hadoop.hbase.client.ResultScanner)3
Scan (org.apache.hadoop.hbase.client.Scan)3
RegionActionResult (org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.RegionActionResult)2
Cell (org.apache.hadoop.hbase.Cell)1
CellScanner (org.apache.hadoop.hbase.CellScanner)1
DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)1
TableName (org.apache.hadoop.hbase.TableName)1
Put (org.apache.hadoop.hbase.client.Put)1
Batch (org.apache.hadoop.hbase.client.coprocessor.Batch)1
