19 package org.apache.hadoop.hbase.security.access;
20
21 import static org.junit.Assert.assertEquals;
22 import static org.junit.Assert.assertFalse;
23 import static org.junit.Assert.assertTrue;
24 import static org.junit.Assert.fail;
25
26 import java.security.PrivilegedExceptionAction;
27 import java.util.ArrayList;
28 import java.util.List;
29 import java.util.UUID;
30 import java.io.IOException;
31
32 import org.apache.commons.logging.Log;
33 import org.apache.commons.logging.LogFactory;
34 import org.apache.hadoop.conf.Configuration;
35 import org.apache.hadoop.hbase.TableName;
36 import org.apache.hadoop.hbase.HBaseTestingUtility;
37 import org.apache.hadoop.hbase.LargeTests;
38 import org.apache.hadoop.hbase.client.HTable;
39 import org.apache.hadoop.hbase.client.Put;
40 import org.apache.hadoop.hbase.client.Result;
41 import org.apache.hadoop.hbase.client.ResultScanner;
42 import org.apache.hadoop.hbase.client.Scan;
43 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
44 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
45 import org.apache.hadoop.hbase.security.AccessDeniedException;
46 import org.apache.hadoop.hbase.security.User;
47 import org.apache.hadoop.hbase.util.Bytes;
48 import org.junit.AfterClass;
49 import org.junit.BeforeClass;
50 import org.junit.Test;
51 import org.junit.experimental.categories.Category;
52
53 import com.google.protobuf.BlockingRpcChannel;
54
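@Category(LargeTests.class)
/**
 * End-to-end check of column-qualifier access control on a mini cluster.
 *
 * <p>Three users scan the same table: one granted READ on the whole table
 * (sees every cell), one granted READ on a single qualifier (sees only that
 * cell; the other qualifier is filtered out of the returned rows), and one
 * with no grant at all (opening a scanner fails with
 * {@link AccessDeniedException}).
 */
public class TestAccessControlFilter {
  private static final Log LOG = LogFactory.getLog(TestAccessControlFilter.class);
  private static HBaseTestingUtility TEST_UTIL;

  /** Member of "supergroup"; issues the grants. */
  private static User ADMIN;
  /** Granted READ on the whole table; must see both columns. */
  private static User READER;
  /** Granted READ on FAMILY:PUBLIC_COL only; must not see PRIVATE_COL. */
  private static User LIMITED;
  /** Holds no grant; must not be able to open a scanner. */
  private static User DENIED;

  private static final TableName TABLE = TableName.valueOf("testtable");
  private static final byte[] FAMILY = Bytes.toBytes("f1");
  private static final byte[] PRIVATE_COL = Bytes.toBytes("private");
  private static final byte[] PUBLIC_COL = Bytes.toBytes("public");
  /** Rows written by the test and expected back from every permitted scan. */
  private static final int ROW_COUNT = 100;

  /**
   * Starts a secured mini cluster and creates the four test users.
   *
   * @throws Exception if the cluster cannot be started
   */
  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    TEST_UTIL = new HBaseTestingUtility();
    Configuration conf = TEST_UTIL.getConfiguration();
    SecureTestUtil.enableSecurity(conf);
    // The mini cluster's internal "<user>.hfs.N" identities are appended to the
    // superuser list, presumably so the cluster's own traffic is never denied -- confirm.
    String baseuser = User.getCurrent().getShortName();
    conf.set("hbase.superuser", conf.get("hbase.superuser", "") +
        String.format(",%s.hfs.0,%s.hfs.1,%s.hfs.2", baseuser, baseuser, baseuser));
    TEST_UTIL.startMiniCluster();
    // Grants are stored in the ACL table; wait for it before anything touches permissions.
    TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());

    ADMIN = User.createUserForTesting(conf, "admin", new String[]{"supergroup"});
    READER = User.createUserForTesting(conf, "reader", new String[0]);
    LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
    DENIED = User.createUserForTesting(conf, "denied", new String[0]);
  }

  /**
   * Stops the mini cluster.
   *
   * @throws Exception if shutdown fails
   */
  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  /**
   * Creates the test table and runs the qualifier-level access scenario against it.
   *
   * @throws Exception on any cluster, RPC or assertion failure
   */
  @Test
  public void testQualifierAccess() throws Exception {
    final HTable table = TEST_UTIL.createTable(TABLE, FAMILY);
    try {
      doQualifierAccess(table);
    } finally {
      table.close();
    }
  }

  /**
   * Opens {@link #TABLE} with a private copy of the test configuration.
   *
   * <p>The caller is responsible for closing the returned table. The random
   * "testkey" value makes each caller's Configuration distinct from the shared
   * one; presumably this keeps connections from being reused across the test
   * users -- confirm against the connection cache.
   *
   * @return an open table handle for whichever user is currently running
   * @throws IOException if the table cannot be opened
   */
  private static HTable openTableAsCurrentUser() throws IOException {
    Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
    conf.set("testkey", UUID.randomUUID().toString());
    return new HTable(conf, TABLE);
  }

  /**
   * Scans {@link #TABLE} as the current user and checks every returned row.
   *
   * <p>{@code PUBLIC_COL} must always be present with the value written for
   * that row. {@code PRIVATE_COL} must be present with its value when
   * {@code privateVisible} is true, and absent otherwise.
   *
   * @param privateVisible whether the caller expects to see {@code PRIVATE_COL}
   * @return the number of rows returned by the scan
   * @throws IOException if the scan fails
   */
  private static int scanAndVerify(boolean privateVisible) throws IOException {
    HTable t = openTableAsCurrentUser();
    try {
      ResultScanner rs = t.getScanner(new Scan());
      try {
        int rowcnt = 0;
        for (Result r : rs) {
          rowcnt++;
          int rownum = Bytes.toInt(r.getRow());
          if (privateVisible) {
            assertTrue(r.containsColumn(FAMILY, PRIVATE_COL));
            assertEquals("secret " + rownum, Bytes.toString(r.getValue(FAMILY, PRIVATE_COL)));
          } else {
            // The filter must remove the cell, not blank it or fail the whole row.
            assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
          }
          assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
          assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
        }
        return rowcnt;
      } finally {
        rs.close();
      }
    } finally {
      t.close();
    }
  }

  /**
   * Grants permissions, loads {@link #ROW_COUNT} rows and scans them as each user.
   *
   * @param table an open handle on {@link #TABLE}, used for the load; not closed here
   * @throws IOException if a load or scan fails
   * @throws InterruptedException if a {@code runAs} block is interrupted
   */
  private void doQualifierAccess(final HTable table) throws IOException, InterruptedException {

    // Grants: READER on the whole table, LIMITED on FAMILY:PUBLIC_COL only.
    ADMIN.runAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        HTable aclmeta = new HTable(TEST_UTIL.getConfiguration(),
            AccessControlLists.ACL_TABLE_NAME);
        try {
          // Row key used to route the coprocessor call to the ACL table; named so
          // it does not shadow the enclosing method's HTable parameter.
          byte[] aclRow = Bytes.toBytes("testtable");
          BlockingRpcChannel service = aclmeta.coprocessorService(aclRow);
          AccessControlService.BlockingInterface protocol =
              AccessControlService.newBlockingStub(service);
          ProtobufUtil.grant(protocol, READER.getShortName(),
              TABLE, null, null, Permission.Action.READ);
          ProtobufUtil.grant(protocol, LIMITED.getShortName(),
              TABLE, FAMILY, PUBLIC_COL, Permission.Action.READ);
        } finally {
          aclmeta.close();
        }
        return null;
      }
    });

    // Every row carries one "secret" cell and one "info" cell.
    List<Put> puts = new ArrayList<Put>(ROW_COUNT);
    for (int i = 0; i < ROW_COUNT; i++) {
      Put p = new Put(Bytes.toBytes(i));
      p.add(FAMILY, PRIVATE_COL, Bytes.toBytes("secret " + i));
      p.add(FAMILY, PUBLIC_COL, Bytes.toBytes("info " + i));
      puts.add(p);
    }
    table.put(puts);

    // Table-wide READ: all rows, both columns.
    READER.runAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        assertEquals("Expected 100 rows returned", ROW_COUNT, scanAndVerify(true));
        return null;
      }
    });

    // Qualifier-only READ: all rows come back, but without the private cell.
    LIMITED.runAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        assertEquals("Expected 100 rows returned", ROW_COUNT, scanAndVerify(false));
        return null;
      }
    });

    // No grant: opening the scanner itself must be refused.
    DENIED.runAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        HTable t = null;
        ResultScanner rs = null;
        try {
          t = openTableAsCurrentUser();
          rs = t.getScanner(new Scan());
          // AssertionError is not an AccessDeniedException, so this is not swallowed below.
          fail("Attempt to open scanner should have been denied");
        } catch (AccessDeniedException ade) {
          // Expected: DENIED holds no permission on TABLE.
        } finally {
          if (rs != null) {
            rs.close();
          }
          if (t != null) {
            t.close();
          }
        }
        return null;
      }
    });
  }
}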