Search in sources :

Example 1 with BUCKET

use of org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET in project ozone by apache.

the class TestOzoneNativeAuthorizer method resetAclsAndValidateAccess.

private void resetAclsAndValidateAccess(OzoneObj obj, ACLIdentityType accessType, OzoneManagerProtocol aclImplementor) throws IOException {
    List<OzoneAcl> acls;
    String user = testUgi.getUserName();
    String group = (testUgi.getGroups().size() > 0) ? testUgi.getGroups().get(0) : "";
    RequestContext.Builder builder = new RequestContext.Builder().setClientUgi(testUgi).setAclType(accessType);
    // Get all acls.
    List<ACLType> allAcls = Arrays.stream(ACLType.values()).collect(Collectors.toList());
    /**
     * 1. Reset default acls to an acl.
     * 2. Test if user/group has access only to it.
     * 3. Add remaining acls one by one and then test
     *    if user/group has access to them.
     */
    for (ACLType a1 : allAcls) {
        OzoneAcl newAcl = new OzoneAcl(accessType, getAclName(accessType), a1, ACCESS);
        // Reset acls to only one right.
        if (obj.getResourceType() == VOLUME) {
            setVolumeAcl(Collections.singletonList(newAcl));
        } else if (obj.getResourceType() == BUCKET) {
            setBucketAcl(Collections.singletonList(newAcl));
        } else {
            aclImplementor.setAcl(obj, Collections.singletonList(newAcl));
        }
        // Fetch current acls and validate.
        acls = aclImplementor.getAcl(obj);
        assertTrue(acls.size() == 1);
        assertTrue(acls.contains(newAcl));
        // Special handling for ALL.
        if (a1.equals(ALL)) {
            validateAll(obj, builder);
            continue;
        }
        // Special handling for NONE.
        if (a1.equals(NONE)) {
            validateNone(obj, builder);
            continue;
        }
        String msg = "Acl to check:" + a1 + " accessType:" + accessType + " path:" + obj.getPath();
        if (a1.equals(CREATE) && obj.getResourceType().equals(VOLUME)) {
            assertEquals(msg, nativeAuthorizer.getOzoneAdmins().contains(user), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
        } else {
            assertEquals(msg, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a1).build()));
        }
        List<ACLType> aclsToBeValidated = Arrays.stream(ACLType.values()).collect(Collectors.toList());
        List<ACLType> aclsToBeAdded = Arrays.stream(ACLType.values()).collect(Collectors.toList());
        aclsToBeValidated.remove(NONE);
        // Do not validate "WRITE" since write acl type requires object to be
        // present in OpenKeyTable.
        aclsToBeValidated.remove(WRITE);
        aclsToBeValidated.remove(a1);
        aclsToBeAdded.remove(NONE);
        aclsToBeAdded.remove(ALL);
        // AclType "CREATE" is skipped from access check on objects
        // since the object will not exist during access check.
        aclsToBeAdded.remove(CREATE);
        // AclType "WRITE" is removed from being tested here,
        // because object must always be present in OpenKeyTable for write
        // acl requests. But, here the objects are already committed
        // and will move to keyTable.
        aclsToBeAdded.remove(WRITE);
        // Fetch acls again.
        for (ACLType a2 : aclsToBeAdded) {
            if (!a2.equals(a1)) {
                acls = aclImplementor.getAcl(obj);
                List right = acls.stream().map(a -> a.getAclList()).collect(Collectors.toList());
                assertFalse("Did not expect client to have " + a2 + " acl. " + "Current acls found:" + right + ". Type:" + accessType + "," + " name:" + (accessType == USER ? user : group), nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
                // Randomize next type.
                int type = RandomUtils.nextInt(0, 3);
                ACLIdentityType identityType = ACLIdentityType.values()[type];
                // Add remaining acls one by one and then check access.
                OzoneAcl addAcl = new OzoneAcl(identityType, getAclName(identityType), a2, ACCESS);
                // only DB not cache.
                if (obj.getResourceType() == VOLUME) {
                    addVolumeAcl(addAcl);
                } else if (obj.getResourceType() == BUCKET) {
                    addBucketAcl(addAcl);
                } else {
                    aclImplementor.addAcl(obj, addAcl);
                }
                // Fetch acls again.
                acls = aclImplementor.getAcl(obj);
                boolean a2AclFound = false;
                boolean a1AclFound = false;
                for (OzoneAcl acl : acls) {
                    if (acl.getAclList().contains(a2)) {
                        a2AclFound = true;
                    }
                    if (acl.getAclList().contains(a1)) {
                        a1AclFound = true;
                    }
                }
                assertTrue("Current acls :" + acls + ". " + "Type:" + accessType + ", name:" + (accessType == USER ? user : group) + " acl:" + a2, a2AclFound);
                assertTrue("Expected client to have " + a1 + " acl. Current acls " + "found:" + acls + ". Type:" + accessType + ", name:" + (accessType == USER ? user : group), a1AclFound);
                assertEquals("Current acls " + acls + ". Expect acl:" + a2 + " to be set? " + expectedAclResult + " accessType:" + accessType, expectedAclResult, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a2).build()));
                aclsToBeValidated.remove(a2);
                for (ACLType a3 : aclsToBeValidated) {
                    if (!a3.equals(a1) && !a3.equals(a2) && !a3.equals(CREATE)) {
                        assertFalse("User shouldn't have right " + a3 + ". " + "Current acl rights for user:" + a1 + "," + a2, nativeAuthorizer.checkAccess(obj, builder.setAclRights(a3).build()));
                    }
                }
            }
        }
    }
}
Also used : HddsProtos(org.apache.hadoop.hdds.protocol.proto.HddsProtos) Arrays(java.util.Arrays) VolumeManager(org.apache.hadoop.ozone.om.VolumeManager) OMRequestTestUtils(org.apache.hadoop.ozone.om.request.OMRequestTestUtils) OzoneManagerProtocol(org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol) OmKeyArgs(org.apache.hadoop.ozone.om.helpers.OmKeyArgs) VOLUME(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.VOLUME) Optional(com.google.common.base.Optional) CacheValue(org.apache.hadoop.hdds.utils.db.cache.CacheValue) ALL(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.ALL) OzoneAcl(org.apache.hadoop.ozone.OzoneAcl) Parameterized(org.junit.runners.Parameterized) USER(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.USER) OZONE_METADATA_DIRS(org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS) OmBucketInfo(org.apache.hadoop.ozone.om.helpers.OmBucketInfo) BucketManager(org.apache.hadoop.ozone.om.BucketManager) Collection(java.util.Collection) Collectors(java.util.stream.Collectors) List(java.util.List) ANONYMOUS(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.ANONYMOUS) PrefixManager(org.apache.hadoop.ozone.om.PrefixManager) OMException(org.apache.hadoop.ozone.om.exceptions.OMException) ACLType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType) OmTestManagers(org.apache.hadoop.ozone.om.OmTestManagers) Assert.assertFalse(org.junit.Assert.assertFalse) OZONE_ACL_AUTHORIZER_CLASS_NATIVE(org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE) GenericTestUtils(org.apache.ozone.test.GenericTestUtils) CREATE(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.CREATE) RandomUtils(org.apache.commons.lang3.RandomUtils) OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration) OZONE_ADMINISTRATORS(org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS) OZONE_URI_DELIMITER(org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER) BeforeClass(org.junit.BeforeClass) OZONE(org.apache.hadoop.ozone.security.acl.OzoneObj.StoreType.OZONE) KeyManager(org.apache.hadoop.ozone.om.KeyManager) WRITE(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.WRITE) RunWith(org.junit.runner.RunWith) ArrayList(java.util.ArrayList) ACCESS(org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS) BUCKET(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.BUCKET) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) OzoneAclUtil(org.apache.hadoop.ozone.om.helpers.OzoneAclUtil) NONE(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType.NONE) PREFIX(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.PREFIX) GROUP(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.GROUP) OpenKeySession(org.apache.hadoop.ozone.om.helpers.OpenKeySession) Assert.assertTrue(org.junit.Assert.assertTrue) Test(org.junit.Test) IOException(java.io.IOException) WORLD(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType.WORLD) OmVolumeArgs(org.apache.hadoop.ozone.om.helpers.OmVolumeArgs) File(java.io.File) KEY(org.apache.hadoop.ozone.security.acl.OzoneObj.ResourceType.KEY) StandaloneReplicationConfig(org.apache.hadoop.hdds.client.StandaloneReplicationConfig) CacheKey(org.apache.hadoop.hdds.utils.db.cache.CacheKey) OZONE_ACL_AUTHORIZER_CLASS(org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS) Collections(java.util.Collections) ACLIdentityType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType) Assert.assertEquals(org.junit.Assert.assertEquals) OMMetadataManager(org.apache.hadoop.ozone.om.OMMetadataManager) ACLIdentityType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType) ACLType(org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLType) OzoneAcl(org.apache.hadoop.ozone.OzoneAcl) List(java.util.List) ArrayList(java.util.ArrayList)

Aggregations

Optional (com.google.common.base.Optional)1 File (java.io.File)1 IOException (java.io.IOException)1 ArrayList (java.util.ArrayList)1 Arrays (java.util.Arrays)1 Collection (java.util.Collection)1 Collections (java.util.Collections)1 List (java.util.List)1 Collectors (java.util.stream.Collectors)1 RandomUtils (org.apache.commons.lang3.RandomUtils)1 OZONE_METADATA_DIRS (org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS)1 StandaloneReplicationConfig (org.apache.hadoop.hdds.client.StandaloneReplicationConfig)1 OzoneConfiguration (org.apache.hadoop.hdds.conf.OzoneConfiguration)1 HddsProtos (org.apache.hadoop.hdds.protocol.proto.HddsProtos)1 CacheKey (org.apache.hadoop.hdds.utils.db.cache.CacheKey)1 CacheValue (org.apache.hadoop.hdds.utils.db.cache.CacheValue)1 OzoneAcl (org.apache.hadoop.ozone.OzoneAcl)1 ACCESS (org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS)1 OZONE_ACL_AUTHORIZER_CLASS (org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS)1 OZONE_ACL_AUTHORIZER_CLASS_NATIVE (org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE)1