Search in sources :

Example 6 with GetAuthsResponse

use of org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse in project hbase by apache.

the class TestVisibilityLabelsOpWithDifferentUsersNoACL method testLabelsTableOpsWithDifferentUsers.

@Test
public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
    PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    VisibilityLabelsResponse response = SUPERUSER.runAs(action);
    assertTrue(response.getResult(0).getException().getValue().isEmpty());
    assertTrue(response.getResult(1).getException().getValue().isEmpty());
    // Ideally this should not be allowed.  this operation should fail or do nothing.
    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user3");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    response = NORMAL_USER1.runAs(action);
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
    PrivilegedExceptionAction<GetAuthsResponse> action1 = new PrivilegedExceptionAction<GetAuthsResponse>() {

        @Override
        public GetAuthsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.getAuths(conn, "user1");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
    assertTrue(authsResponse.getAuthList().isEmpty());
    authsResponse = NORMAL_USER1.runAs(action1);
    assertTrue(authsResponse.getAuthList().isEmpty());
    authsResponse = SUPERUSER.runAs(action1);
    List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
    for (ByteString authBS : authsResponse.getAuthList()) {
        authsList.add(Bytes.toString(authBS.toByteArray()));
    }
    assertEquals(2, authsList.size());
    assertTrue(authsList.contains(CONFIDENTIAL));
    assertTrue(authsList.contains(PRIVATE));
    PrivilegedExceptionAction<VisibilityLabelsResponse> action2 = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    response = NORMAL_USER1.runAs(action2);
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
    response = SUPERUSER.runAs(action2);
    assertTrue(response.getResult(0).getException().getValue().isEmpty());
    assertTrue(response.getResult(1).getException().getValue().isEmpty());
    authsResponse = SUPERUSER.runAs(action1);
    assertTrue(authsResponse.getAuthList().isEmpty());
}
Also used : ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString) Connection(org.apache.hadoop.hbase.client.Connection) ArrayList(java.util.ArrayList) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString) IOException(java.io.IOException) GetAuthsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse) VisibilityLabelsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse) Test(org.junit.Test)

Example 7 with GetAuthsResponse

use of org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse in project hbase by apache.

the class TestVisibilityLabelsWithACL method testLabelsTableOpsWithDifferentUsers.

@Test
public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
    PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.addLabels(conn, new String[] { "l1", "l2" });
            } catch (Throwable e) {
            }
            return null;
        }
    };
    VisibilityLabelsResponse response = NORMAL_USER1.runAs(action);
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    response = NORMAL_USER1.runAs(action);
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    response = SUPERUSER.runAs(action);
    assertTrue(response.getResult(0).getException().getValue().isEmpty());
    assertTrue(response.getResult(1).getException().getValue().isEmpty());
    action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {

        @Override
        public VisibilityLabelsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    response = NORMAL_USER1.runAs(action);
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(0).getException().getName());
    assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response.getResult(1).getException().getName());
    response = VisibilityClient.clearAuths(TEST_UTIL.getConnection(), new String[] { CONFIDENTIAL, PRIVATE }, "user1");
    assertTrue(response.getResult(0).getException().getValue().isEmpty());
    assertTrue(response.getResult(1).getException().getValue().isEmpty());
    VisibilityClient.setAuths(TEST_UTIL.getConnection(), new String[] { CONFIDENTIAL, PRIVATE }, "user3");
    PrivilegedExceptionAction<GetAuthsResponse> action1 = new PrivilegedExceptionAction<GetAuthsResponse>() {

        @Override
        public GetAuthsResponse run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                return VisibilityClient.getAuths(conn, "user3");
            } catch (Throwable e) {
            }
            return null;
        }
    };
    GetAuthsResponse authsResponse = NORMAL_USER1.runAs(action1);
    assertNull(authsResponse);
    authsResponse = SUPERUSER.runAs(action1);
    List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
    for (ByteString authBS : authsResponse.getAuthList()) {
        authsList.add(Bytes.toString(authBS.toByteArray()));
    }
    assertEquals(2, authsList.size());
    assertTrue(authsList.contains(CONFIDENTIAL));
    assertTrue(authsList.contains(PRIVATE));
}
Also used : ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString) Connection(org.apache.hadoop.hbase.client.Connection) ArrayList(java.util.ArrayList) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString) IOException(java.io.IOException) GetAuthsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse) VisibilityLabelsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse) Test(org.junit.Test)

Example 8 with GetAuthsResponse

use of org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse in project hbase by apache.

the class TestVisibilityLablesWithGroups method testGroupAuths.

@Test
public void testGroupAuths() throws Exception {
    final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
    // create the table
    TEST_UTIL.createTable(tableName, CF);
    // put the data.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(conf);
                Table table = connection.getTable(tableName)) {
                Put put = new Put(ROW_1);
                put.addColumn(CF, Q1, HConstants.LATEST_TIMESTAMP, value1);
                put.setCellVisibility(new CellVisibility(SECRET));
                table.put(put);
                put = new Put(ROW_1);
                put.addColumn(CF, Q2, HConstants.LATEST_TIMESTAMP, value2);
                put.setCellVisibility(new CellVisibility(CONFIDENTIAL));
                table.put(put);
                put = new Put(ROW_1);
                put.addColumn(CF, Q3, HConstants.LATEST_TIMESTAMP, value3);
                table.put(put);
            }
            return null;
        }
    });
    // 'admin' user is part of 'supergroup', thus can see all the cells.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(conf);
                Table table = connection.getTable(tableName)) {
                Scan s = new Scan();
                ResultScanner scanner = table.getScanner(s);
                Result[] next = scanner.next(1);
                // Test that super user can see all the cells.
                assertTrue(next.length == 1);
                CellScanner cellScanner = next[0].cellScanner();
                cellScanner.advance();
                Cell current = cellScanner.current();
                assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q1, 0, Q1.length));
                assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value1, 0, value1.length));
                cellScanner.advance();
                current = cellScanner.current();
                assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q2, 0, Q2.length));
                assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value2, 0, value2.length));
                cellScanner.advance();
                current = cellScanner.current();
                assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q3, 0, Q3.length));
                assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value3, 0, value3.length));
            }
            return null;
        }
    });
    // Get testgroup's labels.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            GetAuthsResponse authsResponse = null;
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                authsResponse = VisibilityClient.getAuths(conn, "@testgroup");
            } catch (Throwable e) {
                fail("Should not have failed");
            }
            List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
            for (ByteString authBS : authsResponse.getAuthList()) {
                authsList.add(Bytes.toString(authBS.toByteArray()));
            }
            assertEquals(1, authsList.size());
            assertTrue(authsList.contains(CONFIDENTIAL));
            return null;
        }
    });
    // Test that test user can see what 'testgroup' has been authorized to.
    TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(conf);
                Table table = connection.getTable(tableName)) {
                // Test scan with no auth attribute
                Scan s = new Scan();
                ResultScanner scanner = table.getScanner(s);
                Result[] next = scanner.next(1);
                assertTrue(next.length == 1);
                CellScanner cellScanner = next[0].cellScanner();
                cellScanner.advance();
                Cell current = cellScanner.current();
                // test user can see value2 (CONFIDENTIAL) and value3 (no label)
                assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q2, 0, Q2.length));
                assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value2, 0, value2.length));
                cellScanner.advance();
                current = cellScanner.current();
                // test user can see value2 (CONFIDENTIAL) and value3 (no label)
                assertTrue(Bytes.equals(current.getRowArray(), current.getRowOffset(), current.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), Q3, 0, Q3.length));
                assertTrue(Bytes.equals(current.getValueArray(), current.getValueOffset(), current.getValueLength(), value3, 0, value3.length));
                // Test scan with correct auth attribute for test user
                Scan s1 = new Scan();
                // test user is entitled to 'CONFIDENTIAL'.
                // If we set both labels in the scan, 'SECRET' will be dropped by the SLGs.
                s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
                ResultScanner scanner1 = table.getScanner(s1);
                Result[] next1 = scanner1.next(1);
                assertTrue(next1.length == 1);
                CellScanner cellScanner1 = next1[0].cellScanner();
                cellScanner1.advance();
                Cell current1 = cellScanner1.current();
                // test user can see value2 (CONFIDENTIAL) and value3 (no label)
                assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q2, 0, Q2.length));
                assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value2, 0, value2.length));
                cellScanner1.advance();
                current1 = cellScanner1.current();
                // test user can see value2 (CONFIDENTIAL) and value3 (no label)
                assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q3, 0, Q3.length));
                assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value3, 0, value3.length));
                // Test scan with incorrect auth attribute for test user
                Scan s2 = new Scan();
                // test user is entitled to 'CONFIDENTIAL'.
                // If we set 'SECRET', it will be dropped by the SLGs.
                s2.setAuthorizations(new Authorizations(new String[] { SECRET }));
                ResultScanner scanner2 = table.getScanner(s2);
                Result next2 = scanner2.next();
                CellScanner cellScanner2 = next2.cellScanner();
                cellScanner2.advance();
                Cell current2 = cellScanner2.current();
                // This scan will only see value3 (no label)
                assertTrue(Bytes.equals(current2.getRowArray(), current2.getRowOffset(), current2.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current2.getQualifierArray(), current2.getQualifierOffset(), current2.getQualifierLength(), Q3, 0, Q3.length));
                assertTrue(Bytes.equals(current2.getValueArray(), current2.getValueOffset(), current2.getValueLength(), value3, 0, value3.length));
                assertFalse(cellScanner2.advance());
            }
            return null;
        }
    });
    // Clear 'testgroup' of CONFIDENTIAL label.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            VisibilityLabelsResponse response = null;
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                response = VisibilityClient.clearAuths(conn, new String[] { CONFIDENTIAL }, "@testgroup");
            } catch (Throwable e) {
                fail("Should not have failed");
            }
            return null;
        }
    });
    // Get testgroup's labels.  No label is returned.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            GetAuthsResponse authsResponse = null;
            try (Connection conn = ConnectionFactory.createConnection(conf)) {
                authsResponse = VisibilityClient.getAuths(conn, "@testgroup");
            } catch (Throwable e) {
                fail("Should not have failed");
            }
            List<String> authsList = new ArrayList<>(authsResponse.getAuthList().size());
            for (ByteString authBS : authsResponse.getAuthList()) {
                authsList.add(Bytes.toString(authBS.toByteArray()));
            }
            assertEquals(0, authsList.size());
            return null;
        }
    });
    // Test that test user cannot see the cells with the labels anymore.
    TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(conf);
                Table table = connection.getTable(tableName)) {
                Scan s1 = new Scan();
                // test user is not entitled to 'CONFIDENTIAL' anymore since we dropped
                // testgroup's label.  test user has no auth labels now.
                // scan's labels will be dropped on the server side.
                s1.setAuthorizations(new Authorizations(new String[] { SECRET, CONFIDENTIAL }));
                ResultScanner scanner1 = table.getScanner(s1);
                Result[] next1 = scanner1.next(1);
                assertTrue(next1.length == 1);
                CellScanner cellScanner1 = next1[0].cellScanner();
                cellScanner1.advance();
                Cell current1 = cellScanner1.current();
                // test user can only see value3 (no label)
                assertTrue(Bytes.equals(current1.getRowArray(), current1.getRowOffset(), current1.getRowLength(), ROW_1, 0, ROW_1.length));
                assertTrue(Bytes.equals(current1.getQualifierArray(), current1.getQualifierOffset(), current1.getQualifierLength(), Q3, 0, Q3.length));
                assertTrue(Bytes.equals(current1.getValueArray(), current1.getValueOffset(), current1.getValueLength(), value3, 0, value3.length));
                assertFalse(cellScanner1.advance());
            }
            return null;
        }
    });
}
Also used : Table(org.apache.hadoop.hbase.client.Table) ResultScanner(org.apache.hadoop.hbase.client.ResultScanner) ByteString(org.apache.hbase.thirdparty.com.google.protobuf.ByteString) Connection(org.apache.hadoop.hbase.client.Connection) CellScanner(org.apache.hadoop.hbase.CellScanner) IOException(java.io.IOException) Put(org.apache.hadoop.hbase.client.Put) Result(org.apache.hadoop.hbase.client.Result) TableName(org.apache.hadoop.hbase.TableName) GetAuthsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse) Scan(org.apache.hadoop.hbase.client.Scan) ArrayList(java.util.ArrayList) List(java.util.List) Cell(org.apache.hadoop.hbase.Cell) VisibilityLabelsResponse(org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse) Test(org.junit.Test)

Aggregations

GetAuthsResponse (org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse)8 ByteString (org.apache.hbase.thirdparty.com.google.protobuf.ByteString)7 IOException (java.io.IOException)6 ArrayList (java.util.ArrayList)6 Connection (org.apache.hadoop.hbase.client.Connection)6 Test (org.junit.Test)6 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)5 Table (org.apache.hadoop.hbase.client.Table)4 VisibilityLabelsResponse (org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse)4 List (java.util.List)3 Result (org.apache.hadoop.hbase.client.Result)3 ResultScanner (org.apache.hadoop.hbase.client.ResultScanner)3 Scan (org.apache.hadoop.hbase.client.Scan)3 RegionActionResult (org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.RegionActionResult)2 Cell (org.apache.hadoop.hbase.Cell)1 CellScanner (org.apache.hadoop.hbase.CellScanner)1 DoNotRetryIOException (org.apache.hadoop.hbase.DoNotRetryIOException)1 TableName (org.apache.hadoop.hbase.TableName)1 Put (org.apache.hadoop.hbase.client.Put)1 Batch (org.apache.hadoop.hbase.client.coprocessor.Batch)1