Java Code Examples for org.apache.hadoop.hbase.security.User#createUserForTesting()

The following examples show how to use org.apache.hadoop.hbase.security.User#createUserForTesting() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: TestAccessController2.java    From hbase with Apache License 2.0 6 votes vote down vote up
@BeforeClass
public static void setupBeforeClass() throws Exception {
  conf = TEST_UTIL.getConfiguration();
  // Up the handlers; this test needs more than usual.
  conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
  // Enable security
  enableSecurity(conf);
  // Verify enableSecurity sets up what we require
  verifyConfiguration(conf);
  TEST_UTIL.startMiniCluster();
  // Wait for the ACL table to become available
  TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);

  TESTGROUP_1_NAME = toGroupEntry(TESTGROUP_1);
  TESTGROUP1_USER1 =
      User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
  TESTGROUP2_USER1 =
      User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 });

  systemUserConnection = ConnectionFactory.createConnection(conf);
}
 
Example 2
Source File: TestTokenAuthentication.java    From hbase with Apache License 2.0 6 votes vote down vote up
@Test
public void testUseExistingToken() throws Exception {
  User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "testuser2",
      new String[]{"testgroup"});
  Token<AuthenticationTokenIdentifier> token =
      secretManager.generateToken(user.getName());
  assertNotNull(token);
  user.addToken(token);

  // make sure we got a token
  Token<AuthenticationTokenIdentifier> firstToken =
      new AuthenticationTokenSelector().selectToken(token.getService(), user.getTokens());
  assertNotNull(firstToken);
  assertEquals(token, firstToken);

  Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
  try {
    assertFalse(TokenUtil.addTokenIfMissing(conn, user));
    // make sure we still have the same token
    Token<AuthenticationTokenIdentifier> secondToken =
        new AuthenticationTokenSelector().selectToken(token.getService(), user.getTokens());
    assertEquals(firstToken, secondToken);
  } finally {
    conn.close();
  }
}
 
Example 3
Source File: TestVisibilityWithCheckAuths.java    From hbase with Apache License 2.0 6 votes vote down vote up
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  conf.setBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, true);
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
      ScanLabelGenerator.class);
  conf.set("hbase.superuser", "admin");
  TEST_UTIL.startMiniCluster(2);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  USER = User.createUserForTesting(conf, "user", new String[]{});
  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  addLabels();
}
 
Example 4
Source File: TestVisibilityLabelsOpWithDifferentUsersNoACL.java    From hbase with Apache License 2.0 6 votes vote down vote up
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  String currentUser = User.getCurrent().getName();
  conf.set("hbase.superuser", "admin,"+currentUser);
  TEST_UTIL.startMiniCluster(2);

  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
  NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {});
  addLabels();
}
 
Example 5
Source File: TestThriftHBaseServiceHandlerWithLabels.java    From hbase with Apache License 2.0 6 votes vote down vote up
@BeforeClass
public static void beforeClass() throws Exception {
  SUPERUSER = User.createUserForTesting(conf, "admin",
      new String[] { "supergroup" });
  conf = UTIL.getConfiguration();
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS,
      SimpleScanLabelGenerator.class, ScanLabelGenerator.class);
  conf.set("hbase.superuser", SUPERUSER.getShortName());
  VisibilityTestUtil.enableVisiblityLabels(conf);
  UTIL.startMiniCluster(1);
  // Wait for the labels table to become available
  UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME.getName(), 50000);
  createLabels();
  Admin admin = UTIL.getAdmin();
  TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
    new TableDescriptorBuilder.ModifyableTableDescriptor(TableName.valueOf(tableAname));
  for (ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor family : families) {
    tableDescriptor.setColumnFamily(family);
  }
  admin.createTable(tableDescriptor);
  admin.close();
  setAuths();
}
 
Example 6
Source File: HBaseTestingUtility.java    From hbase with Apache License 2.0 6 votes vote down vote up
/**
 * This method clones the passed <code>c</code> configuration setting a new
 * user into the clone.  Use it getting new instances of FileSystem.  Only
 * works for DistributedFileSystem w/o Kerberos.
 * @param c Initial configuration
 * @param differentiatingSuffix Suffix to differentiate this user from others.
 * @return A new configuration instance with a different user set into it.
 * @throws IOException
 */
public static User getDifferentUser(final Configuration c,
  final String differentiatingSuffix)
throws IOException {
  FileSystem currentfs = FileSystem.get(c);
  if (!(currentfs instanceof DistributedFileSystem) || User.isHBaseSecurityEnabled(c)) {
    return User.getCurrent();
  }
  // Else distributed filesystem.  Make a new instance per daemon.  Below
  // code is taken from the AppendTestUtil over in hdfs.
  String username = User.getCurrent().getName() +
    differentiatingSuffix;
  User user = User.createUserForTesting(c, username,
      new String[]{"supergroup"});
  return user;
}
 
Example 7
Source File: TestDefaultScanLabelGeneratorStack.java    From hbase with Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  // Not setting any SLG class. This means to use the default behavior.
  conf.set("hbase.superuser", "admin");
  TEST_UTIL.startMiniCluster(1);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  TESTUSER = User.createUserForTesting(conf, "test", new String[] { });

  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);

  // Set up for the test
  SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf)) {
        VisibilityClient.addLabels(conn, new String[] { SECRET, CONFIDENTIAL });
        VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL }, TESTUSER.getShortName());
      } catch (Throwable t) {
        throw new IOException(t);
      }
      return null;
    }
  });
}
 
Example 8
Source File: TestSnapshotScannerHDFSAclController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testGrantGlobal3() throws Exception {
  final String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace = name.getMethodName();
  TableName table1 = TableName.valueOf(namespace, name.getMethodName() + ".1");
  TableName table2 = TableName.valueOf(namespace, name.getMethodName() + ".2");
  String snapshot1 = namespace + "s1";
  String snapshot2 = namespace + "s2";
  // grant G(R)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ);
  // grant table1(R)
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1);
  snapshotAndWait(snapshot1, table1);
  TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table1, READ);
  // grant G(W)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE);
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2);
  snapshotAndWait(snapshot2, table2);
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6);
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1);
  assertFalse(hasUserGlobalHdfsAcl(aclTable, grantUserName));
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace));
  assertTrue(hasUserTableHdfsAcl(aclTable, grantUserName, table1));
  assertFalse(hasUserTableHdfsAcl(aclTable, grantUserName, table2));
  checkUserAclEntry(FS, helper.getGlobalRootPaths(), grantUserName, false, false);
  checkUserAclEntry(FS, helper.getTableRootPaths(table2, false), grantUserName, false, false);
  checkUserAclEntry(FS, helper.getTableRootPaths(table1, false), grantUserName, true, true);
  deleteTable(table1);
  deleteTable(table2);
}
 
Example 9
Source File: TestSnapshotScannerHDFSAclController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testGrantGlobal2() throws Exception {
  final String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace1 = name.getMethodName();
  TableName table1 = TableName.valueOf(namespace1, name.getMethodName() + ".1");
  String namespace2 = namespace1 + "2";
  TableName table2 = TableName.valueOf(namespace2, name.getMethodName() + ".2");
  String snapshot1 = namespace1 + "s1";
  String snapshot2 = namespace2 + "s2";

  // grant G(R), grant namespace1(R)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ);
  // create table in namespace1 and snapshot
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1);
  snapshotAndWait(snapshot1, table1);
  admin.grant(new UserPermission(grantUserName,
      Permission.newBuilder(namespace1).withActions(READ).build()),
    false);
  // grant G(W)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE);
  // create table in namespace2 and snapshot
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2);
  snapshotAndWait(snapshot2, table2);
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6);
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1);
  assertFalse(hasUserGlobalHdfsAcl(aclTable, grantUserName));
  assertTrue(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace1));
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace2));
  checkUserAclEntry(FS, helper.getGlobalRootPaths(), grantUserName, false, false);
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace1), grantUserName, true, true);
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace2), grantUserName, false, false);
  deleteTable(table1);
  deleteTable(table2);
}
 
Example 10
Source File: TestSnapshotScannerHDFSAclController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokeNamespace1() throws Exception {
  String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace = name.getMethodName();
  TableName table1 = TableName.valueOf(namespace, name.getMethodName());
  String snapshot1 = namespace + "s1";
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1);
  snapshotAndWait(snapshot1, table1);

  // revoke N(R)
  SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ);
  admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(namespace).build()));
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, -1);
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace));
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName, false, false);

  // grant N(R), grant G(R) -> revoke N(R)
  SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ);
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ);
  admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(namespace).build()));
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6);
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace));
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName, true, true);
  deleteTable(table1);
}
 
Example 11
Source File: TestSnapshotScannerHDFSAclController.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testTruncateTable() throws Exception {
  String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String grantUserName2 = grantUserName + "2";
  User grantUser2 = User.createUserForTesting(conf, grantUserName2, new String[] {});

  String namespace = name.getMethodName();
  TableName tableName = TableName.valueOf(namespace, name.getMethodName());
  String snapshot = namespace + "s1";
  String snapshot2 = namespace + "s2";
  try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, tableName)) {
    TestHDFSAclHelper.put(t);
    // snapshot
    snapshotAndWait(snapshot, tableName);
    // grant user2 namespace permission
    SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName2, namespace, READ);
    // grant user table permission
    TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, tableName, READ);
    // truncate table
    admin.disableTable(tableName);
    admin.truncateTable(tableName, true);
    TestHDFSAclHelper.put2(t);
    // snapshot
    snapshotAndWait(snapshot2, tableName);
    // check scan snapshot
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot, 6);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 9);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot2, 9);
    assertTrue(hasUserNamespaceHdfsAcl(aclTable, grantUserName2, namespace));
    checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName2, true, true);
    assertTrue(hasUserTableHdfsAcl(aclTable, grantUserName, tableName));
    checkUserAclEntry(FS, helper.getTableRootPaths(tableName, false), grantUserName, true, true);
    checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName, true, false);
  }
  deleteTable(tableName);
}
 
Example 12
Source File: TestCellACLs.java    From hbase with Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
  // Enable security
  enableSecurity(conf);
  // Verify enableSecurity sets up what we require
  verifyConfiguration(conf);

  // We expect 0.98 cell ACL semantics
  conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);

  TEST_UTIL.startMiniCluster();
  MasterCoprocessorHost cpHost = TEST_UTIL.getMiniHBaseCluster().getMaster()
      .getMasterCoprocessorHost();
  cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
  AccessController ac = cpHost.findCoprocessor(AccessController.class);
  cpHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
  RegionServerCoprocessorHost rsHost = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0)
      .getRegionServerCoprocessorHost();
  rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);

  // Wait for the ACL table to become available
  TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);

  // create a set of test users
  USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
  USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
  GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP });

  usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) };
}
 
Example 13
Source File: VisibilityLabelsWithDeletesTestBase.java    From hbase with Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
    ScanLabelGenerator.class);
  conf.set("hbase.superuser", "admin");
  TEST_UTIL.startMiniCluster(2);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });

  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  addLabels();
}
 
Example 14
Source File: TestWALSplit.java    From hbase with Apache License 2.0 5 votes vote down vote up
public ZombieLastLogWriterRegionServer(AtomicLong counter, AtomicBoolean stop,
    final String region, final int writers)
    throws IOException, InterruptedException {
  super("ZombieLastLogWriterRegionServer");
  setDaemon(true);
  this.stop = stop;
  this.editsCount = counter;
  this.region = region;
  this.user = User.createUserForTesting(conf, ZOMBIE, GROUP);
  numOfWriters = writers;
}
 
Example 15
Source File: TestAccessController2.java    From hbase with Apache License 2.0 5 votes vote down vote up
@Test
public void testCreateWithCorrectOwner() throws Exception {
  // Create a test user
  final User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
    new String[0]);
  // Grant the test user the ability to create tables
  SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
        new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
      tableDescriptor.setColumnFamily(
        new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
      try (Connection connection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), testUser)) {
        try (Admin admin = connection.getAdmin()) {
          createTable(TEST_UTIL, admin, tableDescriptor);
        }
      }
      return null;
    }
  }, testUser);
  TEST_UTIL.waitTableAvailable(testTable.getTableName());
  // Verify that owner permissions have been granted to the test user on the
  // table just created
  List<UserPermission> perms = PermissionStorage
      .getTablePermissions(conf, testTable.getTableName()).get(testUser.getShortName());
  assertNotNull(perms);
  assertFalse(perms.isEmpty());
  // Should be RWXCA
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.READ));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.WRITE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.EXEC));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.CREATE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.ADMIN));
}
 
Example 16
Source File: TestSnapshotScannerHDFSAclController2.java    From hbase with Apache License 2.0 4 votes vote down vote up
@Test
public void testRestoreSnapshot() throws Exception {
  final String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace = name.getMethodName();
  TableName table = TableName.valueOf(namespace, name.getMethodName());
  String snapshot = namespace + "s1";
  String snapshot2 = namespace + "s2";
  String snapshot3 = namespace + "s3";

  LOG.info("Create {}", table);
  try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, table)) {
    TestHDFSAclHelper.put(t);
    // grant t1, snapshot
    LOG.info("Grant {}", table);
    TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ);
    admin.snapshot(snapshot, table);
    // delete
    admin.disableTable(table);
    admin.deleteTable(table);
    LOG.info("Before scan of shapshot! {}", table);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1);

    // restore snapshot and restore acl
    admin.restoreSnapshot(snapshot, true, true);
    TestHDFSAclHelper.put2(t);
    // snapshot
    admin.snapshot(snapshot2, table);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 10);
    assertTrue(hasUserTableHdfsAcl(aclTable, grantUserName, table));
    TestSnapshotScannerHDFSAclController.
      checkUserAclEntry(FS, helper.getTableRootPaths(table, false),
        grantUserName, true, true);

    // delete
    admin.disableTable(table);
    admin.deleteTable(table);
    // restore snapshot and skip restore acl
    admin.restoreSnapshot(snapshot);
    admin.snapshot(snapshot3, table);

    LOG.info("CHECK");
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, -1);
    assertFalse(hasUserTableHdfsAcl(aclTable, grantUserName, table));
    TestSnapshotScannerHDFSAclController.
      checkUserAclEntry(FS, helper.getPathHelper().getDataTableDir(table),
        grantUserName, false, false);
    TestSnapshotScannerHDFSAclController.
      checkUserAclEntry(FS, helper.getPathHelper().getArchiveTableDir(table),
        grantUserName, true, false);
  }
}
 
Example 17
Source File: TestZKPermissionWatcher.java    From hbase with Apache License 2.0 4 votes vote down vote up
@Test
public void testPermissionsWatcher() throws Exception {
  Configuration conf = UTIL.getConfiguration();
  User george = User.createUserForTesting(conf, "george", new String[] { });
  User hubert = User.createUserForTesting(conf, "hubert", new String[] { });

  assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));

  assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));

  // update ACL: george RW
  List<UserPermission> acl = new ArrayList<>(1);
  acl.add(new UserPermission(george.getShortName(), Permission.newBuilder(TEST_TABLE)
      .withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
  ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create();
  multimap.putAll(george.getShortName(), acl);
  byte[] serialized = PermissionStorage.writePermissionsAsBytes(multimap, conf);
  WATCHER_A.writeToZookeeper(TEST_TABLE.getName(), serialized);
  final long mtimeB = AUTH_B.getMTime();
  // Wait for the update to propagate
  UTIL.waitFor(10000, 100, new Predicate<Exception>() {
    @Override
    public boolean evaluate() throws Exception {
      return AUTH_B.getMTime() > mtimeB;
    }
  });
  Thread.sleep(1000);

  // check it
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));

  // update ACL: hubert R
  List<UserPermission> acl2 = new ArrayList<>(1);
  acl2.add(new UserPermission(hubert.getShortName(),
      Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build()));
  final long mtimeA = AUTH_A.getMTime();
  multimap.putAll(hubert.getShortName(), acl2);
  byte[] serialized2 = PermissionStorage.writePermissionsAsBytes(multimap, conf);
  WATCHER_B.writeToZookeeper(TEST_TABLE.getName(), serialized2);
  // Wait for the update to propagate
  UTIL.waitFor(10000, 100, new Predicate<Exception>() {
    @Override
    public boolean evaluate() throws Exception {
      return AUTH_A.getMTime() > mtimeA;
    }
  });
  Thread.sleep(1000);

  // check it
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
}
 
Example 18
Source File: TestVisibilityLabelReplicationWithExpAsString.java    From hbase with Apache License 2.0 4 votes vote down vote up
@Override
@Before
public void setup() throws Exception {
  expected[0] = 4;
  expected[1] = 6;
  expected[2] = 4;
  expected[3] = 0;
  expected[3] = 3;
  expectedVisString[0] = "(\"public\"&\"secret\"&\"topsecret\")|(\"confidential\"&\"topsecret\")";
  expectedVisString[1] = "(\"private\"&\"public\")|(\"private\"&\"topsecret\")|"
      + "(\"confidential\"&\"public\")|(\"confidential\"&\"topsecret\")";
  expectedVisString[2] = "(!\"topsecret\"&\"secret\")|(!\"topsecret\"&\"confidential\")";
  expectedVisString[3] = "(\"secret\"&\"" + COPYRIGHT + "\\\"" + ACCENT + "\\\\" + SECRET
      + "\\\"" + "\u0027&\\\\" + "\")";
  // setup configuration
  conf = HBaseConfiguration.create();
  conf.setInt("hfile.format.version", 3);
  conf.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/1");
  conf.setInt("replication.source.size.capacity", 10240);
  conf.setLong("replication.source.sleepforretries", 100);
  conf.setInt("hbase.regionserver.maxlogs", 10);
  conf.setLong("hbase.master.logcleaner.ttl", 10);
  conf.setInt("zookeeper.recovery.retry", 1);
  conf.setInt("zookeeper.recovery.retry.intervalmill", 10);
  conf.setLong(HConstants.THREAD_WAKE_FREQUENCY, 100);
  conf.setInt("replication.stats.thread.period.seconds", 5);
  conf.setBoolean("hbase.tests.use.shortcircuit.reads", false);
  setVisibilityLabelServiceImpl(conf, ExpAsStringVisibilityLabelServiceImpl.class);
  conf.setStrings(HConstants.REPLICATION_CODEC_CONF_KEY, KeyValueCodecWithTags.class.getName());
  VisibilityTestUtil.enableVisiblityLabels(conf);
  conf.set(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY,
      VisibilityReplication.class.getName());
  conf.setStrings(CoprocessorHost.USER_REGION_COPROCESSOR_CONF_KEY,
      SimpleCP.class.getName());
  // Have to reset conf1 in case zk cluster location different
  // than default
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
          ScanLabelGenerator.class);
  conf.set("hbase.superuser", "admin");
  conf.set("hbase.superuser", User.getCurrent().getShortName());
  SUPERUSER = User.createUserForTesting(conf, User.getCurrent().getShortName(),
      new String[] { "supergroup" });
  User.createUserForTesting(conf,
      User.getCurrent().getShortName(), new String[] { "supergroup" });
  USER1 = User.createUserForTesting(conf, "user1", new String[] {});
  TEST_UTIL = new HBaseTestingUtility(conf);
  TEST_UTIL.startMiniZKCluster();
  MiniZooKeeperCluster miniZK = TEST_UTIL.getZkCluster();
  zkw1 = new ZKWatcher(conf, "cluster1", null, true);

  // Base conf2 on conf1 so it gets the right zk cluster.
  conf1 = HBaseConfiguration.create(conf);
  conf1.setInt("hfile.format.version", 3);
  conf1.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/2");
  conf1.setInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 6);
  conf1.setBoolean("hbase.tests.use.shortcircuit.reads", false);
  conf1.setStrings(HConstants.REPLICATION_CODEC_CONF_KEY, KeyValueCodecWithTags.class.getName());
  conf1.setStrings(CoprocessorHost.USER_REGION_COPROCESSOR_CONF_KEY,
          TestCoprocessorForTagsAtSink.class.getName());
  setVisibilityLabelServiceImpl(conf1, ExpAsStringVisibilityLabelServiceImpl.class);
  TEST_UTIL1 = new HBaseTestingUtility(conf1);
  TEST_UTIL1.setZkCluster(miniZK);
  zkw2 = new ZKWatcher(conf1, "cluster2", null, true);

  TEST_UTIL.startMiniCluster(1);
  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  TEST_UTIL1.startMiniCluster(1);

  admin = TEST_UTIL.getAdmin();
  ReplicationPeerConfig rpc = new ReplicationPeerConfig();
  rpc.setClusterKey(TEST_UTIL1.getClusterKey());
  admin.addReplicationPeer("2", rpc);

  TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
    new TableDescriptorBuilder.ModifyableTableDescriptor(TABLE_NAME);
  ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor familyDescriptor =
    new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(fam);
  familyDescriptor.setScope(HConstants.REPLICATION_SCOPE_GLOBAL);
  tableDescriptor.setColumnFamily(familyDescriptor);
  try (Admin hBaseAdmin = TEST_UTIL.getAdmin()) {
    hBaseAdmin.createTable(tableDescriptor);
  }
  try (Admin hBaseAdmin1 = TEST_UTIL1.getAdmin()){
    hBaseAdmin1.createTable(tableDescriptor);
  }
  addLabels();
  setAuths(conf);
  setAuths(conf1);
}
 
Example 19
Source File: TestHStore.java    From hbase with Apache License 2.0 4 votes vote down vote up
@Test
public void testHandleErrorsInFlush() throws Exception {
  LOG.info("Setting up a faulty file system that cannot write");

  final Configuration conf = HBaseConfiguration.create(TEST_UTIL.getConfiguration());
  User user = User.createUserForTesting(conf,
      "testhandleerrorsinflush", new String[]{"foo"});
  // Inject our faulty LocalFileSystem
  conf.setClass("fs.file.impl", FaultyFileSystem.class,
      FileSystem.class);
  user.runAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      // Make sure it worked (above is sensitive to caching details in hadoop core)
      FileSystem fs = FileSystem.get(conf);
      assertEquals(FaultyFileSystem.class, fs.getClass());

      // Initialize region
      init(name.getMethodName(), conf);

      LOG.info("Adding some data");
      store.add(new KeyValue(row, family, qf1, 1, (byte[])null), null);
      store.add(new KeyValue(row, family, qf2, 1, (byte[])null), null);
      store.add(new KeyValue(row, family, qf3, 1, (byte[])null), null);

      LOG.info("Before flush, we should have no files");

      Collection<StoreFileInfo> files =
        store.getRegionFileSystem().getStoreFiles(store.getColumnFamilyName());
      assertEquals(0, files != null ? files.size() : 0);

      //flush
      try {
        LOG.info("Flushing");
        flush(1);
        fail("Didn't bubble up IOE!");
      } catch (IOException ioe) {
        assertTrue(ioe.getMessage().contains("Fault injected"));
      }

      LOG.info("After failed flush, we should still have no files!");
      files = store.getRegionFileSystem().getStoreFiles(store.getColumnFamilyName());
      assertEquals(0, files != null ? files.size() : 0);
      store.getHRegion().getWAL().close();
      return null;
    }
  });
  FileSystem.closeAllForUGI(user.getUGI());
}
 
Example 20
Source File: TestNamespaceCommands.java    From hbase with Apache License 2.0 4 votes vote down vote up
@BeforeClass
public static void beforeClass() throws Exception {
  conf = UTIL.getConfiguration();
  enableSecurity(conf);

  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  // Users with global permissions
  USER_GLOBAL_ADMIN = User.createUserForTesting(conf, "global_admin", new String[0]);
  USER_GLOBAL_CREATE = User.createUserForTesting(conf, "global_create", new String[0]);
  USER_GLOBAL_WRITE = User.createUserForTesting(conf, "global_write", new String[0]);
  USER_GLOBAL_READ = User.createUserForTesting(conf, "global_read", new String[0]);
  USER_GLOBAL_EXEC = User.createUserForTesting(conf, "global_exec", new String[0]);

  USER_NS_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
  USER_NS_CREATE = User.createUserForTesting(conf, "namespace_create", new String[0]);
  USER_NS_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
  USER_NS_READ = User.createUserForTesting(conf, "namespace_read", new String[0]);
  USER_NS_EXEC = User.createUserForTesting(conf, "namespace_exec", new String[0]);

  USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
  USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);

  USER_GROUP_ADMIN =
      User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
  USER_GROUP_NS_ADMIN =
      User.createUserForTesting(conf, "user_group_ns_admin", new String[] { GROUP_NS_ADMIN });
  USER_GROUP_CREATE =
      User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
  USER_GROUP_READ =
      User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
  USER_GROUP_WRITE =
      User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
  // TODO: other table perms

  UTIL.getConfiguration().setInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 2);
  UTIL.startMiniCluster();
  // Wait for the ACL table to become available
  UTIL.waitTableAvailable(PermissionStorage.ACL_TABLE_NAME.getName(), 30 * 1000);

  // Find the Access Controller CP. Could be on master or if master is not serving regions, is
  // on an arbitrary server.
  for (JVMClusterUtil.RegionServerThread rst:
      UTIL.getMiniHBaseCluster().getLiveRegionServerThreads()) {
    ACCESS_CONTROLLER = rst.getRegionServer().getRegionServerCoprocessorHost().
      findCoprocessor(AccessController.class);
    if (ACCESS_CONTROLLER != null) {
      break;
    }
  }
  if (ACCESS_CONTROLLER == null) {
    throw new NullPointerException();
  }

  UTIL.getAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build());
  UTIL.getAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build());

  // grants on global
  grantGlobal(UTIL, USER_GLOBAL_ADMIN.getShortName(),  Permission.Action.ADMIN);
  grantGlobal(UTIL, USER_GLOBAL_CREATE.getShortName(), Permission.Action.CREATE);
  grantGlobal(UTIL, USER_GLOBAL_WRITE.getShortName(),  Permission.Action.WRITE);
  grantGlobal(UTIL, USER_GLOBAL_READ.getShortName(),   Permission.Action.READ);
  grantGlobal(UTIL, USER_GLOBAL_EXEC.getShortName(),   Permission.Action.EXEC);

  // grants on namespace
  grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(),  TEST_NAMESPACE, Permission.Action.ADMIN);
  grantOnNamespace(UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, Permission.Action.CREATE);
  grantOnNamespace(UTIL, USER_NS_WRITE.getShortName(),  TEST_NAMESPACE, Permission.Action.WRITE);
  grantOnNamespace(UTIL, USER_NS_READ.getShortName(),   TEST_NAMESPACE, Permission.Action.READ);
  grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(),   TEST_NAMESPACE, Permission.Action.EXEC);
  grantOnNamespace(UTIL, toGroupEntry(GROUP_NS_ADMIN), TEST_NAMESPACE, Permission.Action.ADMIN);

  grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);

  grantGlobal(UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN);
  grantGlobal(UTIL, toGroupEntry(GROUP_CREATE), Permission.Action.CREATE);
  grantGlobal(UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
  grantGlobal(UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
}