You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by ss...@apache.org on 2015/06/03 00:25:34 UTC
[1/2] hbase git commit: HBASE-13658 Improve the test run time for
TestAccessController class (Ashish Singhi)
Repository: hbase
Updated Branches:
refs/heads/branch-1 83d5f3164 -> ce636701f
http://git-wip-us.apache.org/repos/asf/hbase/blob/ce636701/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 75971d6..3b91554 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -38,6 +38,7 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hbase.Coprocessor;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
+import org.apache.hadoop.hbase.HBaseIOException;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HColumnDescriptor;
import org.apache.hadoop.hbase.HConstants;
@@ -105,14 +106,10 @@ import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.JVMClusterUtil;
-import org.apache.hadoop.hbase.util.TestTableName;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
-import org.junit.After;
import org.junit.AfterClass;
-import org.junit.Before;
import org.junit.BeforeClass;
-import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
@@ -136,7 +133,7 @@ public class TestAccessController extends SecureTestUtil {
Logger.getLogger(TableAuthManager.class).setLevel(Level.TRACE);
}
- @Rule public TestTableName TEST_TABLE = new TestTableName();
+ private static TableName TEST_TABLE = TableName.valueOf("testtable1");
private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
private static Configuration conf;
@@ -175,7 +172,7 @@ public class TestAccessController extends SecureTestUtil {
private static MasterCoprocessorEnvironment CP_ENV;
private static AccessController ACCESS_CONTROLLER;
private static RegionServerCoprocessorEnvironment RSCP_ENV;
- private RegionCoprocessorEnvironment RCP_ENV;
+ private static RegionCoprocessorEnvironment RCP_ENV;
@BeforeClass
public static void setupBeforeClass() throws Exception {
@@ -218,25 +215,24 @@ public class TestAccessController extends SecureTestUtil {
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
systemUserConnection = TEST_UTIL.getConnection();
+ setUpTableAndUserPermissions();
}
@AfterClass
public static void tearDownAfterClass() throws Exception {
+ cleanUp();
TEST_UTIL.shutdownMiniCluster();
}
- @Before
- public void setUp() throws Exception {
- // Create the test table (owner added to the _acl_ table)
- Admin admin = TEST_UTIL.getHBaseAdmin();
- HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName());
+ private static void setUpTableAndUserPermissions() throws Exception {
+ HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY);
hcd.setMaxVersions(100);
htd.addFamily(hcd);
htd.setOwner(USER_OWNER);
createTable(TEST_UTIL, htd, new byte[][] { Bytes.toBytes("s") });
- Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE.getTableName()).get(0);
+ Region region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0);
RegionCoprocessorHost rcpHost = region.getCoprocessorHost();
RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER,
Coprocessor.PRIORITY_HIGHEST, 1, conf);
@@ -250,26 +246,26 @@ public class TestAccessController extends SecureTestUtil {
Permission.Action.WRITE);
grantOnTable(TEST_UTIL, USER_RW.getShortName(),
- TEST_TABLE.getTableName(), TEST_FAMILY, null,
+ TEST_TABLE, TEST_FAMILY, null,
Permission.Action.READ,
Permission.Action.WRITE);
// USER_CREATE is USER_RW plus CREATE permissions
grantOnTable(TEST_UTIL, USER_CREATE.getShortName(),
- TEST_TABLE.getTableName(), null, null,
+ TEST_TABLE, null, null,
Permission.Action.CREATE,
Permission.Action.READ,
Permission.Action.WRITE);
grantOnTable(TEST_UTIL, USER_RO.getShortName(),
- TEST_TABLE.getTableName(), TEST_FAMILY, null,
+ TEST_TABLE, TEST_FAMILY, null,
Permission.Action.READ);
grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
- TEST_TABLE.getTableName(), TEST_FAMILY,
+ TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
- assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
TEST_TABLE.toString()).size());
@@ -278,21 +274,20 @@ public class TestAccessController extends SecureTestUtil {
}
}
- @After
- public void tearDown() throws Exception {
+ private static void cleanUp() throws Exception {
// Clean the _acl_ table
try {
- deleteTable(TEST_UTIL, TEST_TABLE.getTableName());
+ deleteTable(TEST_UTIL, TEST_TABLE);
} catch (TableNotFoundException ex) {
// Test deleted the table, no problem
- LOG.info("Test deleted table " + TEST_TABLE.getTableName());
+ LOG.info("Test deleted table " + TEST_TABLE);
}
// Verify all table/namespace permissions are erased
- assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
+ assertEquals(0, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
assertEquals(
- 0,
- AccessControlLists.getNamespacePermissions(conf,
- TEST_TABLE.getTableName().getNamespaceAsString()).size());
+ 0,
+ AccessControlLists.getNamespacePermissions(conf,
+ TEST_TABLE.getNamespaceAsString()).size());
}
@Test
@@ -319,11 +314,11 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction modifyTable = new AccessTestAction() {
@Override
public Object run() throws Exception {
- HTableDescriptor htd = new HTableDescriptor(TEST_TABLE.getTableName());
+ HTableDescriptor htd = new HTableDescriptor(TEST_TABLE);
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
htd.addFamily(new HColumnDescriptor("fam_" + User.getCurrent().getShortName()));
ACCESS_CONTROLLER.preModifyTable(ObserverContext.createAndPrepare(CP_ENV, null),
- TEST_TABLE.getTableName(), htd);
+ TEST_TABLE, htd);
return null;
}
};
@@ -338,7 +333,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER
- .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName());
+ .preDeleteTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
return null;
}
};
@@ -354,7 +349,7 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
ACCESS_CONTROLLER
.preTruncateTable(ObserverContext.createAndPrepare(CP_ENV, null),
- TEST_TABLE.getTableName());
+ TEST_TABLE);
return null;
}
};
@@ -369,8 +364,8 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction action = new AccessTestAction() {
@Override
public Object run() throws Exception {
- ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName(),
- hcd);
+ ACCESS_CONTROLLER.preAddColumn(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE,
+ hcd);
return null;
}
};
@@ -387,7 +382,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preModifyColumn(ObserverContext.createAndPrepare(CP_ENV, null),
- TEST_TABLE.getTableName(), hcd);
+ TEST_TABLE, hcd);
return null;
}
};
@@ -402,7 +397,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preDeleteColumn(ObserverContext.createAndPrepare(CP_ENV, null),
- TEST_TABLE.getTableName(), TEST_FAMILY);
+ TEST_TABLE, TEST_FAMILY);
return null;
}
};
@@ -417,7 +412,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preDisableTable(ObserverContext.createAndPrepare(CP_ENV, null),
- TEST_TABLE.getTableName());
+ TEST_TABLE);
return null;
}
};
@@ -444,7 +439,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER
- .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE.getTableName());
+ .preEnableTable(ObserverContext.createAndPrepare(CP_ENV, null), TEST_TABLE);
return null;
}
};
@@ -456,7 +451,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testMove() throws Exception {
List<HRegionLocation> regions;
- try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@@ -466,7 +461,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
ACCESS_CONTROLLER.preMove(ObserverContext.createAndPrepare(CP_ENV, null),
- hri, server, server);
+ hri, server, server);
return null;
}
};
@@ -478,7 +473,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testAssign() throws Exception {
List<HRegionLocation> regions;
- try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@@ -498,7 +493,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testUnassign() throws Exception {
List<HRegionLocation> regions;
- try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@@ -518,7 +513,7 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testRegionOffline() throws Exception {
List<HRegionLocation> regions;
- try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE.getTableName())) {
+ try (RegionLocator locator = systemUserConnection.getRegionLocator(TEST_TABLE)) {
regions = locator.getAllRegionLocations();
}
HRegionLocation location = regions.get(0);
@@ -628,21 +623,26 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testMergeRegions() throws Exception {
- final List<HRegion> regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(TEST_TABLE.getTableName());
- assertTrue("not enough regions: " + regions.size(), regions.size() >= 2);
+ final TableName tname = TableName.valueOf("testMergeRegions");
+ createTestTable(tname);
+ try {
+ final List<HRegion> regions = TEST_UTIL.getHBaseCluster().findRegionsForTable(tname);
+ assertTrue("not enough regions: " + regions.size(), regions.size() >= 2);
- AccessTestAction action = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- ACCESS_CONTROLLER.preMerge(
- ObserverContext.createAndPrepare(RSCP_ENV, null),
- regions.get(0),regions.get(1));
- return null;
- }
- };
+ AccessTestAction action = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preMerge(ObserverContext.createAndPrepare(RSCP_ENV, null),
+ regions.get(0), regions.get(1));
+ return null;
+ }
+ };
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ } finally {
+ deleteTable(TEST_UTIL, tname);
+ }
}
@Test
@@ -693,7 +693,7 @@ public class TestAccessController extends SecureTestUtil {
Get g = new Get(TEST_ROW);
g.addFamily(TEST_FAMILY);
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE)) {
t.get(g);
}
return null;
@@ -709,8 +709,8 @@ public class TestAccessController extends SecureTestUtil {
s.addFamily(TEST_FAMILY);
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
- ResultScanner scanner = t.getScanner(s);
+ Table table = conn.getTable(TEST_TABLE)) {
+ ResultScanner scanner = table.getScanner(s);
try {
for (Result r = scanner.next(); r != null; r = scanner.next()) {
// do nothing
@@ -736,7 +736,7 @@ public class TestAccessController extends SecureTestUtil {
Put p = new Put(TEST_ROW);
p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE)) {
t.put(p);
}
return null;
@@ -751,7 +751,7 @@ public class TestAccessController extends SecureTestUtil {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(TEST_FAMILY);
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE)) {
t.delete(d);
}
return null;
@@ -766,7 +766,7 @@ public class TestAccessController extends SecureTestUtil {
Increment inc = new Increment(TEST_ROW);
inc.addColumn(TEST_FAMILY, TEST_QUALIFIER, 1);
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE);) {
t.increment(inc);
}
return null;
@@ -784,7 +784,7 @@ public class TestAccessController extends SecureTestUtil {
Delete d = new Delete(TEST_ROW);
d.deleteFamily(TEST_FAMILY);
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE);) {
t.checkAndDelete(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
Bytes.toBytes("test_value"), d);
}
@@ -800,7 +800,7 @@ public class TestAccessController extends SecureTestUtil {
Put p = new Put(TEST_ROW);
p.add(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes(1));
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE);) {
t.checkAndPut(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
Bytes.toBytes("test_value"), p);
}
@@ -812,37 +812,39 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testBulkLoad() throws Exception {
- FileSystem fs = TEST_UTIL.getTestFileSystem();
- final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad");
- fs.mkdirs(dir);
- //need to make it globally writable
- //so users creating HFiles have write permissions
- fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx"));
-
- AccessTestAction bulkLoadAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- int numRows = 3;
-
- //Making the assumption that the test table won't split between the range
- byte[][][] hfileRanges = {{{(byte)0}, {(byte)9}}};
+ try {
+ FileSystem fs = TEST_UTIL.getTestFileSystem();
+ final Path dir = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoad");
+ fs.mkdirs(dir);
+ // need to make it globally writable
+ // so users creating HFiles have write permissions
+ fs.setPermission(dir, FsPermission.valueOf("-rwxrwxrwx"));
+
+ AccessTestAction bulkLoadAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ int numRows = 3;
- Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName()));
- new BulkLoadHelper(bulkLoadBasePath)
- .bulkLoadHFile(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_QUALIFIER, hfileRanges, numRows);
+ // Making the assumption that the test table won't split between the range
+ byte[][][] hfileRanges = { { { (byte) 0 }, { (byte) 9 } } };
- return null;
- }
- };
+ Path bulkLoadBasePath = new Path(dir, new Path(User.getCurrent().getName()));
+ new BulkLoadHelper(bulkLoadBasePath).bulkLoadHFile(TEST_TABLE, TEST_FAMILY,
+ TEST_QUALIFIER, hfileRanges, numRows);
- // User performing bulk loads must have privilege to read table metadata
- // (ADMIN or CREATE)
- verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ return null;
+ }
+ };
- // Reinit after the bulk upload
- TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE.getTableName());
- TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE.getTableName());
+ // User performing bulk loads must have privilege to read table metadata
+ // (ADMIN or CREATE)
+ verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ } finally {
+ // Reinit after the bulk upload
+ TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
+ TEST_UTIL.getHBaseAdmin().enableTable(TEST_TABLE);
+ }
}
public class BulkLoadHelper {
@@ -933,7 +935,7 @@ public class TestAccessController extends SecureTestUtil {
Append append = new Append(row);
append.add(TEST_FAMILY, qualifier, Bytes.toBytes(2));
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE)) {
t.put(put);
t.append(append);
}
@@ -952,11 +954,11 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
+ BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
- ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
- TEST_FAMILY, null, Action.READ);
+ ProtobufUtil.grant(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
+ Action.READ);
}
return null;
}
@@ -967,11 +969,11 @@ public class TestAccessController extends SecureTestUtil {
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
+ BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
AccessControlService.newBlockingStub(service);
- ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE.getTableName(),
- TEST_FAMILY, null, Action.READ);
+ ProtobufUtil.revoke(protocol, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
+ Action.READ);
}
return null;
}
@@ -981,11 +983,11 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getTableName().getName());
+ Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)){
+ BlockingRpcChannel service = acl.coprocessorService(TEST_TABLE.getName());
AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- ProtobufUtil.getUserPermissions(protocol, TEST_TABLE.getTableName());
+ AccessControlService.newBlockingStub(service);
+ ProtobufUtil.getUserPermissions(protocol, TEST_TABLE);
}
return null;
}
@@ -1007,16 +1009,21 @@ public class TestAccessController extends SecureTestUtil {
verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ try {
+ verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
- verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
-
- verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
- verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
- verifyDenied(getGlobalPermissionsAction, USER_CREATE,
- USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
+ verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_NONE);
+ } finally {
+ // Cleanup, Grant the revoked permission back to the user
+ grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
+ Permission.Action.READ);
+ }
}
@Test
@@ -1036,237 +1043,231 @@ public class TestAccessController extends SecureTestUtil {
htd.addFamily(new HColumnDescriptor(family1));
htd.addFamily(new HColumnDescriptor(family2));
createTable(TEST_UTIL, htd);
-
- // create temp users
- User tblUser = User
- .createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]);
- User gblUser = User
- .createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]);
-
- // prepare actions:
- AccessTestAction putActionAll = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Put p = new Put(Bytes.toBytes("a"));
- p.add(family1, qualifier, Bytes.toBytes("v1"));
- p.add(family2, qualifier, Bytes.toBytes("v2"));
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.put(p);
+ try {
+ // create temp users
+ User tblUser =
+ User.createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]);
+ User gblUser =
+ User.createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]);
+
+ // prepare actions:
+ AccessTestAction putActionAll = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Put p = new Put(Bytes.toBytes("a"));
+ p.add(family1, qualifier, Bytes.toBytes("v1"));
+ p.add(family2, qualifier, Bytes.toBytes("v2"));
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName);) {
+ t.put(p);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction putAction1 = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Put p = new Put(Bytes.toBytes("a"));
- p.add(family1, qualifier, Bytes.toBytes("v1"));
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.put(p);
- }
- return null;
- }
- };
+ AccessTestAction putAction1 = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Put p = new Put(Bytes.toBytes("a"));
+ p.add(family1, qualifier, Bytes.toBytes("v1"));
- AccessTestAction putAction2 = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Put p = new Put(Bytes.toBytes("a"));
- p.add(family2, qualifier, Bytes.toBytes("v2"));
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.put(p);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.put(p);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction getActionAll = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Get g = new Get(TEST_ROW);
- g.addFamily(family1);
- g.addFamily(family2);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.get(g);
+ AccessTestAction putAction2 = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Put p = new Put(Bytes.toBytes("a"));
+ p.add(family2, qualifier, Bytes.toBytes("v2"));
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName);) {
+ t.put(p);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction getAction1 = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Get g = new Get(TEST_ROW);
- g.addFamily(family1);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.get(g);
+ AccessTestAction getActionAll = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Get g = new Get(TEST_ROW);
+ g.addFamily(family1);
+ g.addFamily(family2);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName);) {
+ t.get(g);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction getAction2 = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Get g = new Get(TEST_ROW);
- g.addFamily(family2);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.get(g);
+ AccessTestAction getAction1 = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Get g = new Get(TEST_ROW);
+ g.addFamily(family1);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.get(g);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction deleteActionAll = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Delete d = new Delete(TEST_ROW);
- d.deleteFamily(family1);
- d.deleteFamily(family2);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.delete(d);
+ AccessTestAction getAction2 = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Get g = new Get(TEST_ROW);
+ g.addFamily(family2);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.get(g);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction deleteAction1 = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Delete d = new Delete(TEST_ROW);
- d.deleteFamily(family1);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.delete(d);
+ AccessTestAction deleteActionAll = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Delete d = new Delete(TEST_ROW);
+ d.deleteFamily(family1);
+ d.deleteFamily(family2);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.delete(d);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction deleteAction2 = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Delete d = new Delete(TEST_ROW);
- d.deleteFamily(family2);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.delete(d);
+ AccessTestAction deleteAction1 = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Delete d = new Delete(TEST_ROW);
+ d.deleteFamily(family1);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.delete(d);
+ }
+ return null;
}
- return null;
- }
- };
-
- // initial check:
- verifyDenied(tblUser, getActionAll, getAction1, getAction2);
- verifyDenied(tblUser, putActionAll, putAction1, putAction2);
- verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
-
- verifyDenied(gblUser, getActionAll, getAction1, getAction2);
- verifyDenied(gblUser, putActionAll, putAction1, putAction2);
- verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
-
- // grant table read permission
- grantGlobal(TEST_UTIL, gblUser.getShortName(),
- Permission.Action.READ);
- grantOnTable(TEST_UTIL, tblUser.getShortName(),
- tableName, null, null,
- Permission.Action.READ);
-
- // check
- verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
- verifyDenied(tblUser, putActionAll, putAction1, putAction2);
- verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
+ };
- verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
- verifyDenied(gblUser, putActionAll, putAction1, putAction2);
- verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ AccessTestAction deleteAction2 = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Delete d = new Delete(TEST_ROW);
+ d.deleteFamily(family2);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.delete(d);
+ }
+ return null;
+ }
+ };
- // grant table write permission while revoking read permissions
- grantGlobal(TEST_UTIL, gblUser.getShortName(),
- Permission.Action.WRITE);
- grantOnTable(TEST_UTIL, tblUser.getShortName(),
- tableName, null, null,
- Permission.Action.WRITE);
+ // initial check:
+ verifyDenied(tblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(tblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
- verifyDenied(tblUser, getActionAll, getAction1, getAction2);
- verifyAllowed(tblUser, putActionAll, putAction1, putAction2);
- verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2);
+ verifyDenied(gblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(gblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
- verifyDenied(gblUser, getActionAll, getAction1, getAction2);
- verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
- verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ // grant table read permission
+ grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ);
+ grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ);
- // revoke table permissions
- revokeGlobal(TEST_UTIL, gblUser.getShortName());
- revokeFromTable(TEST_UTIL, tblUser.getShortName(),
- tableName, null, null);
+ // check
+ verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(tblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
- verifyDenied(tblUser, getActionAll, getAction1, getAction2);
- verifyDenied(tblUser, putActionAll, putAction1, putAction2);
- verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
+ verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(gblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
- verifyDenied(gblUser, getActionAll, getAction1, getAction2);
- verifyDenied(gblUser, putActionAll, putAction1, putAction2);
- verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ // grant table write permission while revoking read permissions
+ grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE);
+ grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null,
+ Permission.Action.WRITE);
- // grant column family read permission
- grantGlobal(TEST_UTIL, gblUser.getShortName(),
- Permission.Action.READ);
- grantOnTable(TEST_UTIL, tblUser.getShortName(),
- tableName, family1, null, Permission.Action.READ);
+ verifyDenied(tblUser, getActionAll, getAction1, getAction2);
+ verifyAllowed(tblUser, putActionAll, putAction1, putAction2);
+ verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2);
- // Access should be denied for family2
- verifyAllowed(tblUser, getActionAll, getAction1);
- verifyDenied(tblUser, getAction2);
- verifyDenied(tblUser, putActionAll, putAction1, putAction2);
- verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
+ verifyDenied(gblUser, getActionAll, getAction1, getAction2);
+ verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
+ verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
- verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
- verifyDenied(gblUser, putActionAll, putAction1, putAction2);
- verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ // revoke table permissions
+ revokeGlobal(TEST_UTIL, gblUser.getShortName());
+ revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null);
- // grant column family write permission
- grantGlobal(TEST_UTIL, gblUser.getShortName(),
- Permission.Action.WRITE);
- grantOnTable(TEST_UTIL, tblUser.getShortName(),
- tableName, family2, null, Permission.Action.WRITE);
+ verifyDenied(tblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(tblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
- // READ from family1, WRITE to family2 are allowed
- verifyAllowed(tblUser, getActionAll, getAction1);
- verifyAllowed(tblUser, putAction2, deleteAction2);
- verifyDenied(tblUser, getAction2);
- verifyDenied(tblUser, putActionAll, putAction1);
- verifyDenied(tblUser, deleteActionAll, deleteAction1);
+ verifyDenied(gblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(gblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
- verifyDenied(gblUser, getActionAll, getAction1, getAction2);
- verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
- verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ // grant column family read permission
+ grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ);
+ grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family1, null,
+ Permission.Action.READ);
- // revoke column family permission
- revokeGlobal(TEST_UTIL, gblUser.getShortName());
- revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null);
+ // Access should be denied for family2
+ verifyAllowed(tblUser, getActionAll, getAction1);
+ verifyDenied(tblUser, getAction2);
+ verifyDenied(tblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
- // Revoke on family2 should not have impact on family1 permissions
- verifyAllowed(tblUser, getActionAll, getAction1);
- verifyDenied(tblUser, getAction2);
- verifyDenied(tblUser, putActionAll, putAction1, putAction2);
- verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
+ verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(gblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
- // Should not have access as global permissions are completely revoked
- verifyDenied(gblUser, getActionAll, getAction1, getAction2);
- verifyDenied(gblUser, putActionAll, putAction1, putAction2);
- verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ // grant column family write permission
+ grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.WRITE);
+ grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null,
+ Permission.Action.WRITE);
- // delete table
- deleteTable(TEST_UTIL, tableName);
+ // READ from family1, WRITE to family2 are allowed
+ verifyAllowed(tblUser, getActionAll, getAction1);
+ verifyAllowed(tblUser, putAction2, deleteAction2);
+ verifyDenied(tblUser, getAction2);
+ verifyDenied(tblUser, putActionAll, putAction1);
+ verifyDenied(tblUser, deleteActionAll, deleteAction1);
+
+ verifyDenied(gblUser, getActionAll, getAction1, getAction2);
+ verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
+ verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+
+ // revoke column family permission
+ revokeGlobal(TEST_UTIL, gblUser.getShortName());
+ revokeFromTable(TEST_UTIL, tblUser.getShortName(), tableName, family2, null);
+
+ // Revoke on family2 should not have impact on family1 permissions
+ verifyAllowed(tblUser, getActionAll, getAction1);
+ verifyDenied(tblUser, getAction2);
+ verifyDenied(tblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);
+
+ // Should not have access as global permissions are completely revoked
+ verifyDenied(gblUser, getActionAll, getAction1, getAction2);
+ verifyDenied(gblUser, putActionAll, putAction1, putAction2);
+ verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);
+ } finally {
+ // delete table
+ deleteTable(TEST_UTIL, tableName);
+ }
}
private boolean hasFoundUserPermission(UserPermission userPermission, List<UserPermission> perms) {
@@ -1291,92 +1292,90 @@ public class TestAccessController extends SecureTestUtil {
htd.addFamily(new HColumnDescriptor(family2));
createTable(TEST_UTIL, htd);
- // create temp users
- User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
+ try {
+ // create temp users
+ User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
- AccessTestAction getQualifierAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Get g = new Get(TEST_ROW);
- g.addColumn(family1, qualifier);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.get(g);
+ AccessTestAction getQualifierAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Get g = new Get(TEST_ROW);
+ g.addColumn(family1, qualifier);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.get(g);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction putQualifierAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Put p = new Put(TEST_ROW);
- p.add(family1, qualifier, Bytes.toBytes("v1"));
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.put(p);
+ AccessTestAction putQualifierAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Put p = new Put(TEST_ROW);
+ p.add(family1, qualifier, Bytes.toBytes("v1"));
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.put(p);
+ }
+ return null;
}
- return null;
- }
- };
+ };
- AccessTestAction deleteQualifierAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- Delete d = new Delete(TEST_ROW);
- d.deleteColumn(family1, qualifier);
- // d.deleteFamily(family1);
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(tableName)) {
- t.delete(d);
+ AccessTestAction deleteQualifierAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ Delete d = new Delete(TEST_ROW);
+ d.deleteColumn(family1, qualifier);
+ // d.deleteFamily(family1);
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(tableName)) {
+ t.delete(d);
+ }
+ return null;
}
- return null;
- }
- };
-
- revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null);
+ };
- verifyDenied(user, getQualifierAction);
- verifyDenied(user, putQualifierAction);
- verifyDenied(user, deleteQualifierAction);
+ revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, null);
- grantOnTable(TEST_UTIL, user.getShortName(),
- tableName, family1, qualifier,
- Permission.Action.READ);
+ verifyDenied(user, getQualifierAction);
+ verifyDenied(user, putQualifierAction);
+ verifyDenied(user, deleteQualifierAction);
- verifyAllowed(user, getQualifierAction);
- verifyDenied(user, putQualifierAction);
- verifyDenied(user, deleteQualifierAction);
+ grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
+ Permission.Action.READ);
- // only grant write permission
- // TODO: comment this portion after HBASE-3583
- grantOnTable(TEST_UTIL, user.getShortName(),
- tableName, family1, qualifier,
- Permission.Action.WRITE);
+ verifyAllowed(user, getQualifierAction);
+ verifyDenied(user, putQualifierAction);
+ verifyDenied(user, deleteQualifierAction);
- verifyDenied(user, getQualifierAction);
- verifyAllowed(user, putQualifierAction);
- verifyAllowed(user, deleteQualifierAction);
+ // only grant write permission
+ // TODO: comment this portion after HBASE-3583
+ grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
+ Permission.Action.WRITE);
- // grant both read and write permission
- grantOnTable(TEST_UTIL, user.getShortName(),
- tableName, family1, qualifier,
- Permission.Action.READ, Permission.Action.WRITE);
+ verifyDenied(user, getQualifierAction);
+ verifyAllowed(user, putQualifierAction);
+ verifyAllowed(user, deleteQualifierAction);
- verifyAllowed(user, getQualifierAction);
- verifyAllowed(user, putQualifierAction);
- verifyAllowed(user, deleteQualifierAction);
+ // grant both read and write permission
+ grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
+ Permission.Action.READ, Permission.Action.WRITE);
- // revoke family level permission won't impact column level
- revokeFromTable(TEST_UTIL, user.getShortName(),
- tableName, family1, qualifier);
+ verifyAllowed(user, getQualifierAction);
+ verifyAllowed(user, putQualifierAction);
+ verifyAllowed(user, deleteQualifierAction);
- verifyDenied(user, getQualifierAction);
- verifyDenied(user, putQualifierAction);
- verifyDenied(user, deleteQualifierAction);
+ // revoke family level permission won't impact column level
+ revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier);
- // delete table
- deleteTable(TEST_UTIL, tableName);
+ verifyDenied(user, getQualifierAction);
+ verifyDenied(user, putQualifierAction);
+ verifyDenied(user, deleteQualifierAction);
+ } finally {
+ // delete table
+ deleteTable(TEST_UTIL, tableName);
+ }
}
@Test
@@ -1397,117 +1396,117 @@ public class TestAccessController extends SecureTestUtil {
htd.addFamily(new HColumnDescriptor(family2));
htd.setOwner(USER_OWNER);
createTable(TEST_UTIL, htd);
-
- List<UserPermission> perms;
-
- Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
- BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- perms = ProtobufUtil.getUserPermissions(protocol, tableName);
- } finally {
- acl.close();
- }
+ List<UserPermission> perms;
+ Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ perms = ProtobufUtil.getUserPermissions(protocol, tableName);
+ } finally {
+ acl.close();
+ }
- UserPermission ownerperm = new UserPermission(
- Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values());
- assertTrue("Owner should have all permissions on table",
+ UserPermission ownerperm =
+ new UserPermission(Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values());
+ assertTrue("Owner should have all permissions on table",
hasFoundUserPermission(ownerperm, perms));
- User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
- byte[] userName = Bytes.toBytes(user.getShortName());
+ User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);
+ byte[] userName = Bytes.toBytes(user.getShortName());
- UserPermission up = new UserPermission(userName,
- tableName, family1, qualifier, Permission.Action.READ);
- assertFalse("User should not be granted permission: " + up.toString(),
- hasFoundUserPermission(up, perms));
+ UserPermission up =
+ new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ);
+ assertFalse("User should not be granted permission: " + up.toString(),
+ hasFoundUserPermission(up, perms));
- // grant read permission
- grantOnTable(TEST_UTIL, user.getShortName(),
- tableName, family1, qualifier, Permission.Action.READ);
+ // grant read permission
+ grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
+ Permission.Action.READ);
- acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
- try {
- BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- perms = ProtobufUtil.getUserPermissions(protocol, tableName);
- } finally {
- acl.close();
- }
+ acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ perms = ProtobufUtil.getUserPermissions(protocol, tableName);
+ } finally {
+ acl.close();
+ }
- UserPermission upToVerify = new UserPermission(
- userName, tableName, family1, qualifier, Permission.Action.READ);
- assertTrue("User should be granted permission: " + upToVerify.toString(),
- hasFoundUserPermission(upToVerify, perms));
+ UserPermission upToVerify =
+ new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ);
+ assertTrue("User should be granted permission: " + upToVerify.toString(),
+ hasFoundUserPermission(upToVerify, perms));
- upToVerify = new UserPermission(
- userName, tableName, family1, qualifier, Permission.Action.WRITE);
- assertFalse("User should not be granted permission: " + upToVerify.toString(),
- hasFoundUserPermission(upToVerify, perms));
+ upToVerify =
+ new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE);
+ assertFalse("User should not be granted permission: " + upToVerify.toString(),
+ hasFoundUserPermission(upToVerify, perms));
- // grant read+write
- grantOnTable(TEST_UTIL, user.getShortName(),
- tableName, family1, qualifier,
- Permission.Action.WRITE, Permission.Action.READ);
+ // grant read+write
+ grantOnTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
+ Permission.Action.WRITE, Permission.Action.READ);
- acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
- try {
- BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- perms = ProtobufUtil.getUserPermissions(protocol, tableName);
- } finally {
- acl.close();
- }
+ acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ perms = ProtobufUtil.getUserPermissions(protocol, tableName);
+ } finally {
+ acl.close();
+ }
- upToVerify = new UserPermission(userName, tableName, family1,
- qualifier, Permission.Action.WRITE, Permission.Action.READ);
- assertTrue("User should be granted permission: " + upToVerify.toString(),
- hasFoundUserPermission(upToVerify, perms));
+ upToVerify =
+ new UserPermission(userName, tableName, family1, qualifier, Permission.Action.WRITE,
+ Permission.Action.READ);
+ assertTrue("User should be granted permission: " + upToVerify.toString(),
+ hasFoundUserPermission(upToVerify, perms));
- // revoke
- revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
- Permission.Action.WRITE, Permission.Action.READ);
+ // revoke
+ revokeFromTable(TEST_UTIL, user.getShortName(), tableName, family1, qualifier,
+ Permission.Action.WRITE, Permission.Action.READ);
- acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
- try {
- BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- perms = ProtobufUtil.getUserPermissions(protocol, tableName);
- } finally {
- acl.close();
- }
+ acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ perms = ProtobufUtil.getUserPermissions(protocol, tableName);
+ } finally {
+ acl.close();
+ }
- assertFalse("User should not be granted permission: " + upToVerify.toString(),
+ assertFalse("User should not be granted permission: " + upToVerify.toString(),
hasFoundUserPermission(upToVerify, perms));
- // disable table before modification
- admin.disableTable(tableName);
+ // disable table before modification
+ admin.disableTable(tableName);
- User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {});
- htd.setOwner(newOwner);
- admin.modifyTable(tableName, htd);
+ User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {});
+ htd.setOwner(newOwner);
+ admin.modifyTable(tableName, htd);
- acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
- try {
- BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(service);
- perms = ProtobufUtil.getUserPermissions(protocol, tableName);
- } finally {
- acl.close();
- }
+ acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
+ try {
+ BlockingRpcChannel service = acl.coprocessorService(tableName.getName());
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(service);
+ perms = ProtobufUtil.getUserPermissions(protocol, tableName);
+ } finally {
+ acl.close();
+ }
- UserPermission newOwnerperm = new UserPermission(
- Bytes.toBytes(newOwner.getName()), tableName, null, Action.values());
- assertTrue("New owner should have all permissions on table",
+ UserPermission newOwnerperm =
+ new UserPermission(Bytes.toBytes(newOwner.getName()), tableName, null, Action.values());
+ assertTrue("New owner should have all permissions on table",
hasFoundUserPermission(newOwnerperm, perms));
-
- // delete table
- deleteTable(TEST_UTIL, tableName);
+ } finally {
+ // delete table
+ deleteTable(TEST_UTIL, tableName);
+ }
}
@Test
@@ -1525,7 +1524,7 @@ public class TestAccessController extends SecureTestUtil {
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
assertTrue("Only user admin has permission on table _acl_ per setup",
- perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+ perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
}
/** global operations */
@@ -1571,127 +1570,134 @@ public class TestAccessController extends SecureTestUtil {
User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]);
grantOnTable(TEST_UTIL, userTable.getShortName(),
- TEST_TABLE.getTableName(), null, null,
+ TEST_TABLE, null, null,
Permission.Action.READ);
grantOnTable(TEST_UTIL, userColumn.getShortName(),
- TEST_TABLE.getTableName(), TEST_FAMILY, null,
+ TEST_TABLE, TEST_FAMILY, null,
Permission.Action.READ);
grantOnTable(TEST_UTIL, userQualifier.getShortName(),
- TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
+ TEST_TABLE, TEST_FAMILY, TEST_Q1,
Permission.Action.READ);
- AccessTestAction tableRead = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), null, null,
- Permission.Action.READ);
- return null;
- }
- };
-
- AccessTestAction columnRead = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null,
- Permission.Action.READ);
- return null;
- }
- };
+ try {
+ AccessTestAction tableRead = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, null, null, Permission.Action.READ);
+ return null;
+ }
+ };
- AccessTestAction qualifierRead = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
- Permission.Action.READ);
- return null;
- }
- };
+ AccessTestAction columnRead = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
+ return null;
+ }
+ };
- AccessTestAction multiQualifierRead = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[] {
- new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
- Permission.Action.READ),
- new TablePermission(TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q2,
- Permission.Action.READ), });
- return null;
- }
- };
+ AccessTestAction qualifierRead = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
+ return null;
+ }
+ };
- AccessTestAction globalAndTableRead = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(),
- new Permission[] { new Permission(Permission.Action.READ),
- new TablePermission(TEST_TABLE.getTableName(), null, (byte[]) null,
- Permission.Action.READ), });
- return null;
- }
- };
+ AccessTestAction multiQualifierRead = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] {
+ new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ),
+ new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q2, Permission.Action.READ), });
+ return null;
+ }
+ };
- AccessTestAction noCheck = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), new Permission[0]);
- return null;
- }
- };
+ AccessTestAction globalAndTableRead = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[] {
+ new Permission(Permission.Action.READ),
+ new TablePermission(TEST_TABLE, null, (byte[]) null, Permission.Action.READ), });
+ return null;
+ }
+ };
- verifyAllowed(tableRead, SUPERUSER, userTable);
- verifyDenied(tableRead, userColumn, userQualifier);
+ AccessTestAction noCheck = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, new Permission[0]);
+ return null;
+ }
+ };
- verifyAllowed(columnRead, SUPERUSER, userTable, userColumn);
- verifyDenied(columnRead, userQualifier);
+ verifyAllowed(tableRead, SUPERUSER, userTable);
+ verifyDenied(tableRead, userColumn, userQualifier);
- verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier);
+ verifyAllowed(columnRead, SUPERUSER, userTable, userColumn);
+ verifyDenied(columnRead, userQualifier);
- verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn);
- verifyDenied(multiQualifierRead, userQualifier);
+ verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier);
- verifyAllowed(globalAndTableRead, SUPERUSER);
- verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier);
+ verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn);
+ verifyDenied(multiQualifierRead, userQualifier);
- verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier);
+ verifyAllowed(globalAndTableRead, SUPERUSER);
+ verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier);
- // --------------------------------------
- // test family level multiple permissions
- AccessTestAction familyReadWrite = new AccessTestAction() {
- @Override
- public Void run() throws Exception {
- checkTablePerms(TEST_UTIL, TEST_TABLE.getTableName(), TEST_FAMILY, null,
- Permission.Action.READ, Permission.Action.WRITE);
- return null;
- }
- };
+ verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier);
- verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(familyReadWrite, USER_NONE, USER_RO);
+ // --------------------------------------
+ // test family level multiple permissions
+ AccessTestAction familyReadWrite = new AccessTestAction() {
+ @Override
+ public Void run() throws Exception {
+ checkTablePerms(TEST_UTIL, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ,
+ Permission.Action.WRITE);
+ return null;
+ }
+ };
- // --------------------------------------
- // check for wrong table region
- CheckPermissionsRequest checkRequest = CheckPermissionsRequest.newBuilder()
- .addPermission(AccessControlProtos.Permission.newBuilder()
- .setType(AccessControlProtos.Permission.Type.Table)
- .setTablePermission(
- AccessControlProtos.TablePermission.newBuilder()
- .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE.getTableName()))
- .addAction(AccessControlProtos.Permission.Action.CREATE))
- ).build();
- Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
- try {
- BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
- AccessControlService.BlockingInterface protocol =
- AccessControlService.newBlockingStub(channel);
+ verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_CREATE, USER_RW);
+ verifyDenied(familyReadWrite, USER_NONE, USER_RO);
+
+ // --------------------------------------
+ // check for wrong table region
+ CheckPermissionsRequest checkRequest =
+ CheckPermissionsRequest
+ .newBuilder()
+ .addPermission(
+ AccessControlProtos.Permission
+ .newBuilder()
+ .setType(AccessControlProtos.Permission.Type.Table)
+ .setTablePermission(
+ AccessControlProtos.TablePermission.newBuilder()
+ .setTableName(ProtobufUtil.toProtoTableName(TEST_TABLE))
+ .addAction(AccessControlProtos.Permission.Action.CREATE))).build();
+ Table acl = systemUserConnection.getTable(AccessControlLists.ACL_TABLE_NAME);
try {
- // but ask for TablePermissions for TEST_TABLE
- protocol.checkPermissions(null, checkRequest);
- fail("this should have thrown CoprocessorException");
- } catch (ServiceException ex) {
- // expected
+ BlockingRpcChannel channel = acl.coprocessorService(new byte[0]);
+ AccessControlService.BlockingInterface protocol =
+ AccessControlService.newBlockingStub(channel);
+ try {
+ // but ask for TablePermissions for TEST_TABLE
+ protocol.checkPermissions(null, checkRequest);
+ fail("this should have thrown CoprocessorException");
+ } catch (ServiceException ex) {
+ // expected
+ }
+ } finally {
+ acl.close();
}
+
} finally {
- acl.close();
+ revokeFromTable(TEST_UTIL, userTable.getShortName(), TEST_TABLE, null, null,
+ Permission.Action.READ);
+ revokeFromTable(TEST_UTIL, userColumn.getShortName(), TEST_TABLE, TEST_FAMILY, null,
+ Permission.Action.READ);
+ revokeFromTable(TEST_UTIL, userQualifier.getShortName(), TEST_TABLE, TEST_FAMILY, TEST_Q1,
+ Permission.Action.READ);
}
}
@@ -1754,10 +1760,10 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testSnapshot() throws Exception {
Admin admin = TEST_UTIL.getHBaseAdmin();
- final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName());
+ final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE);
SnapshotDescription.Builder builder = SnapshotDescription.newBuilder();
- builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot");
- builder.setTable(TEST_TABLE.getTableName().getNameAsString());
+ builder.setName(TEST_TABLE.getNameAsString() + "-snapshot");
+ builder.setTable(TEST_TABLE.getNameAsString());
final SnapshotDescription snapshot = builder.build();
AccessTestAction snapshotAction = new AccessTestAction() {
@Override
@@ -1811,10 +1817,10 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testSnapshotWithOwner() throws Exception {
Admin admin = TEST_UTIL.getHBaseAdmin();
- final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE.getTableName());
+ final HTableDescriptor htd = admin.getTableDescriptor(TEST_TABLE);
SnapshotDescription.Builder builder = SnapshotDescription.newBuilder();
- builder.setName(TEST_TABLE.getTableName().getNameAsString() + "-snapshot");
- builder.setTable(TEST_TABLE.getTableName().getNameAsString());
+ builder.setName(TEST_TABLE.getNameAsString() + "-snapshot");
+ builder.setTable(TEST_TABLE.getNameAsString());
builder.setOwner(USER_OWNER.getName());
final SnapshotDescription snapshot = builder.build();
AccessTestAction snapshotAction = new AccessTestAction() {
@@ -1869,15 +1875,6 @@ public class TestAccessController extends SecureTestUtil {
LOG.debug("Test for global authorization for a new registered RegionServer.");
MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster();
- // Since each RegionServer running on different user, add global
- // permissions for the new user.
- String currentUser = User.getCurrent().getShortName();
- String activeUserForNewRs = currentUser + ".hfs." +
- hbaseCluster.getLiveRegionServerThreads().size();
- grantGlobal(TEST_UTIL, activeUserForNewRs,
- Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ,
- Permission.Action.WRITE);
-
final Admin admin = TEST_UTIL.getHBaseAdmin();
HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2);
htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
@@ -1941,35 +1938,40 @@ public class TestAccessController extends SecureTestUtil {
User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]);
// Grant TABLE ADMIN privs
- grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
- TEST_TABLE.getTableName(), null, null,
+ grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
Permission.Action.ADMIN);
-
- AccessTestAction listTablesAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
- Admin admin = conn.getAdmin()) {
- return Arrays.asList(admin.listTables());
+ try {
+ AccessTestAction listTablesAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Admin admin = conn.getAdmin()) {
+ return Arrays.asList(admin.listTables());
+ }
}
- }
- };
+ };
- AccessTestAction getTableDescAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
- Admin admin = conn.getAdmin();) {
- return admin.getTableDescriptor(TEST_TABLE.getTableName());
+ AccessTestAction getTableDescAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Admin admin = conn.getAdmin();) {
+ return admin.getTableDescriptor(TEST_TABLE);
+ }
}
- }
- };
+ };
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
- verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
+ verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
- verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
- verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
+ TABLE_ADMIN);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ } finally {
+ // Cleanup, revoke TABLE ADMIN privs
+ revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
+ Permission.Action.ADMIN);
+ }
}
@Test
@@ -1997,19 +1999,20 @@ public class TestAccessController extends SecureTestUtil {
@Test
public void testTableDeletion() throws Exception {
User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);
+ final TableName tname = TableName.valueOf("testTableDeletion");
+ createTestTable(tname);
// Grant TABLE ADMIN privs
- grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
- TEST_TABLE.getTableName(), null, null,
- Permission.Action.ADMIN);
+ grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(), tname, null, null, Permission.Action.ADMIN);
AccessTestAction deleteTableAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
- Connection unmanagedConnection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
+ Connection unmanagedConnection =
+ ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
Admin admin = unmanagedConnection.getAdmin();
try {
- deleteTable(TEST_UTIL, admin, TEST_TABLE.getTableName());
+ deleteTable(TEST_UTIL, admin, tname);
} finally {
admin.close();
unmanagedConnection.close();
@@ -2022,19 +2025,28 @@ public class TestAccessController extends SecureTestUtil {
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
+ private void createTestTable(TableName tname) throws Exception {
+ HTableDescriptor htd = new HTableDescriptor(tname);
+ HColumnDescriptor hcd = new HColumnDescriptor(TEST_FAMILY);
+ hcd.setMaxVersions(100);
+ htd.addFamily(hcd);
+ htd.setOwner(USER_OWNER);
+ createTable(TEST_UTIL, htd, new byte[][]{Bytes.toBytes("s")});
+ }
+
@Test
public void testNamespaceUserGrant() throws Exception {
AccessTestAction getAction = new AccessTestAction() {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName());) {
+ Table t = conn.getTable(TEST_TABLE);) {
return t.get(new Get(TEST_ROW));
}
}
};
- String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
+ String namespace = TEST_TABLE.getNamespaceAsString();
// Grant namespace READ to USER_NONE, this should supersede any table permissions
grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
@@ -2054,7 +2066,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE);) {
return t.get(new Get(TEST_ROW));
}
}
@@ -2064,8 +2076,8 @@ public class TestAccessController extends SecureTestUtil {
// Grant table READ permissions to testGrantRevoke.
try {
- grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
- TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
+ grantOnTableUsingAccessControlClient(TEST_UTIL, systemUserConnection,
+ testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
}
@@ -2075,8 +2087,8 @@ public class TestAccessController extends SecureTestUtil {
// Revoke table READ permission to testGrantRevoke.
try {
- revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection, testGrantRevoke.getShortName(),
- TEST_TABLE.getTableName(), null, null, Permission.Action.READ);
+ revokeFromTableUsingAccessControlClient(TEST_UTIL, systemUserConnection,
+ testGrantRevoke.getShortName(), TEST_TABLE, null, null, Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.revoke ", e);
}
@@ -2094,7 +2106,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE)) {
return t.get(new Get(TEST_ROW));
}
}
@@ -2103,26 +2115,30 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(getAction, testGlobalGrantRevoke);
// Grant table READ permissions to testGlobalGrantRevoke.
+ String userName = testGlobalGrantRevoke.getShortName();
try {
grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
- testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
+ userName, Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
}
+ try {
+ // Now testGlobalGrantRevoke should be able to read also
+ verifyAllowed(getAction, testGlobalGrantRevoke);
- // Now testGlobalGrantRevoke should be able to read also
- verifyAllowed(getAction, testGlobalGrantRevoke);
+ // Revoke table READ permission to testGlobalGrantRevoke.
+ try {
+ revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
+ userName, Permission.Action.READ);
+ } catch (Throwable e) {
+ LOG.error("error during call of AccessControlClient.revoke ", e);
+ }
- // Revoke table READ permission to testGlobalGrantRevoke.
- try {
- revokeGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection,
- testGlobalGrantRevoke.getShortName(), Permission.Action.READ);
- } catch (Throwable e) {
- LOG.error("error during call of AccessControlClient.revoke ", e);
+ // Now testGlobalGrantRevoke shouldn't be able read
+ verifyDenied(getAction, testGlobalGrantRevoke);
+ } finally {
+ revokeGlobal(TEST_UTIL, userName, Permission.Action.READ);
}
-
- // Now testGlobalGrantRevoke shouldn't be able read
- verifyDenied(getAction, testGlobalGrantRevoke);
}
@Test
@@ -2133,7 +2149,7 @@ public class TestAccessController extends SecureTestUtil {
@Override
public Object run() throws Exception {
try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName())) {
+ Table t = conn.getTable(TEST_TABLE);) {
return t.get(new Get(TEST_ROW));
}
}
@@ -2141,27 +2157,32 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(getAction, testNS);
+ String userName = testNS.getShortName();
+ String namespace = TEST_TABLE.getNamespaceAsString();
// Grant namespace READ to testNS, this should supersede any table permissions
try {
- grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
- TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
+ grantOnNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName,
+ namespace, Permission.Action.READ);
} catch (Throwable e) {
LOG.error("error during call of AccessControlClient.grant. ", e);
}
+ try {
+ // Now testNS should be able to read also
+ verifyAllowed(getAction, testNS);
- // Now testNS should be able to read also
- verifyAllowed(getAction, testNS);
+ // Revoke namespace READ to testNS, this should supersede any table permissions
+ try {
+ revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName,
+ namespace, Permission.Action.READ);
+ } catch (Throwable e) {
+ LOG.error("error during call of AccessControlClient.revoke ", e);
+ }
- // Revoke namespace READ to testNS, this should supersede any table permissions
- try {
- revokeFromNamespaceUsingAccessControlClient(TEST_UTIL, systemUserConnection, testNS.getShortName(),
- TEST_TABLE.getTableName().getNamespaceAsString(), Permission.Action.READ);
- } catch (Throwable e) {
- LOG.error("error during call of AccessControlClient.revoke ", e);
+ // Now testNS shouldn't be able read
+ verifyDenied(getAction, testNS);
+ } finally {
+ revokeFromNamespace(TEST_UTIL, userName, namespace, Permission.Action.READ);
}
-
- // Now testNS shouldn't be able read
- verifyDenied(getAction, testNS);
}
@@ -2216,7 +2237,7 @@ public class TestAccessController extends SecureTestUtil {
for (JVMClusterUtil.RegionServerThread thread:
TEST_UTIL.getMiniHBaseCluster().getRegionServerThreads()) {
HRegionServer rs = thread.getRegionServer();
- for (Region region: rs.getOnlineRegions(TEST_TABLE.getTableName())) {
+ for (Region region: rs.getOnlineRegions(TEST_TABLE)) {
region.getCoprocessorHost().load(PingCoprocessor.class,
Coprocessor.PRIORITY_USER, conf);
}
@@ -2228,32 +2249,37 @@ public class TestAccessController extends SecureTestUtil {
User userB = User.createUserForTesting(conf, "UserB", new String[0]);
grantOnTable(TEST_UTIL, userA.getShortName(),
- TEST_TABLE.getTableName(), null, null,
+ TEST_TABLE, null, null,
Permission.Action.EXEC);
-
- // Create an action for invoking our test endpoint
- AccessTestAction execEndpointAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(TEST_TABLE.getTableName());) {
- BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
- PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
+ try {
+ // Create an action for invoking our test endpoint
+ AccessTestAction execEndpointAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(TEST_TABLE);) {
+ BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
+ PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
+ }
+ return null;
}
- return null;
- }
- };
+ };
- String namespace = TEST_TABLE.getTableName().getNamespaceAsString();
- // Now grant EXEC to the entire namespace to user B
- grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
- // User B should now be allowed also
- verifyAllowed(execEndpointAction, userA, userB);
+ String namespace = TEST_TABLE.getNamespaceAsString();
+ // Now grant EXEC to the entire namespace to user B
+ grantOnNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
+ // User B should now be allowed also
+ verifyAllowed(execEndpointAction, userA, userB);
- revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
- // Verify that EXEC permission is checked correctly
- verifyDenied(execEndpointAction, userB);
- verifyAllowed(execEndpointAction, userA);
+ revokeFromNamespace(TEST_UTIL, userB.getShortName(), namespace, Permission.Action.EXEC);
+ // Verify that EXEC permission is checked correctly
+ verifyDenied(execEndpointAction, userB);
+ verifyAllowed(execEndpointAction, userA);
+ } finally {
+ // Cleanup, revoke the userA privileges
+ revokeFromTable(TEST_UTIL, userA.getShortName(), TEST_TABLE, null, null,
+ Permission.Action.EXEC);
+ }
}
@Test
@@ -2261,16 +2287,14 @@ public class TestAccessController extends SecureTestUtil {
AccessTestAction putWithReservedTag = new AccessTestAction() {
@Override
public Object run() throws Exception {
- Table t = new HTable(conf, TEST_TABLE.getTableName());
- try {
+ try(Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(TEST_TABLE);) {
KeyValue kv = new KeyValue(TEST_ROW, TEST_FAMILY, TEST_QUALIFIER,
HConstants.LATEST_TIMESTAMP, HConstants.EMPTY_BYTE_ARRAY,
new Tag[] { new Tag(AccessControlLists.ACL_TAG_TYPE,
ProtobufUtil.toUsersAndPermissions(USER_OWNER.getShortName(),
new Permission(Permission.Action.READ)).toByteArray()) });
t.put(new Put(TEST_ROW).add(kv));
- } finally {
- t.close();
}
return null;
}
@@ -2282,38 +2306,104 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO);
}
- @Test
- public void testGetNamespacePermission() throws Exception {
- String namespace = "testGetNamespacePermission";
- NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
- createNamespace(TEST_UTIL, desc);
- grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
- try {
- List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
- systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
- assertTrue(namespacePermissions != null);
- assertTrue(namespacePermissions.size() == 1);
- } catch (Throwable thw) {
- throw new HBaseException(thw);
- }
- deleteNamespace(TEST_UTIL, namespace);
- }
+ @Test
+ public void testSetQuota() throws Exception {
+ AccessTestAction setUserQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null),
+ null, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setUserTableQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null), null,
+ TEST_TABLE, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setUserNamespaceQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetUserQuota(ObserverContext.createAndPrepare(CP_ENV, null),
+ null, (String)null, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setTableQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetTableQuota(ObserverContext.createAndPrepare(CP_ENV, null),
+ TEST_TABLE, null);
+ return null;
+ }
+ };
+
+ AccessTestAction setNamespaceQuotaAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ ACCESS_CONTROLLER.preSetNamespaceQuota(ObserverContext.createAndPrepare(CP_ENV, null),
+ null, null);
+ return null;
+ }
+ };
+
+ verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN);
+ verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+
+ verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+
+ verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
+ verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
<TRUNCATED>
[2/2] hbase git commit: HBASE-13658 Improve the test run time for
TestAccessController class (Ashish Singhi)
Posted by ss...@apache.org.
HBASE-13658 Improve the test run time for TestAccessController class (Ashish Singhi)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/ce636701
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/ce636701
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/ce636701
Branch: refs/heads/branch-1
Commit: ce636701ff16e41e957c21c82356c732e9b2fcfb
Parents: 83d5f31
Author: Srikanth Srungarapu <ss...@cloudera.com>
Authored: Tue Jun 2 15:24:59 2015 -0700
Committer: Srikanth Srungarapu <ss...@cloudera.com>
Committed: Tue Jun 2 15:24:59 2015 -0700
----------------------------------------------------------------------
.../security/access/TestAccessController.java | 1584 +++++++++---------
1 file changed, 807 insertions(+), 777 deletions(-)
----------------------------------------------------------------------