1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security.access;
20
21 import static org.junit.Assert.assertEquals;
22 import static org.junit.Assert.assertFalse;
23 import static org.junit.Assert.assertTrue;
24
25 import java.security.PrivilegedExceptionAction;
26 import java.util.ArrayList;
27 import java.util.List;
28 import java.util.UUID;
29
30 import org.apache.hadoop.conf.Configuration;
31 import org.apache.hadoop.hbase.HBaseTestingUtility;
32 import org.apache.hadoop.hbase.LargeTests;
33 import org.apache.hadoop.hbase.TableName;
34 import org.apache.hadoop.hbase.client.HTable;
35 import org.apache.hadoop.hbase.client.Put;
36 import org.apache.hadoop.hbase.client.Result;
37 import org.apache.hadoop.hbase.client.ResultScanner;
38 import org.apache.hadoop.hbase.client.Scan;
39 import org.apache.hadoop.hbase.security.User;
40 import org.apache.hadoop.hbase.util.Bytes;
41 import org.junit.AfterClass;
42 import org.junit.Before;
43 import org.junit.BeforeClass;
44 import org.junit.Rule;
45 import org.junit.Test;
46 import org.junit.experimental.categories.Category;
47 import org.junit.rules.TestName;
48
49 @Category(LargeTests.class)
50 public class TestAccessControlFilter {
51 @Rule public TestName name = new TestName();
52 private static HBaseTestingUtility TEST_UTIL;
53
54 private static User READER;
55 private static User LIMITED;
56 private static User DENIED;
57
58 private static TableName TABLE;
59 private static byte[] FAMILY = Bytes.toBytes("f1");
60 private static byte[] PRIVATE_COL = Bytes.toBytes("private");
61 private static byte[] PUBLIC_COL = Bytes.toBytes("public");
62
63 @Before
64 public void setup () {
65 TABLE = TableName.valueOf(name.getMethodName());
66 }
67
68 @BeforeClass
69 public static void setupBeforeClass() throws Exception {
70 TEST_UTIL = new HBaseTestingUtility();
71 Configuration conf = TEST_UTIL.getConfiguration();
72 SecureTestUtil.enableSecurity(conf);
73 String baseuser = User.getCurrent().getShortName();
74 conf.set("hbase.superuser", conf.get("hbase.superuser", "") +
75 String.format(",%s.hfs.0,%s.hfs.1,%s.hfs.2", baseuser, baseuser, baseuser));
76 TEST_UTIL.startMiniCluster();
77 TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
78
79 READER = User.createUserForTesting(conf, "reader", new String[0]);
80 LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
81 DENIED = User.createUserForTesting(conf, "denied", new String[0]);
82 }
83
84 @AfterClass
85 public static void tearDownAfterClass() throws Exception {
86 TEST_UTIL.shutdownMiniCluster();
87 }
88
89 @Test
90 public void testQualifierAccess() throws Exception {
91 final HTable table = TEST_UTIL.createTable(TABLE, FAMILY);
92 try {
93 doQualifierAccess(table);
94 } finally {
95 table.close();
96 }
97 }
98
99 private void doQualifierAccess(final HTable table) throws Exception {
100
101 SecureTestUtil.grantOnTable(TEST_UTIL, READER.getShortName(), TABLE, null, null,
102 Permission.Action.READ);
103 SecureTestUtil.grantOnTable(TEST_UTIL, LIMITED.getShortName(), TABLE, FAMILY, PUBLIC_COL,
104 Permission.Action.READ);
105
106
107 List<Put> puts = new ArrayList<Put>(100);
108 for (int i=0; i<100; i++) {
109 Put p = new Put(Bytes.toBytes(i));
110 p.add(FAMILY, PRIVATE_COL, Bytes.toBytes("secret "+i));
111 p.add(FAMILY, PUBLIC_COL, Bytes.toBytes("info "+i));
112 puts.add(p);
113 }
114 table.put(puts);
115
116
117 READER.runAs(new PrivilegedExceptionAction<Object>() {
118 public Object run() throws Exception {
119 Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
120
121 conf.set("testkey", UUID.randomUUID().toString());
122 HTable t = new HTable(conf, TABLE);
123 try {
124 ResultScanner rs = t.getScanner(new Scan());
125 int rowcnt = 0;
126 for (Result r : rs) {
127 rowcnt++;
128 int rownum = Bytes.toInt(r.getRow());
129 assertTrue(r.containsColumn(FAMILY, PRIVATE_COL));
130 assertEquals("secret "+rownum, Bytes.toString(r.getValue(FAMILY, PRIVATE_COL)));
131 assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
132 assertEquals("info "+rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
133 }
134 assertEquals("Expected 100 rows returned", 100, rowcnt);
135 return null;
136 } finally {
137 t.close();
138 }
139 }
140 });
141
142
143 LIMITED.runAs(new PrivilegedExceptionAction<Object>() {
144 public Object run() throws Exception {
145 Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
146
147 conf.set("testkey", UUID.randomUUID().toString());
148 HTable t = new HTable(conf, TABLE);
149 try {
150 ResultScanner rs = t.getScanner(new Scan());
151 int rowcnt = 0;
152 for (Result r : rs) {
153 rowcnt++;
154 int rownum = Bytes.toInt(r.getRow());
155 assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
156 assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
157 assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
158 }
159 assertEquals("Expected 100 rows returned", 100, rowcnt);
160 return null;
161 } finally {
162 t.close();
163 }
164 }
165 });
166
167
168 DENIED.runAs(new PrivilegedExceptionAction<Object>(){
169 public Object run() throws Exception {
170 Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
171
172 conf.set("testkey", UUID.randomUUID().toString());
173 HTable t = new HTable(conf, TABLE);
174 try {
175 ResultScanner rs = t.getScanner(new Scan());
176 int rowcnt = 0;
177 for (Result r : rs) {
178 rowcnt++;
179 int rownum = Bytes.toInt(r.getRow());
180 assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
181 assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
182 assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
183 }
184 assertEquals("Expected 0 rows returned", 0, rowcnt);
185 return null;
186 } finally {
187 t.close();
188 }
189 }
190 });
191 }
192 }