Example 1 with BUCKET
use of org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET in project ozone by apache.
the class TestOzoneNativeAuthorizer method resetAclsAndValidateAccess.
private void resetAclsAndValidateAccess(OzoneObj obj, ACLIdentityType accessType, OzoneManagerProtocol aclImplementor) throws IOException {
List<OzoneAcl> acls;
String user = testUgi.getUserName();
String group = (testUgi.getGroups().size() > 0) ? testUgi.getGroups().get(0) : "";
RequestContext.Builder builder = new RequestContext.Builder().setClientUgi(testUgi).setAclType(accessType);
// Get all acls.
List<ACLType> allAcls = Arrays.stream(ACLType.values()).collect(Collectors.toList());
/**
* 1. Reset default acls to an acl.
* 2. Test if user/group has access only to it.
* 3. Add remaining acls one by one and then test
* if user/group has access to them.
*/
for (ACLType a1 : allAcls) {
OzoneAcl newAcl = new OzoneAcl(accessType, getAclName(accessType), a1, ACCESS);
// Reset acls to only one right.
if (obj.getResourceType() == VOLUME) {
setVolumeAcl(Collections.singletonList(newAcl));
} else if (obj.getResourceType() == BUCKET) {
setBucketAcl(Collections.singletonList(newAcl));
} else {
aclImplementor.setAcl(obj, Collections.singletonList(newAcl));
}
// Fetch current acls and validate.
acls = aclImplementor.getAcl(obj);
assertTrue(acls.size() == 1);
assertTrue(acls.contains(newAcl));
// Special handling for ALL.
if (a1.equals(ALL)) {
validateAll(obj, builder);
continue;
}
// Special handling for NONE.
if (a1.equals(NONE)) {
validateNone(obj, builder);
continue;
}
String msg = "Acl to check:" + a1 + " accessType:" + accessType + " path:" + obj.getPath();
if (a1.equals(CREATE) && obj.getResourceType().equals(VOLUME)) {
assertEquals(msg, nativeAuthorizer.getOzoneAdmins().contains(user), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
} else {
assertEquals(msg, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
}
List<ACLType> aclsToBeValidated = Arrays.stream(ACLType.values()).collect(Collectors.toList());
List<ACLType> aclsToBeAdded = Arrays.stream(ACLType.values()).collect(Collectors.toList());
aclsToBeValidated.remove(NONE);
// Do not validate "WRITE" since write acl type requires object to be
// present in OpenKeyTable.
aclsToBeValidated.remove(WRITE);
aclsToBeValidated.remove(a1);
aclsToBeAdded.remove(NONE);
aclsToBeAdded.remove(ALL);
// AclType "CREATE" is skipped from access check on objects
// since the object will not exist during access check.
aclsToBeAdded.remove(CREATE);
// AclType "WRITE" is removed from being tested here,
// because object must always be present in OpenKeyTable for write
// acl requests. But, here the objects are already committed
// and will move to keyTable.
aclsToBeAdded.remove(WRITE);
// Fetch acls again.
for (ACLType a2 : aclsToBeAdded) {
if (!a2.equals(a1)) {
acls = aclImplementor.getAcl(obj);
List right = acls.stream().map(a -> a.getAclList()).collect(Collectors.toList());
assertFalse("Did not expect client to have " + a2 + " acl. " + "Current acls found:" + right + ". Type:" + accessType + "," + " name:" + (accessType == USER ? user : group), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
// Randomize next type.
int type = RandomUtils.nextInt(0, 3);
ACLIdentityType identityType = ACLIdentityType.values()[type];
// Add remaining acls one by one and then check access.
OzoneAcl addAcl = new OzoneAcl(identityType, getAclName(identityType), a2, ACCESS);
// only DB not cache.
if (obj.getResourceType() == VOLUME) {
addVolumeAcl(addAcl);
} else if (obj.getResourceType() == BUCKET) {
addBucketAcl(addAcl);
} else {
aclImplementor.addAcl(obj, addAcl);
}
// Fetch acls again.
acls = aclImplementor.getAcl(obj);
boolean a2AclFound = false;
boolean a1AclFound = false;
for (OzoneAcl acl : acls) {
if (acl.getAclList().contains(a2)) {
a2AclFound = true;
}
if (acl.getAclList().contains(a1)) {
a1AclFound = true;
}
}
assertTrue("Current acls :" + acls + ". " + "Type:" + accessType + ", name:" + (accessType == USER ? user : group) + " acl:" + a2, a2AclFound);
assertTrue("Expected client to have " + a1 + " acl. Current acls " + "found:" + acls + ". Type:" + accessType + ", name:" + (accessType == USER ? user : group), a1AclFound);
assertEquals("Current acls " + acls + ". Expect acl:" + a2 + " to be set? " + expectedAclResult + " accessType:" + accessType, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
aclsToBeValidated.remove(a2);
for (ACLType a3 : aclsToBeValidated) {
if (!a3.equals(a1) && !a3.equals(a2) && !a3.equals(CREATE)) {
assertFalse("User shouldn't have right " + a3 + ". " + "Current acl rights for user:" + a1 + "," + a2, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a3).build()));
}
}
}
}
}
}
Also used :
HddsProtos(org.apache.hadoop.hdds.protocol.proto.HddsProtos)
Arrays(java.util.Arrays)
VolumeManager(org.apache.hadoop.ozone.om.VolumeManager)
OMRequestTestUtils(org.apache.hadoop.ozone.om.request.OMRequestTestUtils)
OzoneManagerProtocol(org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol)
OmKeyArgs(org.apache.hadoop.ozone.om.helpers.OmKeyArgs)
VOLUME(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.VOLUME)
Optional(com.google.common.base.Optional)
CacheValue(org.apache.hadoop.hdds.utils.db.cache.CacheValue)
ALL(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL)
OzoneAcl(org.apache.hadoop.ozone.OzoneAcl)
Parameterized(org.junit.runners.Parameterized)
USER(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER)
OZONE_METADATA_DIRS(org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS)
OmBucketInfo(org.apache.hadoop.ozone.om.helpers.OmBucketInfo)
BucketManager(org.apache.hadoop.ozone.om.BucketManager)
Collection(java.util.Collection)
Collectors(java.util.stream.Collectors)
List(java.util.List)
ANONYMOUS(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.ANONYMOUS)
PrefixManager(org.apache.hadoop.ozone.om.PrefixManager)
OMException(org.apache.hadoop.ozone.om.exceptions.OMException)
ACLType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType)
OmTestManagers(org.apache.hadoop.ozone.om.OmTestManagers)
Assert.assertFalse(org.junit.Assert.assertFalse)
OZONE_ACL_AUTHORIZER_CLASS_NATIVE(org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE)
GenericTestUtils(org.apache.ozone.test.GenericTestUtils)
CREATE(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.CREATE)
RandomUtils(org.apache.commons.lang3.RandomUtils)
OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration)
OZONE_ADMINISTRATORS(org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS)
OZONE_URI_DELIMITER(org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER)
BeforeClass(org.junit.BeforeClass)
OZONE(org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE)
KeyManager(org.apache.hadoop.ozone.om.KeyManager)
WRITE(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.WRITE)
RunWith(org.junit.runner.RunWith)
ArrayList(java.util.ArrayList)
ACCESS(org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS)
BUCKET(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
OzoneAclUtil(org.apache.hadoop.ozone.om.helpers.OzoneAclUtil)
NONE(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.NONE)
PREFIX(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.PREFIX)
GROUP(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.GROUP)
OpenKeySession(org.apache.hadoop.ozone.om.helpers.OpenKeySession)
Assert.assertTrue(org.junit.Assert.assertTrue)
Test(org.junit.Test)
IOException(java.io.IOException)
WORLD(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.WORLD)
OmVolumeArgs(org.apache.hadoop.ozone.om.helpers.OmVolumeArgs)
File(java.io.File)
KEY(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY)
StandaloneReplicationConfig(org.apache.hadoop.hdds.client.StandaloneReplicationConfig)
CacheKey(org.apache.hadoop.hdds.utils.db.cache.CacheKey)
OZONE_ACL_AUTHORIZER_CLASS(org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS)
Collections(java.util.Collections)
ACLIdentityType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType)
Assert.assertEquals(org.junit.Assert.assertEquals)
OMMetadataManager(org.apache.hadoop.ozone.om.OMMetadataManager)
ACLIdentityType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType)
ACLType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType)
OzoneAcl(org.apache.hadoop.ozone.OzoneAcl)
List(java.util.List)
ArrayList(java.util.ArrayList)
Aggregations
Optional (com.google.common.base.Optional)1
File (java.io.File)1
IOException (java.io.IOException)1
ArrayList (java.util.ArrayList)1
Arrays (java.util.Arrays)1
Collection (java.util.Collection)1
Collections (java.util.Collections)1
List (java.util.List)1
Collectors (java.util.stream.Collectors)1
RandomUtils (org.apache.commons.lang3.RandomUtils)1
OZONE_METADATA_DIRS (org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS)1
StandaloneReplicationConfig (org.apache.hadoop.hdds.client.StandaloneReplicationConfig)1
OzoneConfiguration (org.apache.hadoop.hdds.conf.OzoneConfiguration)1
HddsProtos (org.apache.hadoop.hdds.protocol.proto.HddsProtos)1
CacheKey (org.apache.hadoop.hdds.utils.db.cache.CacheKey)1
CacheValue (org.apache.hadoop.hdds.utils.db.cache.CacheValue)1
OzoneAcl (org.apache.hadoop.ozone.OzoneAcl)1
ACCESS (org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS)1
OZONE_ACL_AUTHORIZER_CLASS (org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS)1
OZONE_ACL_AUTHORIZER_CLASS_NATIVE (org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE)1
