View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import static org.junit.Assert.assertEquals;
22  import static org.junit.Assert.assertFalse;
23  import static org.junit.Assert.assertTrue;
24  
25  import java.security.PrivilegedExceptionAction;
26  import java.util.ArrayList;
27  import java.util.List;
28  import java.util.UUID;
29  
30  import org.apache.hadoop.conf.Configuration;
31  import org.apache.hadoop.hbase.HBaseTestingUtility;
32  import org.apache.hadoop.hbase.LargeTests;
33  import org.apache.hadoop.hbase.TableName;
34  import org.apache.hadoop.hbase.client.HTable;
35  import org.apache.hadoop.hbase.client.Put;
36  import org.apache.hadoop.hbase.client.Result;
37  import org.apache.hadoop.hbase.client.ResultScanner;
38  import org.apache.hadoop.hbase.client.Scan;
39  import org.apache.hadoop.hbase.security.User;
40  import org.apache.hadoop.hbase.util.Bytes;
41  import org.junit.AfterClass;
42  import org.junit.Before;
43  import org.junit.BeforeClass;
44  import org.junit.Rule;
45  import org.junit.Test;
46  import org.junit.experimental.categories.Category;
47  import org.junit.rules.TestName;
48  
49  @Category(LargeTests.class)
50  public class TestAccessControlFilter {
51    @Rule public TestName name = new TestName();
52    private static HBaseTestingUtility TEST_UTIL;
53  
54    private static User READER;
55    private static User LIMITED;
56    private static User DENIED;
57  
58    private static TableName TABLE;
59    private static byte[] FAMILY = Bytes.toBytes("f1");
60    private static byte[] PRIVATE_COL = Bytes.toBytes("private");
61    private static byte[] PUBLIC_COL = Bytes.toBytes("public");
62  
63    @Before 
64    public void setup () {
65      TABLE = TableName.valueOf(name.getMethodName());
66    }
67    
68    @BeforeClass
69    public static void setupBeforeClass() throws Exception {
70      TEST_UTIL = new HBaseTestingUtility();
71      Configuration conf = TEST_UTIL.getConfiguration();
72      SecureTestUtil.enableSecurity(conf);
73      String baseuser = User.getCurrent().getShortName();
74      conf.set("hbase.superuser", conf.get("hbase.superuser", "") +
75          String.format(",%s.hfs.0,%s.hfs.1,%s.hfs.2", baseuser, baseuser, baseuser));
76      TEST_UTIL.startMiniCluster();
77      TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName());
78  
79      READER = User.createUserForTesting(conf, "reader", new String[0]);
80      LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
81      DENIED = User.createUserForTesting(conf, "denied", new String[0]);
82    }
83  
84    @AfterClass
85    public static void tearDownAfterClass() throws Exception {
86      TEST_UTIL.shutdownMiniCluster();
87    }
88  
89    @Test
90    public void testQualifierAccess() throws Exception {
91      final HTable table = TEST_UTIL.createTable(TABLE, FAMILY);
92      try {
93        doQualifierAccess(table);
94      } finally {
95        table.close();
96      }
97    }
98  
99    private void doQualifierAccess(final HTable table) throws Exception {
100     // set permissions
101     SecureTestUtil.grantOnTable(TEST_UTIL, READER.getShortName(), TABLE, null, null,
102       Permission.Action.READ);
103     SecureTestUtil.grantOnTable(TEST_UTIL, LIMITED.getShortName(), TABLE, FAMILY, PUBLIC_COL,
104       Permission.Action.READ);
105 
106     // put some test data
107     List<Put> puts = new ArrayList<Put>(100);
108     for (int i=0; i<100; i++) {
109       Put p = new Put(Bytes.toBytes(i));
110       p.add(FAMILY, PRIVATE_COL, Bytes.toBytes("secret "+i));
111       p.add(FAMILY, PUBLIC_COL, Bytes.toBytes("info "+i));
112       puts.add(p);
113     }
114     table.put(puts);
115 
116     // test read
117     READER.runAs(new PrivilegedExceptionAction<Object>() {
118       public Object run() throws Exception {
119         Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
120         // force a new RS connection
121         conf.set("testkey", UUID.randomUUID().toString());
122         HTable t = new HTable(conf, TABLE);
123         try {
124           ResultScanner rs = t.getScanner(new Scan());
125           int rowcnt = 0;
126           for (Result r : rs) {
127             rowcnt++;
128             int rownum = Bytes.toInt(r.getRow());
129             assertTrue(r.containsColumn(FAMILY, PRIVATE_COL));
130             assertEquals("secret "+rownum, Bytes.toString(r.getValue(FAMILY, PRIVATE_COL)));
131             assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
132             assertEquals("info "+rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
133           }
134           assertEquals("Expected 100 rows returned", 100, rowcnt);
135           return null;
136         } finally {
137           t.close();
138         }
139       }
140     });
141 
142     // test read with qualifier filter
143     LIMITED.runAs(new PrivilegedExceptionAction<Object>() {
144       public Object run() throws Exception {
145         Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
146         // force a new RS connection
147         conf.set("testkey", UUID.randomUUID().toString());
148         HTable t = new HTable(conf, TABLE);
149         try {
150           ResultScanner rs = t.getScanner(new Scan());
151           int rowcnt = 0;
152           for (Result r : rs) {
153             rowcnt++;
154             int rownum = Bytes.toInt(r.getRow());
155             assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
156             assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
157             assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
158           }
159           assertEquals("Expected 100 rows returned", 100, rowcnt);
160           return null;
161         } finally {
162           t.close();
163         }
164       }
165     });
166 
167     // test as user with no permission
168     DENIED.runAs(new PrivilegedExceptionAction<Object>(){
169       public Object run() throws Exception {
170         Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
171         // force a new RS connection
172         conf.set("testkey", UUID.randomUUID().toString());
173         HTable t = new HTable(conf, TABLE);
174         try {
175           ResultScanner rs = t.getScanner(new Scan());
176           int rowcnt = 0;
177           for (Result r : rs) {
178             rowcnt++;
179             int rownum = Bytes.toInt(r.getRow());
180             assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
181             assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
182             assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
183           }
184           assertEquals("Expected 0 rows returned", 0, rowcnt);
185           return null;
186         } finally {
187           t.close();
188         }
189       }
190     });
191   }
192 }