You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by te...@apache.org on 2014/12/13 19:18:02 UTC
hbase git commit: HBASE-12659 Replace the method calls to grant and
revoke in shell scripts with AccessControlClient (Srikanth Srungarapu)
Repository: hbase
Updated Branches:
refs/heads/master b24518562 -> 65830b096
HBASE-12659 Replace the method calls to grant and revoke in shell scripts with AccessControlClient (Srikanth Srungarapu)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/65830b09
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/65830b09
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/65830b09
Branch: refs/heads/master
Commit: 65830b096b6f540b7e49ef590dac1ebe2491c126
Parents: b245185
Author: tedyu <yu...@gmail.com>
Authored: Sat Dec 13 10:17:43 2014 -0800
Committer: tedyu <yu...@gmail.com>
Committed: Sat Dec 13 10:17:43 2014 -0800
----------------------------------------------------------------------
.../security/access/AccessControlClient.java | 28 ++++++++++
.../hbase/security/access/SecureTestUtil.java | 42 +++++++++++++++
.../security/access/TestAccessController.java | 42 +++++++++++++++
hbase-shell/src/main/ruby/hbase/security.rb | 57 ++++++--------------
4 files changed, 128 insertions(+), 41 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/65830b09/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
index 521c58b..d0eb40d 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java
@@ -100,6 +100,20 @@ public class AccessControlClient {
}
}
+ /**
+ * Grant global permissions for the specified user.
+ */
+ public static void grant(Configuration conf, final String userName,
+ final Permission.Action... actions) throws Throwable {
+ // TODO: Make it so caller passes in a Connection rather than have us do this expensive
+ // setup each time. This class only used in test and shell at moment though.
+ try (Connection connection = ConnectionFactory.createConnection(conf)) {
+ try (Table table = connection.getTable(ACL_TABLE_NAME)) {
+ ProtobufUtil.grant(getAccessControlServiceStub(table), userName, actions);
+ }
+ }
+ }
+
public static boolean isAccessControllerRunning(Configuration conf)
throws MasterNotRunningException, ZooKeeperConnectionException, IOException {
// TODO: Make it so caller passes in a Connection rather than have us do this expensive
@@ -154,6 +168,20 @@ public class AccessControlClient {
}
/**
+ * Revoke global permissions for the specified user.
+ */
+ public static void revoke(Configuration conf, final String userName,
+ final Permission.Action... actions) throws Throwable {
+ // TODO: Make it so caller passes in a Connection rather than have us do this expensive
+ // setup each time. This class only used in test and shell at moment though.
+ try (Connection connection = ConnectionFactory.createConnection(conf)) {
+ try (Table table = connection.getTable(ACL_TABLE_NAME)) {
+ ProtobufUtil.revoke(getAccessControlServiceStub(table), userName, actions);
+ }
+ }
+ }
+
+ /**
* List all the userPermissions matching the given pattern.
* @param conf
* @param tableRegex The regular expression string to match against
http://git-wip-us.apache.org/repos/asf/hbase/blob/65830b09/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index a66a8e8..ea1baeb 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -499,6 +499,27 @@ public class SecureTestUtil {
}
/**
+ * Grant global permissions to the given user using AccessControlClient. Will wait until all
+ * active AccessController instances have updated their permissions caches or will
+ * throw an exception upon timeout (10 seconds).
+ */
+ public static void grantGlobalUsingAccessControlClient(final HBaseTestingUtility util,
+ final Configuration conf, final String user, final Permission.Action... actions)
+ throws Exception {
+ SecureTestUtil.updateACLs(util, new Callable<Void>() {
+ @Override
+ public Void call() throws Exception {
+ try {
+ AccessControlClient.grant(conf, user, actions);
+ } catch (Throwable t) {
+ t.printStackTrace();
+ }
+ return null;
+ }
+ });
+ }
+
+ /**
* Revoke permissions on a table from the given user. Will wait until all active
* AccessController instances have updated their permissions caches or will
* throw an exception upon timeout (10 seconds).
@@ -542,4 +563,25 @@ public class SecureTestUtil {
}
});
}
+
+ /**
+ * Revoke global permissions from the given user using AccessControlClient. Will wait until
+ * all active AccessController instances have updated their permissions caches or will
+ * throw an exception upon timeout (10 seconds).
+ */
+ public static void revokeGlobalUsingAccessControlClient(final HBaseTestingUtility util,
+ final Configuration conf, final String user,final Permission.Action... actions)
+ throws Exception {
+ SecureTestUtil.updateACLs(util, new Callable<Void>() {
+ @Override
+ public Void call() throws Exception {
+ try {
+ AccessControlClient.revoke(conf, user, actions);
+ } catch (Throwable t) {
+ t.printStackTrace();
+ }
+ return null;
+ }
+ });
+ }
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/65830b09/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index fb7af84..28d33d9 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -2213,6 +2213,48 @@ public class TestAccessController extends SecureTestUtil {
}
@Test
+ public void testAccessControlClientGlobalGrantRevoke() throws Exception {
+ // Create user for testing, who has no READ privileges by default.
+ User testGlobalGrantRevoke = User.createUserForTesting(conf,
+ "testGlobalGrantRevoke", new String[0]);
+ AccessTestAction getAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTable t = new HTable(conf, TEST_TABLE.getTableName());
+ try {
+ return t.get(new Get(TEST_ROW));
+ } finally {
+ t.close();
+ }
+ }
+ };
+
+ verifyDenied(getAction, testGlobalGrantRevoke);
+
+ // Grant table READ permissions to testGlobalGrantRevoke.
+ try {
+ grantGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(),
+ Permission.Action.READ);
+ } catch (Throwable e) {
+ LOG.error("error during call of AccessControlClient.grant. ", e);
+ }
+
+ // Now testGlobalGrantRevoke should be able to read also
+ verifyAllowed(getAction, testGlobalGrantRevoke);
+
+ // Revoke table READ permission to testGlobalGrantRevoke.
+ try {
+ revokeGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(),
+ Permission.Action.READ);
+ } catch (Throwable e) {
+ LOG.error("error during call of AccessControlClient.revoke ", e);
+ }
+
+ // Now testGlobalGrantRevoke shouldn't be able read
+ verifyDenied(getAction, testGlobalGrantRevoke);
+ }
+
+ @Test
public void testAccessControlClientGrantRevokeOnNamespace() throws Exception {
// Create user for testing, who has no READ privileges by default.
User testNS = User.createUserForTesting(conf, "testNS", new String[0]);
http://git-wip-us.apache.org/repos/asf/hbase/blob/65830b09/hbase-shell/src/main/ruby/hbase/security.rb
----------------------------------------------------------------------
diff --git a/hbase-shell/src/main/ruby/hbase/security.rb b/hbase-shell/src/main/ruby/hbase/security.rb
index 1bd025c..a0d6e91 100644
--- a/hbase-shell/src/main/ruby/hbase/security.rb
+++ b/hbase-shell/src/main/ruby/hbase/security.rb
@@ -38,21 +38,14 @@ module Hbase
# TODO: need to validate user name
begin
- meta_table = @connection.getTable(
- org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME)
- service = meta_table.coprocessorService(
- org.apache.hadoop.hbase.HConstants::EMPTY_START_ROW)
-
- protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos::
- AccessControlService.newBlockingStub(service)
- perm = org.apache.hadoop.hbase.security.access.Permission.new(
- permissions.to_java_bytes)
-
# Verify that the specified permission is valid
if (permissions == nil || permissions.length == 0)
raise(ArgumentError, "Invalid permission: no actions associated with user")
end
+ perm = org.apache.hadoop.hbase.security.access.Permission.new(
+ permissions.to_java_bytes)
+
if (table_name != nil)
tablebytes=table_name.to_java_bytes
#check if the tablename passed is actually a namespace
@@ -62,9 +55,8 @@ module Hbase
raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless
namespace_exists?(namespace_name)
- # invoke cp endpoint to perform access controlse
- org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant(
- protocol, user, namespace_name, perm.getActions())
+ org.apache.hadoop.hbase.security.access.AccessControlClient.grant(
+ @config, namespace_name, user, perm.getActions())
else
# Table should exist
raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)
@@ -79,19 +71,14 @@ module Hbase
fambytes = family.to_java_bytes if (family != nil)
qualbytes = qualifier.to_java_bytes if (qualifier != nil)
- # invoke cp endpoint to perform access controlse
- org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant(
- protocol, user, tableName, fambytes,
- qualbytes, perm.getActions())
+ org.apache.hadoop.hbase.security.access.AccessControlClient.grant(
+ @config, tableName, user, fambytes, qualbytes, perm.getActions())
end
else
- # invoke cp endpoint to perform access controlse
- org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant(
- protocol, user, perm.getActions())
+ # invoke cp endpoint to perform access controls
+ org.apache.hadoop.hbase.security.access.AccessControlClient.grant(
+ @config, user, perm.getActions())
end
-
- ensure
- meta_table.close()
end
end
@@ -102,14 +89,6 @@ module Hbase
# TODO: need to validate user name
begin
- meta_table = @connection.getTable(
- org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME)
- service = meta_table.coprocessorService(
- org.apache.hadoop.hbase.HConstants::EMPTY_START_ROW)
-
- protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos::
- AccessControlService.newBlockingStub(service)
-
if (table_name != nil)
#check if the tablename passed is actually a namespace
if (isNamespace?(table_name))
@@ -118,9 +97,8 @@ module Hbase
raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name)
tablebytes=table_name.to_java_bytes
- # invoke cp endpoint to perform access controlse
- org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke(
- protocol, user, namespace_name)
+ org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+ @config, namespace_name, user)
else
# Table should exist
raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name)
@@ -135,17 +113,14 @@ module Hbase
fambytes = family.to_java_bytes if (family != nil)
qualbytes = qualifier.to_java_bytes if (qualifier != nil)
- # invoke cp endpoint to perform access controlse
- org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke(
- protocol, user, tableName, fambytes, qualbytes)
+ org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+ @config, tableName, user, fambytes, qualbytes)
end
else
- # invoke cp endpoint to perform access controlse
perm = org.apache.hadoop.hbase.security.access.Permission.new(''.to_java_bytes)
- org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke(protocol, user, perm.getActions())
+ org.apache.hadoop.hbase.security.access.AccessControlClient.revoke(
+ @config, user, perm.getActions())
end
- ensure
- meta_table.close()
end
end