Java Code Examples for org.apache.hadoop.hbase.security.User#createUserForTesting()

@BeforeClass
public static void setupBeforeClass() throws Exception {
  conf = TEST_UTIL.getConfiguration();
  // Up the handlers; this test needs more than usual.
  conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
  // Enable security
  enableSecurity(conf);
  // Verify enableSecurity sets up what we require
  verifyConfiguration(conf);
  TEST_UTIL.startMiniCluster();
  // Wait for the ACL table to become available
  TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);

  TESTGROUP_1_NAME = toGroupEntry(TESTGROUP_1);
  TESTGROUP1_USER1 =
      User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
  TESTGROUP2_USER1 =
      User.createUserForTesting(conf, "testgroup2_user2", new String[] { TESTGROUP_2 });

  systemUserConnection = ConnectionFactory.createConnection(conf);
}
 

@Test
public void testUseExistingToken() throws Exception {
  User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "testuser2",
      new String[]{"testgroup"});
  Token<AuthenticationTokenIdentifier> token =
      secretManager.generateToken(user.getName());
  assertNotNull(token);
  user.addToken(token);

  // make sure we got a token
  Token<AuthenticationTokenIdentifier> firstToken =
      new AuthenticationTokenSelector().selectToken(token.getService(), user.getTokens());
  assertNotNull(firstToken);
  assertEquals(token, firstToken);

  Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
  try {
    assertFalse(TokenUtil.addTokenIfMissing(conn, user));
    // make sure we still have the same token
    Token<AuthenticationTokenIdentifier> secondToken =
        new AuthenticationTokenSelector().selectToken(token.getService(), user.getTokens());
    assertEquals(firstToken, secondToken);
  } finally {
    conn.close();
  }
}
 

@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  conf.setBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, true);
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
      ScanLabelGenerator.class);
  conf.set("hbase.superuser", "admin");
  TEST_UTIL.startMiniCluster(2);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  USER = User.createUserForTesting(conf, "user", new String[]{});
  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  addLabels();
}
 

@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  String currentUser = User.getCurrent().getName();
  conf.set("hbase.superuser", "admin,"+currentUser);
  TEST_UTIL.startMiniCluster(2);

  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
  NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {});
  addLabels();
}
 

@BeforeClass
public static void beforeClass() throws Exception {
  SUPERUSER = User.createUserForTesting(conf, "admin",
      new String[] { "supergroup" });
  conf = UTIL.getConfiguration();
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS,
      SimpleScanLabelGenerator.class, ScanLabelGenerator.class);
  conf.set("hbase.superuser", SUPERUSER.getShortName());
  VisibilityTestUtil.enableVisiblityLabels(conf);
  UTIL.startMiniCluster(1);
  // Wait for the labels table to become available
  UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME.getName(), 50000);
  createLabels();
  Admin admin = UTIL.getAdmin();
  TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
    new TableDescriptorBuilder.ModifyableTableDescriptor(TableName.valueOf(tableAname));
  for (ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor family : families) {
    tableDescriptor.setColumnFamily(family);
  }
  admin.createTable(tableDescriptor);
  admin.close();
  setAuths();
}
 

/**
 * This method clones the passed <code>c</code> configuration setting a new
 * user into the clone.  Use it getting new instances of FileSystem.  Only
 * works for DistributedFileSystem w/o Kerberos.
 * @param c Initial configuration
 * @param differentiatingSuffix Suffix to differentiate this user from others.
 * @return A new configuration instance with a different user set into it.
 * @throws IOException
 */
public static User getDifferentUser(final Configuration c,
  final String differentiatingSuffix)
throws IOException {
  FileSystem currentfs = FileSystem.get(c);
  if (!(currentfs instanceof DistributedFileSystem) || User.isHBaseSecurityEnabled(c)) {
    return User.getCurrent();
  }
  // Else distributed filesystem.  Make a new instance per daemon.  Below
  // code is taken from the AppendTestUtil over in hdfs.
  String username = User.getCurrent().getName() +
    differentiatingSuffix;
  User user = User.createUserForTesting(c, username,
      new String[]{"supergroup"});
  return user;
}
 

@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  // Not setting any SLG class. This means to use the default behavior.
  conf.set("hbase.superuser", "admin");
  TEST_UTIL.startMiniCluster(1);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  TESTUSER = User.createUserForTesting(conf, "test", new String[] { });

  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);

  // Set up for the test
  SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(conf)) {
        VisibilityClient.addLabels(conn, new String[] { SECRET, CONFIDENTIAL });
        VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL }, TESTUSER.getShortName());
      } catch (Throwable t) {
        throw new IOException(t);
      }
      return null;
    }
  });
}
 

@Test
public void testGrantGlobal3() throws Exception {
  final String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace = name.getMethodName();
  TableName table1 = TableName.valueOf(namespace, name.getMethodName() + ".1");
  TableName table2 = TableName.valueOf(namespace, name.getMethodName() + ".2");
  String snapshot1 = namespace + "s1";
  String snapshot2 = namespace + "s2";
  // grant G(R)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ);
  // grant table1(R)
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1);
  snapshotAndWait(snapshot1, table1);
  TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table1, READ);
  // grant G(W)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE);
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2);
  snapshotAndWait(snapshot2, table2);
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6);
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1);
  assertFalse(hasUserGlobalHdfsAcl(aclTable, grantUserName));
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace));
  assertTrue(hasUserTableHdfsAcl(aclTable, grantUserName, table1));
  assertFalse(hasUserTableHdfsAcl(aclTable, grantUserName, table2));
  checkUserAclEntry(FS, helper.getGlobalRootPaths(), grantUserName, false, false);
  checkUserAclEntry(FS, helper.getTableRootPaths(table2, false), grantUserName, false, false);
  checkUserAclEntry(FS, helper.getTableRootPaths(table1, false), grantUserName, true, true);
  deleteTable(table1);
  deleteTable(table2);
}
 

@Test
public void testGrantGlobal2() throws Exception {
  final String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace1 = name.getMethodName();
  TableName table1 = TableName.valueOf(namespace1, name.getMethodName() + ".1");
  String namespace2 = namespace1 + "2";
  TableName table2 = TableName.valueOf(namespace2, name.getMethodName() + ".2");
  String snapshot1 = namespace1 + "s1";
  String snapshot2 = namespace2 + "s2";

  // grant G(R), grant namespace1(R)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ);
  // create table in namespace1 and snapshot
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1);
  snapshotAndWait(snapshot1, table1);
  admin.grant(new UserPermission(grantUserName,
      Permission.newBuilder(namespace1).withActions(READ).build()),
    false);
  // grant G(W)
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, WRITE);
  // create table in namespace2 and snapshot
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table2);
  snapshotAndWait(snapshot2, table2);
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6);
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1);
  assertFalse(hasUserGlobalHdfsAcl(aclTable, grantUserName));
  assertTrue(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace1));
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace2));
  checkUserAclEntry(FS, helper.getGlobalRootPaths(), grantUserName, false, false);
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace1), grantUserName, true, true);
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace2), grantUserName, false, false);
  deleteTable(table1);
  deleteTable(table2);
}
 

@Test
public void testRevokeNamespace1() throws Exception {
  String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace = name.getMethodName();
  TableName table1 = TableName.valueOf(namespace, name.getMethodName());
  String snapshot1 = namespace + "s1";
  TestHDFSAclHelper.createTableAndPut(TEST_UTIL, table1);
  snapshotAndWait(snapshot1, table1);

  // revoke N(R)
  SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ);
  admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(namespace).build()));
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, -1);
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace));
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName, false, false);

  // grant N(R), grant G(R) -> revoke N(R)
  SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName, namespace, READ);
  SecureTestUtil.grantGlobal(TEST_UTIL, grantUserName, READ);
  admin.revoke(new UserPermission(grantUserName, Permission.newBuilder(namespace).build()));
  // check scan snapshot
  TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot1, 6);
  assertFalse(hasUserNamespaceHdfsAcl(aclTable, grantUserName, namespace));
  checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName, true, true);
  deleteTable(table1);
}
 

@Test
public void testTruncateTable() throws Exception {
  String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String grantUserName2 = grantUserName + "2";
  User grantUser2 = User.createUserForTesting(conf, grantUserName2, new String[] {});

  String namespace = name.getMethodName();
  TableName tableName = TableName.valueOf(namespace, name.getMethodName());
  String snapshot = namespace + "s1";
  String snapshot2 = namespace + "s2";
  try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, tableName)) {
    TestHDFSAclHelper.put(t);
    // snapshot
    snapshotAndWait(snapshot, tableName);
    // grant user2 namespace permission
    SecureTestUtil.grantOnNamespace(TEST_UTIL, grantUserName2, namespace, READ);
    // grant user table permission
    TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, tableName, READ);
    // truncate table
    admin.disableTable(tableName);
    admin.truncateTable(tableName, true);
    TestHDFSAclHelper.put2(t);
    // snapshot
    snapshotAndWait(snapshot2, tableName);
    // check scan snapshot
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot, 6);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 9);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser2, snapshot2, 9);
    assertTrue(hasUserNamespaceHdfsAcl(aclTable, grantUserName2, namespace));
    checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName2, true, true);
    assertTrue(hasUserTableHdfsAcl(aclTable, grantUserName, tableName));
    checkUserAclEntry(FS, helper.getTableRootPaths(tableName, false), grantUserName, true, true);
    checkUserAclEntry(FS, helper.getNamespaceRootPaths(namespace), grantUserName, true, false);
  }
  deleteTable(tableName);
}
 

@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
  // Enable security
  enableSecurity(conf);
  // Verify enableSecurity sets up what we require
  verifyConfiguration(conf);

  // We expect 0.98 cell ACL semantics
  conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);

  TEST_UTIL.startMiniCluster();
  MasterCoprocessorHost cpHost = TEST_UTIL.getMiniHBaseCluster().getMaster()
      .getMasterCoprocessorHost();
  cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf);
  AccessController ac = cpHost.findCoprocessor(AccessController.class);
  cpHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);
  RegionServerCoprocessorHost rsHost = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0)
      .getRegionServerCoprocessorHost();
  rsHost.createEnvironment(ac, Coprocessor.PRIORITY_HIGHEST, 1, conf);

  // Wait for the ACL table to become available
  TEST_UTIL.waitTableEnabled(PermissionStorage.ACL_TABLE_NAME);

  // create a set of test users
  USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]);
  USER_OTHER = User.createUserForTesting(conf, "other", new String[0]);
  GROUP_USER = User.createUserForTesting(conf, "group_user", new String[] { GROUP });

  usersAndGroups = new String[] { USER_OTHER.getShortName(), AuthUtil.toGroupEntry(GROUP) };
}
 

@BeforeClass
public static void setupBeforeClass() throws Exception {
  // setup configuration
  conf = TEST_UTIL.getConfiguration();
  VisibilityTestUtil.enableVisiblityLabels(conf);
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
    ScanLabelGenerator.class);
  conf.set("hbase.superuser", "admin");
  TEST_UTIL.startMiniCluster(2);
  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });

  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  addLabels();
}
 

public ZombieLastLogWriterRegionServer(AtomicLong counter, AtomicBoolean stop,
    final String region, final int writers)
    throws IOException, InterruptedException {
  super("ZombieLastLogWriterRegionServer");
  setDaemon(true);
  this.stop = stop;
  this.editsCount = counter;
  this.region = region;
  this.user = User.createUserForTesting(conf, ZOMBIE, GROUP);
  numOfWriters = writers;
}
 

@Test
public void testCreateWithCorrectOwner() throws Exception {
  // Create a test user
  final User testUser = User.createUserForTesting(TEST_UTIL.getConfiguration(), "TestUser",
    new String[0]);
  // Grant the test user the ability to create tables
  SecureTestUtil.grantGlobal(TEST_UTIL, testUser.getShortName(), Action.CREATE);
  verifyAllowed(new AccessTestAction() {
    @Override
    public Object run() throws Exception {
      TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
        new TableDescriptorBuilder.ModifyableTableDescriptor(testTable.getTableName());
      tableDescriptor.setColumnFamily(
        new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(TEST_FAMILY));
      try (Connection connection =
          ConnectionFactory.createConnection(TEST_UTIL.getConfiguration(), testUser)) {
        try (Admin admin = connection.getAdmin()) {
          createTable(TEST_UTIL, admin, tableDescriptor);
        }
      }
      return null;
    }
  }, testUser);
  TEST_UTIL.waitTableAvailable(testTable.getTableName());
  // Verify that owner permissions have been granted to the test user on the
  // table just created
  List<UserPermission> perms = PermissionStorage
      .getTablePermissions(conf, testTable.getTableName()).get(testUser.getShortName());
  assertNotNull(perms);
  assertFalse(perms.isEmpty());
  // Should be RWXCA
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.READ));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.WRITE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.EXEC));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.CREATE));
  assertTrue(perms.get(0).getPermission().implies(Permission.Action.ADMIN));
}
 

@Test
public void testRestoreSnapshot() throws Exception {
  final String grantUserName = name.getMethodName();
  User grantUser = User.createUserForTesting(conf, grantUserName, new String[] {});
  String namespace = name.getMethodName();
  TableName table = TableName.valueOf(namespace, name.getMethodName());
  String snapshot = namespace + "s1";
  String snapshot2 = namespace + "s2";
  String snapshot3 = namespace + "s3";

  LOG.info("Create {}", table);
  try (Table t = TestHDFSAclHelper.createTable(TEST_UTIL, table)) {
    TestHDFSAclHelper.put(t);
    // grant t1, snapshot
    LOG.info("Grant {}", table);
    TestHDFSAclHelper.grantOnTable(TEST_UTIL, grantUserName, table, READ);
    admin.snapshot(snapshot, table);
    // delete
    admin.disableTable(table);
    admin.deleteTable(table);
    LOG.info("Before scan of shapshot! {}", table);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1);

    // restore snapshot and restore acl
    admin.restoreSnapshot(snapshot, true, true);
    TestHDFSAclHelper.put2(t);
    // snapshot
    admin.snapshot(snapshot2, table);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, 6);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, 10);
    assertTrue(hasUserTableHdfsAcl(aclTable, grantUserName, table));
    TestSnapshotScannerHDFSAclController.
      checkUserAclEntry(FS, helper.getTableRootPaths(table, false),
        grantUserName, true, true);

    // delete
    admin.disableTable(table);
    admin.deleteTable(table);
    // restore snapshot and skip restore acl
    admin.restoreSnapshot(snapshot);
    admin.snapshot(snapshot3, table);

    LOG.info("CHECK");
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot, -1);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot2, -1);
    TestHDFSAclHelper.canUserScanSnapshot(TEST_UTIL, grantUser, snapshot3, -1);
    assertFalse(hasUserTableHdfsAcl(aclTable, grantUserName, table));
    TestSnapshotScannerHDFSAclController.
      checkUserAclEntry(FS, helper.getPathHelper().getDataTableDir(table),
        grantUserName, false, false);
    TestSnapshotScannerHDFSAclController.
      checkUserAclEntry(FS, helper.getPathHelper().getArchiveTableDir(table),
        grantUserName, true, false);
  }
}
 

@Test
public void testPermissionsWatcher() throws Exception {
  Configuration conf = UTIL.getConfiguration();
  User george = User.createUserForTesting(conf, "george", new String[] { });
  User hubert = User.createUserForTesting(conf, "hubert", new String[] { });

  assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));

  assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));

  // update ACL: george RW
  List<UserPermission> acl = new ArrayList<>(1);
  acl.add(new UserPermission(george.getShortName(), Permission.newBuilder(TEST_TABLE)
      .withActions(Permission.Action.READ, Permission.Action.WRITE).build()));
  ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create();
  multimap.putAll(george.getShortName(), acl);
  byte[] serialized = PermissionStorage.writePermissionsAsBytes(multimap, conf);
  WATCHER_A.writeToZookeeper(TEST_TABLE.getName(), serialized);
  final long mtimeB = AUTH_B.getMTime();
  // Wait for the update to propagate
  UTIL.waitFor(10000, 100, new Predicate<Exception>() {
    @Override
    public boolean evaluate() throws Exception {
      return AUTH_B.getMTime() > mtimeB;
    }
  });
  Thread.sleep(1000);

  // check it
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));

  // update ACL: hubert R
  List<UserPermission> acl2 = new ArrayList<>(1);
  acl2.add(new UserPermission(hubert.getShortName(),
      Permission.newBuilder(TEST_TABLE).withActions(TablePermission.Action.READ).build()));
  final long mtimeA = AUTH_A.getMTime();
  multimap.putAll(hubert.getShortName(), acl2);
  byte[] serialized2 = PermissionStorage.writePermissionsAsBytes(multimap, conf);
  WATCHER_B.writeToZookeeper(TEST_TABLE.getName(), serialized2);
  // Wait for the update to propagate
  UTIL.waitFor(10000, 100, new Predicate<Exception>() {
    @Override
    public boolean evaluate() throws Exception {
      return AUTH_A.getMTime() > mtimeA;
    }
  });
  Thread.sleep(1000);

  // check it
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ));
  assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
  assertTrue(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ));
  assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE));
}
 

@Override
@Before
public void setup() throws Exception {
  expected[0] = 4;
  expected[1] = 6;
  expected[2] = 4;
  expected[3] = 0;
  expected[3] = 3;
  expectedVisString[0] = "(\"public\"&\"secret\"&\"topsecret\")|(\"confidential\"&\"topsecret\")";
  expectedVisString[1] = "(\"private\"&\"public\")|(\"private\"&\"topsecret\")|"
      + "(\"confidential\"&\"public\")|(\"confidential\"&\"topsecret\")";
  expectedVisString[2] = "(!\"topsecret\"&\"secret\")|(!\"topsecret\"&\"confidential\")";
  expectedVisString[3] = "(\"secret\"&\"" + COPYRIGHT + "\\\"" + ACCENT + "\\\\" + SECRET
      + "\\\"" + "\u0027&\\\\" + "\")";
  // setup configuration
  conf = HBaseConfiguration.create();
  conf.setInt("hfile.format.version", 3);
  conf.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/1");
  conf.setInt("replication.source.size.capacity", 10240);
  conf.setLong("replication.source.sleepforretries", 100);
  conf.setInt("hbase.regionserver.maxlogs", 10);
  conf.setLong("hbase.master.logcleaner.ttl", 10);
  conf.setInt("zookeeper.recovery.retry", 1);
  conf.setInt("zookeeper.recovery.retry.intervalmill", 10);
  conf.setLong(HConstants.THREAD_WAKE_FREQUENCY, 100);
  conf.setInt("replication.stats.thread.period.seconds", 5);
  conf.setBoolean("hbase.tests.use.shortcircuit.reads", false);
  setVisibilityLabelServiceImpl(conf, ExpAsStringVisibilityLabelServiceImpl.class);
  conf.setStrings(HConstants.REPLICATION_CODEC_CONF_KEY, KeyValueCodecWithTags.class.getName());
  VisibilityTestUtil.enableVisiblityLabels(conf);
  conf.set(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY,
      VisibilityReplication.class.getName());
  conf.setStrings(CoprocessorHost.USER_REGION_COPROCESSOR_CONF_KEY,
      SimpleCP.class.getName());
  // Have to reset conf1 in case zk cluster location different
  // than default
  conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class,
          ScanLabelGenerator.class);
  conf.set("hbase.superuser", "admin");
  conf.set("hbase.superuser", User.getCurrent().getShortName());
  SUPERUSER = User.createUserForTesting(conf, User.getCurrent().getShortName(),
      new String[] { "supergroup" });
  User.createUserForTesting(conf,
      User.getCurrent().getShortName(), new String[] { "supergroup" });
  USER1 = User.createUserForTesting(conf, "user1", new String[] {});
  TEST_UTIL = new HBaseTestingUtility(conf);
  TEST_UTIL.startMiniZKCluster();
  MiniZooKeeperCluster miniZK = TEST_UTIL.getZkCluster();
  zkw1 = new ZKWatcher(conf, "cluster1", null, true);

  // Base conf2 on conf1 so it gets the right zk cluster.
  conf1 = HBaseConfiguration.create(conf);
  conf1.setInt("hfile.format.version", 3);
  conf1.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/2");
  conf1.setInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 6);
  conf1.setBoolean("hbase.tests.use.shortcircuit.reads", false);
  conf1.setStrings(HConstants.REPLICATION_CODEC_CONF_KEY, KeyValueCodecWithTags.class.getName());
  conf1.setStrings(CoprocessorHost.USER_REGION_COPROCESSOR_CONF_KEY,
          TestCoprocessorForTagsAtSink.class.getName());
  setVisibilityLabelServiceImpl(conf1, ExpAsStringVisibilityLabelServiceImpl.class);
  TEST_UTIL1 = new HBaseTestingUtility(conf1);
  TEST_UTIL1.setZkCluster(miniZK);
  zkw2 = new ZKWatcher(conf1, "cluster2", null, true);

  TEST_UTIL.startMiniCluster(1);
  // Wait for the labels table to become available
  TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
  TEST_UTIL1.startMiniCluster(1);

  admin = TEST_UTIL.getAdmin();
  ReplicationPeerConfig rpc = new ReplicationPeerConfig();
  rpc.setClusterKey(TEST_UTIL1.getClusterKey());
  admin.addReplicationPeer("2", rpc);

  TableDescriptorBuilder.ModifyableTableDescriptor tableDescriptor =
    new TableDescriptorBuilder.ModifyableTableDescriptor(TABLE_NAME);
  ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor familyDescriptor =
    new ColumnFamilyDescriptorBuilder.ModifyableColumnFamilyDescriptor(fam);
  familyDescriptor.setScope(HConstants.REPLICATION_SCOPE_GLOBAL);
  tableDescriptor.setColumnFamily(familyDescriptor);
  try (Admin hBaseAdmin = TEST_UTIL.getAdmin()) {
    hBaseAdmin.createTable(tableDescriptor);
  }
  try (Admin hBaseAdmin1 = TEST_UTIL1.getAdmin()){
    hBaseAdmin1.createTable(tableDescriptor);
  }
  addLabels();
  setAuths(conf);
  setAuths(conf1);
}
 

@Test
public void testHandleErrorsInFlush() throws Exception {
  LOG.info("Setting up a faulty file system that cannot write");

  final Configuration conf = HBaseConfiguration.create(TEST_UTIL.getConfiguration());
  User user = User.createUserForTesting(conf,
      "testhandleerrorsinflush", new String[]{"foo"});
  // Inject our faulty LocalFileSystem
  conf.setClass("fs.file.impl", FaultyFileSystem.class,
      FileSystem.class);
  user.runAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      // Make sure it worked (above is sensitive to caching details in hadoop core)
      FileSystem fs = FileSystem.get(conf);
      assertEquals(FaultyFileSystem.class, fs.getClass());

      // Initialize region
      init(name.getMethodName(), conf);

      LOG.info("Adding some data");
      store.add(new KeyValue(row, family, qf1, 1, (byte[])null), null);
      store.add(new KeyValue(row, family, qf2, 1, (byte[])null), null);
      store.add(new KeyValue(row, family, qf3, 1, (byte[])null), null);

      LOG.info("Before flush, we should have no files");

      Collection<StoreFileInfo> files =
        store.getRegionFileSystem().getStoreFiles(store.getColumnFamilyName());
      assertEquals(0, files != null ? files.size() : 0);

      //flush
      try {
        LOG.info("Flushing");
        flush(1);
        fail("Didn't bubble up IOE!");
      } catch (IOException ioe) {
        assertTrue(ioe.getMessage().contains("Fault injected"));
      }

      LOG.info("After failed flush, we should still have no files!");
      files = store.getRegionFileSystem().getStoreFiles(store.getColumnFamilyName());
      assertEquals(0, files != null ? files.size() : 0);
      store.getHRegion().getWAL().close();
      return null;
    }
  });
  FileSystem.closeAllForUGI(user.getUGI());
}
 

@BeforeClass
public static void beforeClass() throws Exception {
  conf = UTIL.getConfiguration();
  enableSecurity(conf);

  SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
  // Users with global permissions
  USER_GLOBAL_ADMIN = User.createUserForTesting(conf, "global_admin", new String[0]);
  USER_GLOBAL_CREATE = User.createUserForTesting(conf, "global_create", new String[0]);
  USER_GLOBAL_WRITE = User.createUserForTesting(conf, "global_write", new String[0]);
  USER_GLOBAL_READ = User.createUserForTesting(conf, "global_read", new String[0]);
  USER_GLOBAL_EXEC = User.createUserForTesting(conf, "global_exec", new String[0]);

  USER_NS_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
  USER_NS_CREATE = User.createUserForTesting(conf, "namespace_create", new String[0]);
  USER_NS_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
  USER_NS_READ = User.createUserForTesting(conf, "namespace_read", new String[0]);
  USER_NS_EXEC = User.createUserForTesting(conf, "namespace_exec", new String[0]);

  USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
  USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);

  USER_GROUP_ADMIN =
      User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
  USER_GROUP_NS_ADMIN =
      User.createUserForTesting(conf, "user_group_ns_admin", new String[] { GROUP_NS_ADMIN });
  USER_GROUP_CREATE =
      User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
  USER_GROUP_READ =
      User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
  USER_GROUP_WRITE =
      User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
  // TODO: other table perms

  UTIL.getConfiguration().setInt(HConstants.HBASE_CLIENT_RETRIES_NUMBER, 2);
  UTIL.startMiniCluster();
  // Wait for the ACL table to become available
  UTIL.waitTableAvailable(PermissionStorage.ACL_TABLE_NAME.getName(), 30 * 1000);

  // Find the Access Controller CP. Could be on master or if master is not serving regions, is
  // on an arbitrary server.
  for (JVMClusterUtil.RegionServerThread rst:
      UTIL.getMiniHBaseCluster().getLiveRegionServerThreads()) {
    ACCESS_CONTROLLER = rst.getRegionServer().getRegionServerCoprocessorHost().
      findCoprocessor(AccessController.class);
    if (ACCESS_CONTROLLER != null) {
      break;
    }
  }
  if (ACCESS_CONTROLLER == null) {
    throw new NullPointerException();
  }

  UTIL.getAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build());
  UTIL.getAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build());

  // grants on global
  grantGlobal(UTIL, USER_GLOBAL_ADMIN.getShortName(),  Permission.Action.ADMIN);
  grantGlobal(UTIL, USER_GLOBAL_CREATE.getShortName(), Permission.Action.CREATE);
  grantGlobal(UTIL, USER_GLOBAL_WRITE.getShortName(),  Permission.Action.WRITE);
  grantGlobal(UTIL, USER_GLOBAL_READ.getShortName(),   Permission.Action.READ);
  grantGlobal(UTIL, USER_GLOBAL_EXEC.getShortName(),   Permission.Action.EXEC);

  // grants on namespace
  grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(),  TEST_NAMESPACE, Permission.Action.ADMIN);
  grantOnNamespace(UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, Permission.Action.CREATE);
  grantOnNamespace(UTIL, USER_NS_WRITE.getShortName(),  TEST_NAMESPACE, Permission.Action.WRITE);
  grantOnNamespace(UTIL, USER_NS_READ.getShortName(),   TEST_NAMESPACE, Permission.Action.READ);
  grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(),   TEST_NAMESPACE, Permission.Action.EXEC);
  grantOnNamespace(UTIL, toGroupEntry(GROUP_NS_ADMIN), TEST_NAMESPACE, Permission.Action.ADMIN);

  grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);

  grantGlobal(UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN);
  grantGlobal(UTIL, toGroupEntry(GROUP_CREATE), Permission.Action.CREATE);
  grantGlobal(UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
  grantGlobal(UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
}