Posted to commits@hbase.apache.org by ap...@apache.org on 2015/06/11 06:39:42 UTC
[1/5] hbase git commit: HBASE-13828 Add group permissions testing
coverage to AC
Repository: hbase
Updated Branches:
refs/heads/0.98 211f8bdd1 -> 95cc075a8
refs/heads/branch-1 f49f29618 -> c4054de40
refs/heads/branch-1.0 b56dc3d6d -> 904ec1e4c
refs/heads/branch-1.1 c2371e651 -> 7125dd4f9
refs/heads/master 399fddddc -> 349cbe102
HBASE-13828 Add group permissions testing coverage to AC
Signed-off-by: Andrew Purtell <ap...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/349cbe10
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/349cbe10
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/349cbe10
Branch: refs/heads/master
Commit: 349cbe102a130b50852201e84dc7ac3bea4fc1f5
Parents: 399fddd
Author: Ashish Singhi <as...@huawei.com>
Authored: Wed Jun 10 22:13:54 2015 +0530
Committer: Andrew Purtell <ap...@apache.org>
Committed: Wed Jun 10 17:47:04 2015 -0700
----------------------------------------------------------------------
.../security/access/TestAccessController.java | 299 ++++++++++++-------
.../security/access/TestAccessController2.java | 135 +++++----
.../security/access/TestNamespaceCommands.java | 197 ++++--------
3 files changed, 329 insertions(+), 302 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/349cbe10/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index f2d3dff..2a9d126 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -160,6 +160,16 @@ public class TestAccessController extends SecureTestUtil {
// user with admin rights on the column family
private static User USER_ADMIN_CF;
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
// creating all Scope x Permission combinations
@@ -214,6 +224,15 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
systemUserConnection = TEST_UTIL.getConnection();
setUpTableAndUserPermissions();
}
@@ -265,6 +284,11 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
+
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
@@ -303,10 +327,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -323,8 +348,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -338,8 +364,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -354,8 +381,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -370,8 +398,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -387,8 +416,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -402,8 +432,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -426,11 +457,13 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
// No user should be allowed to disable _acl_ table
- verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
+ verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -444,8 +477,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -466,8 +500,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -486,8 +521,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -506,8 +542,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -526,8 +563,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -540,8 +578,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -554,8 +593,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -568,8 +608,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -582,13 +623,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
private void verifyWrite(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
}
@Test
@@ -601,8 +644,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -617,8 +661,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -638,8 +683,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
deleteTable(TEST_UTIL, tname);
}
@@ -655,8 +701,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -670,18 +717,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
private void verifyRead(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
- verifyDenied(action, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
+ USER_GROUP_READ);
+ verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
}
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
@@ -837,8 +887,10 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
- verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
+ USER_GROUP_CREATE);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
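Review bot: The added verifyDenied now lists USER_GROUP_ADMIN, whose only grant is global ADMIN (the grantGlobal on GROUP_ADMIN in setUpTableAndUserPermissions), while the comment two lines above still says a bulk load needs "ADMIN or CREATE". The two cannot both be right; if the intent is that only CREATE qualifies (USER_ADMIN presumably holds CREATE as well, which is why it stays allowed), the comment should read `// User performing bulk loads must have CREATE privilege on the table; global ADMIN alone is not sufficient`. The enclosing test method starts outside the hunk.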
@@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(appendAction, USER_RO, USER_NONE);
+ verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_ADMIN);
}
@Test
@@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
- verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
+ verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
- USER_NONE);
+ USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
// Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@@ -1524,8 +1581,8 @@ public class TestAccessController extends SecureTestUtil {
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
- assertTrue("Only user admin has permission on table _acl_ per setup",
- perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+ assertTrue("Only global users and user admin has permission on table _acl_ per setup",
+ perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
}
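Review bot: The rewritten assertion only checks that perms has five entries and that adminPerm is among them, so the four group entries the message attributes to "global users" are never verified; any five entries containing the admin permission pass. Consider asserting each expected group entry with hasFoundUserPermission as is done for adminPerm, and explaining the literal in a comment such as `// USER_ADMIN plus the four GROUP_* global grants from setUpTableAndUserPermissions`. The same literal 5 is repeated in the assertEquals of the hunk at @@ -2466,7 +2542,7 @@; a shared constant would keep the two in step when another global grant is added. The message also reads better as `"Only global users and user admin have permission on table _acl_ per setup"`. The enclosing method starts outside the hunk.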
/** global operations */
@@ -1712,8 +1769,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1726,8 +1784,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1740,8 +1799,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1754,8 +1814,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1802,17 +1863,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1832,8 +1897,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction deleteAction = new AccessTestAction() {
@Override
@@ -1843,8 +1909,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction restoreAction = new AccessTestAction() {
@Override
@@ -1854,8 +1921,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction cloneAction = new AccessTestAction() {
@Override
@@ -1867,8 +1935,9 @@ public class TestAccessController extends SecureTestUtil {
};
// Clone by snapshot owner is not allowed , because clone operation creates a new table,
// which needs global admin permission.
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1962,12 +2031,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
- verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
- TABLE_ADMIN);
- verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
} finally {
// Cleanup, revoke TABLE ADMIN privs
revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
@@ -1992,8 +2064,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
- USER_RW, USER_RO);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
+ USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
verifyIfEmptyList(listTablesAction, USER_NONE);
}
@@ -2022,7 +2094,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
@@ -2354,21 +2427,24 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN);
- verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
- verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
- USER_OWNER);
+ verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
- verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
- verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
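Review bot: The unchanged `verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);` in the middle of this hunk is the only quota check not extended with the group users, although the verifyAllowed for the same action directly above it gained USER_GROUP_ADMIN. Unless the omission is deliberate, the deny side should read `verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);` so that it matches the other four quota actions in this method. The enclosing test method starts outside the hunk.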
@Test
@@ -2466,7 +2542,7 @@ public class TestAccessController extends SecureTestUtil {
// Verify that we can read sys-tables
String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
- assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
+ assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
// Grant TABLE ADMIN privs to testUserPerms
@@ -2491,8 +2567,10 @@ public class TestAccessController extends SecureTestUtil {
}
private void verifyAnyCreate(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
+ USER_GROUP_CREATE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
}
@Test
@@ -2530,7 +2608,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
- verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
+ verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
}
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/349cbe10/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index ecb3136..2685144 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -42,7 +42,6 @@ import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.Table;
-import org.apache.hadoop.hbase.master.HMaster;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.testclassification.LargeTests;
@@ -97,6 +96,7 @@ public class TestAccessController2 extends SecureTestUtil {
private String namespace = "testNamespace";
private String tname = namespace + ":testtable1";
private TableName tableName = TableName.valueOf(tname);
+ private static String TESTGROUP_1_NAME;
@BeforeClass
public static void setupBeforeClass() throws Exception {
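Review bot: `TESTGROUP_1_NAME` is introduced as a mutable `static` in UPPER_SNAKE_CASE, placed among the instance fields, and is only populated in setupBeforeClass (hunk @@ -109,6 +109,7 @@); the naming suggests a constant, which it is not. If convertToGroup can be called at class-initialisation time, `private static final String TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);` next to the other static group fields states the intent directly; otherwise a short `// assigned in setupBeforeClass` comment on the declaration avoids the surprise. The enclosing class continues outside the hunk.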
@@ -109,6 +109,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
TESTGROUP1_USER1 =
User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
TESTGROUP2_USER1 =
@@ -200,23 +201,27 @@ public class TestAccessController2 extends SecureTestUtil {
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
- grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
- AccessTestAction createAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
- desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
- try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
- try (Admin admin = connection.getAdmin()) {
- admin.createTable(desc);
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ try {
+ AccessTestAction createAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
+ desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ try (Connection connection =
+ ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
+ try (Admin admin = connection.getAdmin()) {
+ admin.createTable(desc);
+ }
}
+ return null;
}
- return null;
- }
- };
- verifyAllowed(createAction, TESTGROUP1_USER1);
- verifyDenied(createAction, TESTGROUP2_USER1);
- revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
+ };
+ verifyAllowed(createAction, TESTGROUP1_USER1);
+ verifyDenied(createAction, TESTGROUP2_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ }
}
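Review bot: The new finally block revokes the global CREATE grant but does not drop the table that the verifyAllowed run under TESTGROUP1_USER1 creates, so the following verifyDenied for TESTGROUP2_USER1 may be observing a table-already-exists failure rather than an access check, and a later test that reuses TEST_TABLE could be affected. Unless an @After rule already deletes TEST_TABLE, a guarded `deleteTable(TEST_UTIL, TEST_TABLE.getTableName());` in the same finally (as TestAccessController does after its create tests) would make the test self-contained. The try/finally around the grant is otherwise the right shape for this cleanup.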
@Test
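Review bot: The two nested try-with-resources around the Connection and the Admin inside createAction can be one try with both resources in the header, which is the form the ACL-table tests later in this file already use for the Connection/Table pair: `try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration()); Admin admin = connection.getAdmin()) { admin.createTable(desc); }`. The grant/verify/revoke wrapped in try/finally is the right shape here, since a failing verifyDenied would otherwise leave the global CREATE grant on the group for every test that runs afterwards. The verifyDenied for TESTGROUP2_USER1 is what actually proves the permission is scoped to the granted group rather than to group membership in general, so it should stay paired with the verifyAllowed.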
@@ -264,55 +269,65 @@ public class TestAccessController2 extends SecureTestUtil {
SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
TEST_TABLE.getTableName(), null, null, Action.ADMIN);
- // Write tests
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ try {
+ // Write tests
- AccessTestAction writeAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
+ AccessTestAction writeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
- TEST_VALUE));
- return null;
- } finally {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
+ return null;
+ } finally {
+ }
}
- }
- };
-
- // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+ };
- verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
- verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
- verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
- verifyAllowed(writeAction, superUser, globalWrite);
+ // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
- // Read tests
+ verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+ verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+ verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+ verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ }
- AccessTestAction scanAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- ResultScanner s = t.getScanner(new Scan());
- try {
- for (Result r = s.next(); r != null; r = s.next()) {
- // do nothing
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ try {
+ // Read tests
+
+ AccessTestAction scanAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ ResultScanner s = t.getScanner(new Scan());
+ try {
+ for (Result r = s.next(); r != null; r = s.next()) {
+ // do nothing
+ }
+ } finally {
+ s.close();
}
- } finally {
- s.close();
+ return null;
}
- return null;
}
- }
- };
+ };
- // All reads from ACL table denied except for GLOBAL READ and superuser
+ // All reads from ACL table denied except for GLOBAL READ and superuser
- verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
- verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
- verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
- verifyAllowed(scanAction, superUser, globalRead);
+ verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+ verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+ verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+ verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ }
}
/*
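Review bot: The `} finally {` / `}` pair on the new side of writeAction is an empty block carried over from the old code; with try-with-resources closing conn and t it does nothing and should be dropped, leaving `try (Connection conn = ConnectionFactory.createConnection(conf); Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) { t.put(...); return null; }`. In scanAction the ResultScanner is still closed by hand in a try/finally; if ResultScanner is Closeable in this branch it can join the try-with-resources header and the inner try goes away. The expectations themselves are the useful part of the change: a group holding only global WRITE can put to the ACL table but cannot scan it, the group with no grant is denied both, and each global grant is revoked in a finally so an assertion failure does not leave the group with access to the ACL table. The enclosing test method starts outside this hunk.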
@@ -412,17 +427,17 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group which has table level access can read all the data and group which
// has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group whose table level access has been revoked can't read any data.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group which has column family level access can read all the data
// belonging to that family and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
Permission.Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
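Review bot: Unlike testCreateTableWithGroupPermissions, the grant at `grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);` and its matching revokeFromTable are not in a try/finally, so a failed verifyAllowed or verifyDenied between them leaves the group's READ grant on tableName in the ACL table; the family- and qualifier-level grants in the next two hunks have the same shape. Whether that leak can affect other tests depends on whether tableName is reused beyond this method, which starts outside the hunk, but wrapping each grant/verify/revoke triple in try/finally as the other new tests do would make the cleanup unconditional.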
@@ -431,12 +446,12 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column family level access has been revoked can't read any
// data from that family.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
// Verify user from a group which has column qualifier level access can read data that has this
// family and qualifier, and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -446,7 +461,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column qualifier level access has been revoked can't read the
// data having this column family and qualifier.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/349cbe10/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 457bb3b..bccd64f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -92,6 +92,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
//user with create table permissions alone
private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -116,6 +126,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
+
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
// TODO: other table perms
UTIL.startMiniCluster();
@@ -144,6 +163,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+ grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
}
@AfterClass
@@ -204,20 +228,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// modifyNamespace: superuser | global(A) | NS(A)
- verifyAllowed(modifyNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(modifyNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
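Review bot: The comment `// modifyNamespace: superuser | global(A) | NS(A)` says a namespace ADMIN is allowed, but the rewritten verifyDenied lists USER_NS_ADMIN among the denied users; the deleteNamespace comment and expectation in the next hunk disagree in the same way. One of the two is stale: if the deny is the intended behaviour the comment should read `// modifyNamespace: superuser | global(A)`, otherwise USER_NS_ADMIN belongs in the verifyAllowed call. The new group users are placed consistently with the global users (USER_GROUP_ADMIN allowed, the READ/WRITE/CREATE groups denied), so only the NS(A) line needs resolving.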
@@ -241,41 +255,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// createNamespace: superuser | global(A)
- verifyAllowed(createNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
+ verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
// deleteNamespace: superuser | global(A) | NS(A)
- verifyAllowed(deleteNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(deleteNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -289,22 +279,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
// getNamespaceDescriptor : superuser | global(A) | NS(A)
- verifyAllowed(getNamespaceAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getNamespaceAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -327,14 +306,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
// listNamespaces : All access*
// * Returned list will only show what you can call getNamespaceDescriptor()
- verifyAllowed(listAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
+ assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
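Review bot: The new `assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());` sits directly under the comment `// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]`, which lists four names and is contradicted by every assertion that expects 4; the comment should say `// we have 4 namespaces`. The new line also repeats the raw `List` cast of its neighbours; `((List<?>) ...)` gives the same size() without an unchecked raw type, though that is a pre-existing pattern in this method.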
@@ -348,6 +325,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
}
@Test
@@ -411,56 +391,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
- verifyAllowed(grantAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(grantAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(revokeAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(revokeAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(getPermissionsAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getPermissionsAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -476,21 +421,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
//createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable,
- SUPERUSER,
- USER_GLOBAL_CREATE,
- USER_NS_CREATE);
-
- verifyDenied(createTable,
- USER_GLOBAL_ADMIN,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
+ verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
}
}
[5/5] hbase git commit: HBASE-13828 Add group permissions testing
coverage to AC
Posted by ap...@apache.org.
HBASE-13828 Add group permissions testing coverage to AC
Signed-off-by: Andrew Purtell <ap...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/95cc075a
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/95cc075a
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/95cc075a
Branch: refs/heads/0.98
Commit: 95cc075a8acbe6313852c37836b8ed145cfdbb33
Parents: 211f8bdd
Author: Ashish Singhi <as...@huawei.com>
Authored: Wed Jun 10 21:39:26 2015 -0700
Committer: Andrew Purtell <ap...@apache.org>
Committed: Wed Jun 10 21:39:26 2015 -0700
----------------------------------------------------------------------
.../security/access/TestAccessController.java | 235 ++++++++++++-------
.../security/access/TestAccessController2.java | 125 +++++-----
.../security/access/TestNamespaceCommands.java | 61 +++--
3 files changed, 269 insertions(+), 152 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/95cc075a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index d4fe59b..56af4a3 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -146,6 +146,16 @@ public class TestAccessController extends SecureTestUtil {
// user with admin rights on the column family
private static User USER_ADMIN_CF;
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
// creating all Scope x Permission combinations
@@ -203,6 +213,16 @@ public class TestAccessController extends SecureTestUtil {
USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]);
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
+
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
setUpTableAndUserPermissions();
}
@@ -255,6 +275,11 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
+
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(conf, TEST_TABLE.toString()).size());
@@ -287,10 +312,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -307,8 +333,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -322,8 +349,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -338,8 +366,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -354,8 +383,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -371,8 +401,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -386,8 +417,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -410,11 +442,13 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
// No user should be allowed to disable _acl_ table
- verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
+ verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -428,8 +462,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -452,8 +487,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -476,8 +512,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -500,8 +537,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -524,8 +562,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -538,8 +577,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -552,8 +592,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -566,8 +607,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -580,13 +622,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
private void verifyWrite(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
}
@Test
@@ -599,8 +643,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -615,8 +660,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -635,8 +681,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
TEST_UTIL.deleteTable(tname);
}
@@ -661,8 +708,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -676,18 +724,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
private void verifyRead(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
- verifyDenied(action, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
+ USER_GROUP_READ);
+ verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
}
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
@@ -859,8 +910,10 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
- verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
+ USER_GROUP_CREATE);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
} finally {
// Reinit after the bulk upload
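Review bot: The comment above says bulk loads need ADMIN or CREATE, yet the new verifyDenied lists USER_GROUP_ADMIN, which holds global ADMIN through the `grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN)` added earlier in this file, while USER_ADMIN stays in verifyAllowed. If USER_ADMIN passes for a reason other than its ADMIN permission (for example because it is treated as a superuser), the comment should say so, e.g. `// (CREATE; a plain global ADMIN grant is not sufficient)`; if a global ADMIN really is meant to be able to bulk load, the new expectation for USER_GROUP_ADMIN is wrong. Either way the comment and the group expectation should agree, since this is the one place in the file where a group with global ADMIN and USER_ADMIN are treated differently. The enclosing test method starts and ends outside this hunk.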
@@ -970,8 +1023,10 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(appendAction, USER_RO, USER_NONE);
+ verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_ADMIN);
}
@Test
@@ -1042,17 +1097,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
- verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
- verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
// Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@@ -1236,7 +1295,8 @@ public class TestAccessController extends SecureTestUtil {
// grant table read permission
grantGlobal(TEST_UTIL, gblUser.getShortName(), Permission.Action.READ);
- grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null, Permission.Action.READ);
+ grantOnTable(TEST_UTIL, tblUser.getShortName(), tableName, null, null,
+ Permission.Action.READ);
// check
verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
@@ -1602,8 +1662,8 @@ public class TestAccessController extends SecureTestUtil {
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
- assertTrue("Only user admin has permission on table _acl_ per setup",
- perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+ assertTrue("Only global users and user admin has permission on table _acl_ per setup",
+ perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
}
/** global operations */
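Review bot: `perms.size() == 5` is a magic count coupled to the four global group grants the commit adds in setup, and folding it into one `assertTrue` with `&&` means a failure will not say whether the count or the admin lookup went wrong. Splitting it gives a useful message: `assertEquals("USER_ADMIN plus the four global group grants are expected on _acl_ per setup", 5, perms.size());` followed by `assertTrue(hasFoundUserPermission(adminPerm, perms));`. Only adminPerm is actually looked up; presumably the four group entries make up the rest of the count, so checking each of them with hasFoundUserPermission as well would make the assertion say what it means. The message grammar ("users ... has") also wants fixing while the string is being touched.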
@@ -1788,8 +1848,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1802,8 +1863,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1816,8 +1878,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1830,8 +1893,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1994,11 +2058,14 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN);
- verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(listTablesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, TABLE_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
- verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
+ TABLE_ADMIN, USER_GROUP_ADMIN, USER_GROUP_CREATE);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
} finally {
// Cleanup, revoke TABLE ADMIN privs
revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
@@ -2029,7 +2096,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
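Review bot: Only the denied side gains group coverage here; USER_GROUP_CREATE and USER_GROUP_ADMIN, whose global grants should permit the delete, are not asserted, and the allowed side still lists TABLE_ADMIN alone. If deleteTableAction really drops the table, it can succeed only once per run, so those users cannot simply be appended to verifyAllowed; either recreate the table between allowed users, or record why the positive group case is missing with `// delete is one-shot, so only TABLE_ADMIN is exercised on the allowed side`. The enclosing test starts outside the hunk.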
@@ -2352,8 +2420,10 @@ public class TestAccessController extends SecureTestUtil {
}
private void verifyAnyCreate(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
+ USER_GROUP_CREATE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
}
@Test
@@ -2389,7 +2459,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
- verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
+ verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
}
}
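Review bot: The new allowed set for replicateLogEntriesAction (SUPERUSER, USER_ADMIN, USER_GROUP_WRITE) with USER_RW and USER_OWNER still denied pins down that this endpoint is gated on a global WRITE grant rather than any table-scoped right, and that deserves stating next to the assertion since global WRITE is a broad grant. Something like `// replicateLogEntries requires global WRITE (direct or via group); table-scoped RW and OWNER are not sufficient` above the verifyAllowed call. The gating rule is inferred from the expected sets, so confirm it against AccessController before wording it as fact.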
http://git-wip-us.apache.org/repos/asf/hbase/blob/95cc075a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index e8eb51b..a296d89 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -85,6 +85,7 @@ public class TestAccessController2 extends SecureTestUtil {
private String namespace = "testNamespace";
private String tname = namespace + ":testtable1";
private byte[] tableName = Bytes.toBytes(tname);
+ private static String TESTGROUP_1_NAME;
@BeforeClass
public static void setupBeforeClass() throws Exception {
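Review bot: `TESTGROUP_1_NAME` is added as a mutable, non-final static in the middle of the instance fields (`namespace`, `tname`, `tableName`) and then assigned in `setupBeforeClass` in the next hunk. If `convertToGroup` is a pure name-mapping helper with no cluster dependency — it looks like one, but the hunk does not show it — the field can be declared `private static final String TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);` beside the other static group constants and the later assignment dropped. Either way, keeping the statics together rather than interleaved with instance fields would read better.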
@@ -97,6 +98,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
TESTGROUP1_USER1 =
User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
TESTGROUP2_USER1 =
@@ -189,24 +191,27 @@ public class TestAccessController2 extends SecureTestUtil {
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
- grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
- AccessTestAction createAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration());
- HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
- desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
- try {
- admin.createTable(desc);
- } finally {
- admin.close();
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ try {
+ AccessTestAction createAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HBaseAdmin admin = new HBaseAdmin(TEST_UTIL.getConfiguration());
+ HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
+ desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ try {
+ admin.createTable(desc);
+ } finally {
+ admin.close();
+ }
+ return null;
}
- return null;
- }
- };
- verifyAllowed(createAction, TESTGROUP1_USER1);
- verifyDenied(createAction, TESTGROUP2_USER1);
- revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
+ };
+ verifyAllowed(createAction, TESTGROUP1_USER1);
+ verifyDenied(createAction, TESTGROUP2_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ }
}
@Test
@@ -254,57 +259,67 @@ public class TestAccessController2 extends SecureTestUtil {
SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
TEST_TABLE.getTableName(), null, null, Action.ADMIN);
- // Write tests
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ try {
+ // Write tests
- AccessTestAction writeAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
- try {
- t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
- TEST_VALUE));
- return null;
- } finally {
- t.close();
+ AccessTestAction writeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
+ try {
+ t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
+ return null;
+ } finally {
+ t.close();
+ }
}
- }
- };
+ };
- // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+ // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
- verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
- verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
- verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
- verifyAllowed(writeAction, superUser, globalWrite);
+ verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+ verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+ verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+ verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ }
- // Read tests
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ try {
+ // Read tests
- AccessTestAction scanAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
- try {
- ResultScanner s = t.getScanner(new Scan());
+ AccessTestAction scanAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTable t = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
try {
- for (Result r = s.next(); r != null; r = s.next()) {
- // do nothing
+ ResultScanner s = t.getScanner(new Scan());
+ try {
+ for (Result r = s.next(); r != null; r = s.next()) {
+ // do nothing
+ }
+ } finally {
+ s.close();
}
+ return null;
} finally {
- s.close();
+ t.close();
}
- return null;
- } finally {
- t.close();
}
- }
- };
+ };
- // All reads from ACL table denied except for GLOBAL READ and superuser
+ // All reads from ACL table denied except for GLOBAL READ and superuser
- verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
- verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
- verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
- verifyAllowed(scanAction, superUser, globalRead);
+ verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+ verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+ verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+ verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ }
}
/*
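Review bot: The anonymous `writeAction` and `scanAction` classes are now nested inside the grant/try blocks even though neither depends on the group grant, which adds a level of nesting to two large anonymous classes and turns what is really a four-line change (grant, try, verify, finally/revoke) into a near-full rewrite of the method. Defining each action before its `grantGlobal(...)` call and keeping only the `verifyDenied`/`verifyAllowed` calls inside `try { ... } finally { revokeGlobal(...); }` keeps the diff additive and easier to review. The try/finally itself is the right shape: a failing verify no longer leaves the group holding global WRITE or READ for later tests in the class.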
http://git-wip-us.apache.org/repos/asf/hbase/blob/95cc075a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 62a8935..b283afb 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -68,6 +68,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
// user with admin permission on namespace.
private static User USER_NSP_ADMIN;
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -82,6 +92,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_NSP_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
USER_NSP_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
UTIL.startMiniCluster();
// Wait for the ACL table to become available
UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 30 * 1000);
@@ -98,6 +117,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE, Permission.Action.ADMIN);
grantOnNamespace(UTIL, USER_NSP_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+ grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
}
@AfterClass
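Review bot: The four group users receive global grants here, so every namespace assertion added below exercises group membership only through the global-scope path; a group granted at namespace scope (`grantOnNamespace(UTIL, convertToGroup(...), TEST_NAMESPACE, ...)`) is never tested, although that is the scope this class is about. Adding at least one namespace-scoped group grant and a user in that group would cover resolution of group permissions on the namespace entry. If the global-only choice is deliberate, a comment on the block such as `// group permissions are granted at global scope here; namespace-scoped group grants are not covered` would make that explicit. Whether a teardown revokes these grants is outside the hunk.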
@@ -152,9 +176,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
// verify that superuser or hbase admin can modify namespaces.
- verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
+ verifyDenied(modifyNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -176,13 +201,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// verify that only superuser can create namespaces.
- verifyAllowed(createNamespace, SUPERUSER);
- // verify that superuser or hbase admin can delete namespaces.
- verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN);
+ verifyAllowed(createNamespace, SUPERUSER, USER_GROUP_ADMIN);
+ // verify that superuser or hbase admin can delete namespaces.
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN);
- verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW);
+ verifyDenied(createNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_NSP_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+ verifyDenied(deleteNamespace, USER_NSP_WRITE, USER_CREATE, USER_RW, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
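Review bot: The comment `// verify that only superuser can create namespaces.` (kept as context) is contradicted by the new allowed set, which includes USER_GROUP_ADMIN while USER_NSP_ADMIN stays denied. A comment matching the assertion would be `// verify that superuser or a global admin (here via group membership) can create namespaces; a namespace admin cannot.` The delete-namespace comment was removed and re-added unchanged, which only adds noise to the hunk.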
@@ -241,14 +268,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
// Only HBase super user should be able to grant and revoke permissions to
// namespaces
- verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN);
- verifyDenied(grantAction, USER_CREATE, USER_RW);
- verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
- verifyDenied(revokeAction, USER_CREATE, USER_RW);
+ verifyAllowed(grantAction, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_CREATE);
+ verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_CREATE);
// Only an admin should be able to get the user permission
- verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN);
- verifyDenied(revokeAction, USER_CREATE, USER_RW);
+ verifyAllowed(revokeAction, SUPERUSER, USER_NSP_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_CREATE);
}
@Test
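Review bot: The three lines under `// Only an admin should be able to get the user permission` re-run the revokeAction assertions a second time rather than exercising a get-permissions action, so the claim in that comment is not tested; the duplication predates the commit, but the commit rewrites those lines and keeps it. Presumably an `AccessControlClient.getUserPermissions`-style action for the namespace was intended and should replace the repeated `verifyAllowed(revokeAction, ...)`/`verifyDenied(revokeAction, ...)` pair. The comment at the top of the hunk, "Only HBase super user should be able to grant and revoke", also no longer describes an allowed set that includes USER_NSP_ADMIN and USER_GROUP_ADMIN.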
@@ -264,9 +294,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// Only users with create permissions on namespace should be able to create a new table
- verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE);
+ verifyAllowed(createTable, SUPERUSER, USER_NSP_WRITE, USER_GROUP_CREATE);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
}
}
[4/5] hbase git commit: HBASE-13828 Add group permissions testing
coverage to AC
Posted by ap...@apache.org.
HBASE-13828 Add group permissions testing coverage to AC
Signed-off-by: Andrew Purtell <ap...@apache.org>
Conflicts:
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/904ec1e4
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/904ec1e4
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/904ec1e4
Branch: refs/heads/branch-1.0
Commit: 904ec1e4c3e7556b6ce290180c62f22469a8a608
Parents: b56dc3d
Author: Ashish Singhi <as...@huawei.com>
Authored: Wed Jun 10 22:13:54 2015 +0530
Committer: Andrew Purtell <ap...@apache.org>
Committed: Wed Jun 10 21:20:57 2015 -0700
----------------------------------------------------------------------
.../security/access/TestAccessController.java | 256 ++++++++++++-------
.../security/access/TestAccessController2.java | 136 +++++-----
.../security/access/TestNamespaceCommands.java | 197 +++++---------
3 files changed, 305 insertions(+), 284 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/904ec1e4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index ce4aa68..2d78b74 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -156,6 +156,16 @@ public class TestAccessController extends SecureTestUtil {
// user with admin rights on the column family
private static User USER_ADMIN_CF;
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
// creating all Scope x Permission combinations
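Review bot: Each new group user belongs to exactly one group carrying exactly one action, so the suite still never exercises a principal whose effective rights are the union of several groups, or of a direct user grant plus a group grant; verifyReadWrite, for instance, ends up with no group user on its allowed side at all. One extra user placed in two groups, e.g. `User.createUserForTesting(conf, "user_group_rw", new String[] { GROUP_READ, GROUP_WRITE })`, would pin that group permissions accumulate rather than only the first matching group being consulted. The TODO above about covering the full Scope x Permission matrix applies to group scope as well.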
@@ -215,6 +225,15 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
systemUserConnection = TEST_UTIL.getConnection();
setUpTableAndUserPermissions();
}
@@ -269,6 +288,11 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
+
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
@@ -305,10 +329,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
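Review bot: `// verify that superuser can create tables` no longer describes the allowed set, which now includes USER_ADMIN and USER_GROUP_CREATE, and the interesting half of this hunk — that USER_GROUP_ADMIN is denied — goes unexplained. If USER_GROUP_ADMIN holds only a global ADMIN grant, the assertion pins that createTable requires CREATE and that ADMIN alone does not imply it; a comment such as `// createTable requires CREATE (global here, including via group); a global ADMIN-only grant is denied` would say so. The enclosing test starts outside the hunk.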
@@ -325,8 +350,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -340,8 +366,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -356,8 +383,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -372,8 +400,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -389,8 +418,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -404,8 +434,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -428,11 +459,13 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
// No user should be allowed to disable _acl_ table
- verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
+ verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
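Review bot: The denied list for `disableAclTable` is extended with all four group users but still omits USER_NONE, so the "No user should be allowed to disable _acl_ table" comment is one user short of what is asserted; the gap predates the commit, but the line is being rewritten anyway. Suggested: `verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);`. The enclosing test starts outside the hunk.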
@@ -446,8 +479,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -468,8 +502,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -488,8 +523,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -508,8 +544,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -528,8 +565,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -542,8 +580,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -556,8 +595,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -570,8 +610,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -584,13 +625,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
private void verifyWrite(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
}
@Test
@@ -603,8 +646,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -619,8 +663,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -639,8 +684,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
TEST_UTIL.deleteTable(tname);
}
@@ -656,8 +702,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -671,18 +718,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
private void verifyRead(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
- verifyDenied(action, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
+ USER_GROUP_READ);
+ verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
}
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
@@ -838,8 +888,10 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
- verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
+ USER_GROUP_CREATE);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
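Review bot: The comment two lines above the new assertions still says a bulk load needs "(ADMIN or CREATE)", yet USER_GROUP_ADMIN, whose only permission is global ADMIN, is placed in the new denied list. Read together the assertions show that CREATE is what is required and that USER_ADMIN passes because its setup grant is ACRW (per the adminPerm assertion later in this file), not because of ADMIN. Suggest rewording the comment to `// User performing bulk loads must have CREATE on the table; global ADMIN alone (USER_GROUP_ADMIN) is not sufficient`. The enclosing test method starts and ends outside the hunk.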
@@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(appendAction, USER_RO, USER_NONE);
+ verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_ADMIN);
}
@Test
@@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
- verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
+ verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
- USER_NONE);
+ USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
// Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@@ -1531,8 +1588,8 @@ public class TestAccessController extends SecureTestUtil {
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
- assertTrue("Only user admin has permission on table _acl_ per setup",
- perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+ assertTrue("Only global users and user admin has permission on table _acl_ per setup",
+ perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
}
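Review bot: The literal 5 in the new `perms.size() == 5` is a hidden dependency on the setup's four group grants plus USER_ADMIN, and the same literal reappears in the hunk at -2355 (`assertEquals(5, SUPERUSER.runAs(...).size())`); any further global grant added to setup breaks both with no hint why. Beyond the count, only adminPerm is checked to be present, so the assertion does not verify that the other four entries are in fact the group grants. Suggest a named constant with a comment such as `// USER_ADMIN plus the four GROUP_* global grants made in setup`, and checking each expected group UserPermission with hasFoundUserPermission as well. The message should also read `... and user admin have permission ...`.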
/** global operations */
@@ -1719,8 +1776,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1733,8 +1791,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1747,8 +1806,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1761,8 +1821,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1803,17 +1864,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
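Review bot: The rewritten assertions keep the cross-pairing in which `verifyAllowed(cloneAction, …)` is followed by `verifyDenied(deleteAction, …)` and `verifyAllowed(deleteAction, …)` by `verifyDenied(cloneAction, …)`, so each action's allowed and denied lists sit apart and a reader checking the matrix has to jump around. If the order is deliberate — presumably the superuser delete must come after the clone and restore attempts so the snapshot still exists — a one-line comment such as `// delete is verified last so the snapshot still exists for the clone/restore checks` would make that explicit; otherwise grouping allowed/denied per action would read more clearly. The enclosing test method starts outside the hunk.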
@Test
@@ -1908,12 +1973,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
- verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
- TABLE_ADMIN);
- verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
} finally {
// Cleanup, revoke TABLE ADMIN privs
revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
@@ -1938,8 +2006,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
- USER_RW, USER_RO);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
+ USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
verifyIfEmptyList(listTablesAction, USER_NONE);
}
@@ -1970,7 +2038,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
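Review bot: USER_GROUP_ADMIN and USER_GROUP_CREATE are added to neither list in the new `verifyDenied(deleteTableAction, …)`, so the two group users whose permissions could plausibly allow a delete are the only ones left uncovered here. If that is because a delete can only succeed once per test (only TABLE_ADMIN is verified allowed), a comment such as `// only one successful delete is possible per test, so allowed-side group users are not exercised here` would stop the omission from reading as an oversight. The enclosing test method starts outside the hunk.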
@@ -2355,7 +2424,7 @@ public class TestAccessController extends SecureTestUtil {
// Verify that we can read sys-tables
String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
- assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
+ assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
// Grant TABLE ADMIN privs to testUserPerms
@@ -2380,8 +2449,10 @@ public class TestAccessController extends SecureTestUtil {
}
private void verifyAnyCreate(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
+ USER_GROUP_CREATE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
}
@Test
@@ -2419,7 +2490,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
- verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
+ verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
}
}
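Review bot: The new allowed list for replicateLogEntriesAction is the one place in this file where USER_GROUP_WRITE is allowed while USER_GROUP_ADMIN is denied, which documents that replicating log entries is gated on global WRITE and that USER_ADMIN passes through its WRITE grant rather than ADMIN. That is worth stating next to the assertions, e.g. `// replicateLogEntries requires global WRITE; global ADMIN alone is denied`, so a later reader does not "fix" the lists to match the other admin-style actions. The enclosing test method starts outside the hunk.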
http://git-wip-us.apache.org/repos/asf/hbase/blob/904ec1e4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index 78a7ba9..d9fd8a8 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -94,6 +94,7 @@ public class TestAccessController2 extends SecureTestUtil {
private String namespace = "testNamespace";
private String tname = namespace + ":testtable1";
private TableName tableName = TableName.valueOf(tname);
+ private static String TESTGROUP_1_NAME;
@BeforeClass
public static void setupBeforeClass() throws Exception {
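Review bot: TESTGROUP_1_NAME is declared as a mutable static and assigned in setupBeforeClass (hunk at -106), although its value is a pure function of the TESTGROUP_1 constant; if convertToGroup is the static helper on SecureTestUtil it could be `private static final String TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);` at the declaration, removing the ordering dependency on the @BeforeClass body. The declaration is also placed among the instance fields (`namespace`, `tname`, `tableName`) rather than with the other static test fixtures.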
@@ -106,6 +107,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
TESTGROUP1_USER1 =
User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
TESTGROUP2_USER1 =
@@ -192,23 +194,27 @@ public class TestAccessController2 extends SecureTestUtil {
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
- grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
- AccessTestAction createAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
- desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
- try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
- try (Admin admin = connection.getAdmin()) {
- admin.createTable(desc);
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ try {
+ AccessTestAction createAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
+ desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ try (Connection connection =
+ ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
+ try (Admin admin = connection.getAdmin()) {
+ admin.createTable(desc);
+ }
}
+ return null;
}
- return null;
- }
- };
- verifyAllowed(createAction, TESTGROUP1_USER1);
- verifyDenied(createAction, TESTGROUP2_USER1);
- revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
+ };
+ verifyAllowed(createAction, TESTGROUP1_USER1);
+ verifyDenied(createAction, TESTGROUP2_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ }
}
@Test
@@ -256,54 +262,64 @@ public class TestAccessController2 extends SecureTestUtil {
SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
TEST_TABLE.getTableName(), null, null, Action.ADMIN);
- // Write tests
-
- AccessTestAction writeAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
- TEST_VALUE));
- return null;
- } finally {
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ try {
+ // Write tests
+
+ AccessTestAction writeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
+ return null;
+ } finally {
+ }
}
- }
- };
+ };
- // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+ // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
- verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
- verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
- verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
- verifyAllowed(writeAction, superUser, globalWrite);
-
- // Read tests
+ verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+ verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+ verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+ verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ }
- AccessTestAction scanAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- ResultScanner s = t.getScanner(new Scan());
- try {
- for (Result r = s.next(); r != null; r = s.next()) {
- // do nothing
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ try {
+ // Read tests
+
+ AccessTestAction scanAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ ResultScanner s = t.getScanner(new Scan());
+ try {
+ for (Result r = s.next(); r != null; r = s.next()) {
+ // do nothing
+ }
+ } finally {
+ s.close();
}
- } finally {
- s.close();
+ return null;
}
- return null;
}
- }
- };
+ };
- // All reads from ACL table denied except for GLOBAL READ and superuser
+ // All reads from ACL table denied except for GLOBAL READ and superuser
- verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
- verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
- verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
- verifyAllowed(scanAction, superUser, globalRead);
+ verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+ verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+ verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+ verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ }
}
/*
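Review bot: The rewritten writeAction keeps an empty `} finally { }` after its try-with-resources block (just above `return null`), which does nothing and can be dropped. In scanAction, ResultScanner is Closeable, so the manual try/finally around `s.close()` could move into the try-with-resources header alongside `ResultScanner s = t.getScanner(new Scan())`, making the two actions symmetric. The comments above the denied lists still say only GLOBAL WRITE/READ and superuser are allowed; now that TESTGROUP1_USER1 passes via its group's global grant, they could say so, e.g. `// All writes to ACL table denied except for GLOBAL WRITE (directly or via group) and superuser`.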
@@ -403,17 +419,17 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group which has table level access can read all the data and group which
// has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group whose table level access has been revoked can't read any data.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group which has column family level access can read all the data
// belonging to that family and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
Permission.Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@@ -422,12 +438,12 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column family level access has been revoked can't read any
// data from that family.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
// Verify user from a group which has column qualifier level access can read data that has this
// family and qualifier, and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -437,7 +453,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column qualifier level access has been revoked can't read the
// data having this column family and qualifier.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/904ec1e4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 2aabeed..bd174f3 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -91,6 +91,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
//user with create table permissions alone
private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -115,6 +125,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
+
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
// TODO: other table perms
UTIL.startMiniCluster();
@@ -143,6 +162,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+ grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
}
@AfterClass
@@ -201,20 +225,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// modifyNamespace: superuser | global(A) | NS(A)
- verifyAllowed(modifyNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(modifyNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
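Review bot: The comment above the rewritten assertions says `modifyNamespace: superuser | global(A) | NS(A)`, but USER_NS_ADMIN is in the new denied list, so the comment and the assertion disagree; the same mismatch exists for `deleteNamespace: superuser | global(A) | NS(A)` in the hunk at -238, where USER_NS_ADMIN is also denied. The assertions look like the intended behaviour (a namespace admin cannot alter or delete its own namespace), so the comments should drop the `| NS(A)` part, e.g. `// modifyNamespace: superuser | global(A)`. The enclosing test methods start outside the hunks.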
@Test
@@ -238,41 +252,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// createNamespace: superuser | global(A)
- verifyAllowed(createNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
+ verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
// deleteNamespace: superuser | global(A) | NS(A)
- verifyAllowed(deleteNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(deleteNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -286,22 +276,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
// getNamespaceDescriptor : superuser | global(A) | NS(A)
- verifyAllowed(getNamespaceAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getNamespaceAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -324,14 +303,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
// listNamespaces : All access*
// * Returned list will only show what you can call getNamespaceDescriptor()
- verifyAllowed(listAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
+ assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
@@ -345,6 +322,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
}
@Test
@@ -396,56 +376,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
- verifyAllowed(grantAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(grantAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(revokeAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(revokeAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(getPermissionsAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getPermissionsAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -461,21 +406,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
//createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable,
- SUPERUSER,
- USER_GLOBAL_CREATE,
- USER_NS_CREATE);
-
- verifyDenied(createTable,
- USER_GLOBAL_ADMIN,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
+ verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
}
}
[3/5] hbase git commit: HBASE-13828 Add group permissions testing
coverage to AC
Posted by ap...@apache.org.
HBASE-13828 Add group permissions testing coverage to AC
Signed-off-by: Andrew Purtell <ap...@apache.org>
Conflicts:
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/7125dd4f
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/7125dd4f
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/7125dd4f
Branch: refs/heads/branch-1.1
Commit: 7125dd4f97cb691462a9b79c2a818534c5c2de17
Parents: c2371e6
Author: Ashish Singhi <as...@huawei.com>
Authored: Wed Jun 10 22:13:54 2015 +0530
Committer: Andrew Purtell <ap...@apache.org>
Committed: Wed Jun 10 19:38:50 2015 -0700
----------------------------------------------------------------------
.../security/access/TestAccessController.java | 308 ++++++++++++-------
.../security/access/TestAccessController2.java | 135 ++++----
.../security/access/TestNamespaceCommands.java | 197 ++++--------
3 files changed, 334 insertions(+), 306 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/7125dd4f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 8996677..009f4b1 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -159,6 +159,16 @@ public class TestAccessController extends SecureTestUtil {
// user with admin rights on the column family
private static User USER_ADMIN_CF;
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
// creating all Scope x Permission combinations
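Review bot: The four new USER_GROUP_* fields carry no comment on how they differ from the existing test users, which matters because later assertions treat them asymmetrically (USER_GROUP_ADMIN is denied createTable while USER_ADMIN is allowed). A one-line comment above `private static User USER_GROUP_ADMIN;` would make the expectations self-explaining: `// users with no direct grants; each belongs to one group that holds exactly one global action`. The neighbouring `// user with admin rights on the column family` comment on USER_ADMIN_CF is the style to match.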
@@ -213,6 +223,15 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
systemUserConnection = TEST_UTIL.getConnection();
setUpTableAndUserPermissions();
}
@@ -264,6 +283,11 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
+
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
@@ -302,10 +326,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
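Review bot: The retained comment `// verify that superuser can create tables` above the changed `verifyAllowed` is now stale, since the call also lists USER_ADMIN and USER_GROUP_CREATE; suggest `// superuser, the global admin user and a user whose group holds global CREATE can create tables`. The denied line also deserves a note that USER_GROUP_ADMIN is rejected because its group carries only ADMIN, which suggests table creation is gated on CREATE rather than ADMIN — readers comparing it with the allowed USER_ADMIN will otherwise suspect a typo. The enclosing test method begins outside the hunk.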
@Test
@@ -322,8 +347,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -337,8 +363,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -353,8 +380,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -369,8 +397,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -386,8 +415,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -401,8 +431,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -425,11 +456,13 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
// No user should be allowed to disable _acl_ table
- verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
+ verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -443,8 +476,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -465,8 +499,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -485,8 +520,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -505,8 +541,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -525,8 +562,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -539,8 +577,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -553,8 +592,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -567,8 +607,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -581,13 +622,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
private void verifyWrite(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
}
@Test
@@ -600,8 +643,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -616,8 +660,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -636,8 +681,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
TEST_UTIL.deleteTable(tname);
}
@@ -653,8 +699,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -668,18 +715,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
private void verifyRead(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
- verifyDenied(action, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
+ USER_GROUP_READ);
+ verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
}
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
@@ -836,8 +886,10 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
- verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
+ USER_GROUP_CREATE);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
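Review bot: The retained comment `// (ADMIN or CREATE)` now contradicts the assertion beneath it: USER_GROUP_ADMIN, whose group holds global ADMIN, is placed in `verifyDenied`, while only the CREATE group is allowed. Either the comment should say the bulk-load check requires CREATE, or the expectation for USER_GROUP_ADMIN is wrong; since USER_ADMIN (which appears to hold several global actions) stays allowed, the comment is the likely culprit. Suggest `// User performing bulk loads must have CREATE on the table (to read its metadata)`. The enclosing test body continues outside the hunk.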
@@ -941,8 +993,10 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(appendAction, USER_RO, USER_NONE);
+ verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_ADMIN);
}
@Test
@@ -1005,18 +1059,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
- verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
+ verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
- USER_NONE);
+ USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
// Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@@ -1522,8 +1579,8 @@ public class TestAccessController extends SecureTestUtil {
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
- assertTrue("Only user admin has permission on table _acl_ per setup",
- perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+ assertTrue("Only global users and user admin has permission on table _acl_ per setup",
+ perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
}
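Review bot: `perms.size() == 5` hard-codes the four global group grants made in setup plus the admin entry, yet the assertion still only looks up `adminPerm`, so a wrong group entry or a stray extra grant would pass as long as the count matches. Consider asserting each of the four group permissions with `hasFoundUserPermission` as well, or at least deriving the expected size from a named constant shared with the `assertEquals(5, ...)` in the later hunk at @@ -2404,7 +2479,7. The message should also read `"Only global users and user admin have permission on table _acl_ per setup"`.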
/** global operations */
@@ -1710,8 +1767,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1724,8 +1782,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1738,8 +1797,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1752,8 +1812,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1800,17 +1861,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
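Review bot: The allowed/denied pairs in this block remain cross-wired on the new side: `verifyAllowed(cloneAction, ...)` is followed by `verifyDenied(deleteAction, ...)`, and `verifyAllowed(deleteAction, ...)` by `verifyDenied(cloneAction, ...)`. Every action is still covered, but while these lines are being rewritten it would be clearer to pair each action's allowed and denied calls together, as the snapshot and restore pairs already are. The enclosing test method starts outside the hunk.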
@Test
@@ -1830,8 +1895,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction deleteAction = new AccessTestAction() {
@Override
@@ -1841,8 +1907,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction restoreAction = new AccessTestAction() {
@Override
@@ -1852,8 +1919,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction cloneAction = new AccessTestAction() {
@Override
@@ -1865,8 +1933,9 @@ public class TestAccessController extends SecureTestUtil {
};
// Clone by snapshot owner is not allowed , because clone operation creates a new table,
// which needs global admin permission.
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1961,11 +2030,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
- verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
- verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, TABLE_ADMIN);
- verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
+ TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
} finally {
// Cleanup, revoke TABLE ADMIN privs
revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
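Review bot: Besides the group users, USER_OWNER is newly added to the `verifyAllowed` lists for `listTablesAction` and `getTableDescAction`, which widens the test beyond the group-permission coverage the commit title describes. If the owner was always expected to see its own table, a short comment such as `// table owner can list and describe its own table` on the first `verifyAllowed` would record the intent; if not, this belongs in a separate change. The following hunk (@@ -1990,7 +2063,8) makes the same USER_OWNER addition.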
@@ -1990,7 +2063,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
+ USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
verifyIfEmptyList(listTablesAction, USER_NONE);
}
@@ -2020,7 +2094,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
@@ -2311,22 +2386,22 @@ public class TestAccessController extends SecureTestUtil {
verifyDenied(putWithReservedTag, USER_OWNER, USER_ADMIN, USER_CREATE, USER_RW, USER_RO);
}
- @Test
- public void testGetNamespacePermission() throws Exception {
- String namespace = "testGetNamespacePermission";
- NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
- createNamespace(TEST_UTIL, desc);
- grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
- try {
- List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
- systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
- assertTrue(namespacePermissions != null);
- assertTrue(namespacePermissions.size() == 1);
- } catch (Throwable thw) {
- throw new HBaseException(thw);
- }
- deleteNamespace(TEST_UTIL, namespace);
- }
+ @Test
+ public void testGetNamespacePermission() throws Exception {
+ String namespace = "testGetNamespacePermission";
+ NamespaceDescriptor desc = NamespaceDescriptor.create(namespace).build();
+ createNamespace(TEST_UTIL, desc);
+ grantOnNamespace(TEST_UTIL, USER_NONE.getShortName(), namespace, Permission.Action.READ);
+ try {
+ List<UserPermission> namespacePermissions = AccessControlClient.getUserPermissions(
+ systemUserConnection, AccessControlLists.toNamespaceEntry(namespace));
+ assertTrue(namespacePermissions != null);
+ assertTrue(namespacePermissions.size() == 1);
+ } catch (Throwable thw) {
+ throw new HBaseException(thw);
+ }
+ deleteNamespace(TEST_UTIL, namespace);
+ }
@Test
public void testTruncatePerms() throws Throwable {
@@ -2404,7 +2479,7 @@ public class TestAccessController extends SecureTestUtil {
// Verify that we can read sys-tables
String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
- assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
+ assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
// Grant TABLE ADMIN privs to testUserPerms
@@ -2429,8 +2504,10 @@ public class TestAccessController extends SecureTestUtil {
}
private void verifyAnyCreate(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
+ USER_GROUP_CREATE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
}
@Test
@@ -2468,8 +2545,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
- verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
+ verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
}
@Test
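Review bot: Only USER_GROUP_WRITE joins the allowed list for `replicateLogEntriesAction`, and USER_GROUP_ADMIN is denied, which is the reverse of every other admin-style test in this file and will read like a mistake without explanation. A comment above `verifyAllowed(replicateLogEntriesAction, ...)` such as `// replicating log entries is gated on global WRITE, not ADMIN` would make the expectation self-explaining. The enclosing test method starts outside the hunk.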
http://git-wip-us.apache.org/repos/asf/hbase/blob/7125dd4f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index 01a45bc..119283c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -95,6 +95,7 @@ public class TestAccessController2 extends SecureTestUtil {
private String namespace = "testNamespace";
private String tname = namespace + ":testtable1";
private TableName tableName = TableName.valueOf(tname);
+ private static String TESTGROUP_1_NAME;
@BeforeClass
public static void setupBeforeClass() throws Exception {
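Review bot: `private static String TESTGROUP_1_NAME;` is a mutable static with constant-style naming, assigned later in `setupBeforeClass` (next hunk, @@ -107,6 +108,7). Both `convertToGroup` and `TESTGROUP_1` are already used from that static method, so the field can be initialised in place and made immutable: `private static final String TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);`, dropping the assignment in `setupBeforeClass`. This assumes `convertToGroup` is a pure string conversion that does not depend on the mini-cluster being up.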
@@ -107,6 +108,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
TESTGROUP1_USER1 =
User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
TESTGROUP2_USER1 =
@@ -197,23 +199,27 @@ public class TestAccessController2 extends SecureTestUtil {
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
- grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
- AccessTestAction createAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
- desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
- try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
- try (Admin admin = connection.getAdmin()) {
- admin.createTable(desc);
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ try {
+ AccessTestAction createAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
+ desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ try (Connection connection =
+ ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
+ try (Admin admin = connection.getAdmin()) {
+ admin.createTable(desc);
+ }
}
+ return null;
}
- return null;
- }
- };
- verifyAllowed(createAction, TESTGROUP1_USER1);
- verifyDenied(createAction, TESTGROUP2_USER1);
- revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
+ };
+ verifyAllowed(createAction, TESTGROUP1_USER1);
+ verifyDenied(createAction, TESTGROUP2_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ }
}
@Test
@@ -261,53 +267,64 @@ public class TestAccessController2 extends SecureTestUtil {
SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
TEST_TABLE.getTableName(), null, null, Action.ADMIN);
- // Write tests
-
- AccessTestAction writeAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
- TEST_VALUE));
- return null;
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ try {
+ // Write tests
+
+ AccessTestAction writeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
+ return null;
+ } finally {
+ }
}
- }
- };
-
- // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+ };
- verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
- verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
- verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
- verifyAllowed(writeAction, superUser, globalWrite);
+ // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
- // Read tests
+ verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+ verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+ verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+ verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ }
- AccessTestAction scanAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- ResultScanner s = t.getScanner(new Scan());
- try {
- for (Result r = s.next(); r != null; r = s.next()) {
- // do nothing
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ try {
+ // Read tests
+
+ AccessTestAction scanAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ ResultScanner s = t.getScanner(new Scan());
+ try {
+ for (Result r = s.next(); r != null; r = s.next()) {
+ // do nothing
+ }
+ } finally {
+ s.close();
}
- } finally {
- s.close();
+ return null;
}
- return null;
}
- }
- };
+ };
- // All reads from ACL table denied except for GLOBAL READ and superuser
+ // All reads from ACL table denied except for GLOBAL READ and superuser
- verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
- verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
- verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
- verifyAllowed(scanAction, superUser, globalRead);
+ verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+ verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+ verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+ verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ }
}
/*
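Review bot: The rewritten `writeAction` body gains an empty `} finally { }` immediately after `return null;` inside the try-with-resources; it does nothing and the two lines should be removed. In `scanAction` the `ResultScanner` is still closed by hand in a nested try/finally even though it is Closeable and can be declared in the resource list, which removes the `s.close()` block entirely; the rewritten `scanAction` is below. The enclosing test method starts outside the hunk and the grant/verify/revoke structure is unchanged.
```java
        AccessTestAction scanAction = new AccessTestAction() {
          @Override
          public Object run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(conf);
                Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME);
                ResultScanner s = t.getScanner(new Scan())) {
              for (Result r = s.next(); r != null; r = s.next()) {
                // do nothing
              }
              return null;
            }
          }
        };
        // … unchanged: read verifyDenied/verifyAllowed calls and revokeGlobal in finally …
```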
@@ -407,17 +424,17 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group which has table level access can read all the data and group which
// has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group whose table level access has been revoked can't read any data.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group which has column family level access can read all the data
// belonging to that family and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
Permission.Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@@ -426,12 +443,12 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column family level access has been revoked can't read any
// data from that family.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
// Verify user from a group which has column qualifier level access can read data that has this
// family and qualifier, and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -441,7 +458,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column qualifier level access has been revoked can't read the
// data having this column family and qualifier.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/7125dd4f/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 4576260..8861a6c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -91,6 +91,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
//user with create table permissions alone
private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
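Review bot: The four new GROUP_* constants and USER_GROUP_* fields carry no comment, while the neighbouring fields in this class each document what access the user has (e.g. `//user with create table permissions alone` just above). Since these users get nothing directly and all of their access arrives through the group's global grant in the setup hunk further down, that is worth stating at the declaration: `// users with no direct grants; each one's access comes only from its group's single global permission (ADMIN/CREATE/READ/WRITE)`. The same undocumented block is added to TestAccessController in the second commit of this page (the hunk at -160,6 +160,16), and the same comment fits there.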
@@ -115,6 +125,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
+
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
// TODO: other table perms
UTIL.startMiniCluster();
@@ -143,6 +162,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+ grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
}
@AfterClass
@@ -201,20 +225,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// modifyNamespace: superuser | global(A) | NS(A)
- verifyAllowed(modifyNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(modifyNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -238,41 +252,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// createNamespace: superuser | global(A)
- verifyAllowed(createNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
+ verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
// deleteNamespace: superuser | global(A) | NS(A)
- verifyAllowed(deleteNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(deleteNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -286,22 +276,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
// getNamespaceDescriptor : superuser | global(A) | NS(A)
- verifyAllowed(getNamespaceAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getNamespaceAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -324,14 +303,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
// listNamespaces : All access*
// * Returned list will only show what you can call getNamespaceDescriptor()
- verifyAllowed(listAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
+ assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
@@ -345,6 +322,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
}
@Test
@@ -396,56 +376,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
- verifyAllowed(grantAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(grantAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(revokeAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(revokeAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(getPermissionsAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getPermissionsAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -461,21 +406,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
//createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable,
- SUPERUSER,
- USER_GLOBAL_CREATE,
- USER_NS_CREATE);
-
- verifyDenied(createTable,
- USER_GLOBAL_ADMIN,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
+ verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
}
}
[2/5] hbase git commit: HBASE-13828 Add group permissions testing
coverage to AC
Posted by ap...@apache.org.
HBASE-13828 Add group permissions testing coverage to AC
Signed-off-by: Andrew Purtell <ap...@apache.org>
Conflicts:
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/c4054de4
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/c4054de4
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/c4054de4
Branch: refs/heads/branch-1
Commit: c4054de40c945ab8b2b39b096894b4679c8afb15
Parents: f49f296
Author: Ashish Singhi <as...@huawei.com>
Authored: Wed Jun 10 22:13:54 2015 +0530
Committer: Andrew Purtell <ap...@apache.org>
Committed: Wed Jun 10 18:25:13 2015 -0700
----------------------------------------------------------------------
.../security/access/TestAccessController.java | 299 ++++++++++++-------
.../security/access/TestAccessController2.java | 135 +++++----
.../security/access/TestNamespaceCommands.java | 197 ++++--------
3 files changed, 330 insertions(+), 301 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/c4054de4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 3b91554..222935f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -160,6 +160,16 @@ public class TestAccessController extends SecureTestUtil {
// user with admin rights on the column family
private static User USER_ADMIN_CF;
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
// TODO: convert this test to cover the full matrix in
// https://hbase.apache.org/book/appendix_acl_matrix.html
// creating all Scope x Permission combinations
@@ -214,6 +224,15 @@ public class TestAccessController extends SecureTestUtil {
USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]);
USER_ADMIN_CF = User.createUserForTesting(conf, "col_family_admin", new String[0]);
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
+
systemUserConnection = TEST_UTIL.getConnection();
setUpTableAndUserPermissions();
}
@@ -265,6 +284,11 @@ public class TestAccessController extends SecureTestUtil {
TEST_TABLE, TEST_FAMILY,
null, Permission.Action.ADMIN, Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(TEST_UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
+
assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE).size());
try {
assertEquals(5, AccessControlClient.getUserPermissions(systemUserConnection,
@@ -303,10 +327,11 @@ public class TestAccessController extends SecureTestUtil {
};
// verify that superuser can create tables
- verifyAllowed(createTable, SUPERUSER, USER_ADMIN);
+ verifyAllowed(createTable, SUPERUSER, USER_ADMIN, USER_GROUP_CREATE);
// all others should be denied
- verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(createTable, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_ADMIN,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -323,8 +348,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(modifyTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(modifyTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -338,8 +364,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(deleteTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -354,8 +381,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(truncateTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(truncateTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -370,8 +398,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -387,8 +416,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -402,8 +432,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_ADMIN_CF,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -426,11 +457,13 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(disableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(disableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
// No user should be allowed to disable _acl_ table
- verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO);
+ verifyDenied(disableAclTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -444,8 +477,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER);
- verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(enableTable, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(enableTable, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -466,8 +500,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -486,8 +521,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -506,8 +542,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -526,8 +563,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -540,8 +578,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -554,8 +593,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -568,8 +608,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -582,13 +623,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
private void verifyWrite(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_CREATE);
}
@Test
@@ -601,8 +644,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -617,8 +661,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -638,8 +683,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
deleteTable(TEST_UTIL, tname);
}
@@ -655,8 +701,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -670,18 +717,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(action, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_GROUP_CREATE,
+ USER_GROUP_ADMIN);
+ verifyDenied(action, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE);
}
private void verifyRead(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO);
- verifyDenied(action, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW, USER_RO,
+ USER_GROUP_READ);
+ verifyDenied(action, USER_NONE, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_WRITE);
}
private void verifyReadWrite(AccessTestAction action) throws Exception {
verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(action, USER_NONE, USER_RO);
+ verifyDenied(action, USER_NONE, USER_RO, USER_GROUP_ADMIN, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
}
@Test
@@ -838,8 +888,10 @@ public class TestAccessController extends SecureTestUtil {
// User performing bulk loads must have privilege to read table metadata
// (ADMIN or CREATE)
- verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE);
- verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO);
+ verifyAllowed(bulkLoadAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE,
+ USER_GROUP_CREATE);
+ verifyDenied(bulkLoadAction, USER_RW, USER_NONE, USER_RO, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
} finally {
// Reinit after the bulk upload
TEST_UTIL.getHBaseAdmin().disableTable(TEST_TABLE);
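Review bot: The new verifyDenied line puts USER_GROUP_ADMIN among the users denied the bulk load, yet the comment two lines above it says the caller needs "ADMIN or CREATE"; USER_GROUP_ADMIN holds exactly global ADMIN per the setup hunk (-265,6 +284,11), so the comment and the assertion now disagree. If the check really accepts only CREATE, the comment should say so, e.g. `// User performing bulk loads must have CREATE on the table (ADMIN alone is not sufficient)`; if ADMIN is meant to be sufficient, then the denial here is flagging a gap in the access controller rather than documenting intended behaviour. Either way the expected rule should be written down next to the assertion so the next reader does not have to guess which of the two is right. The enclosing test method starts and ends outside this hunk.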
@@ -943,8 +995,10 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW);
- verifyDenied(appendAction, USER_RO, USER_NONE);
+ verifyAllowed(appendAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_RW,
+ USER_GROUP_WRITE);
+ verifyDenied(appendAction, USER_RO, USER_NONE, USER_GROUP_CREATE, USER_GROUP_READ,
+ USER_GROUP_ADMIN);
}
@Test
@@ -1007,18 +1061,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(grantAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
try {
- verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(revokeAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(getTablePermissionsAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(getTablePermissionsAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN);
+ verifyAllowed(getGlobalPermissionsAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
verifyDenied(getGlobalPermissionsAction, USER_CREATE, USER_OWNER, USER_RW, USER_RO,
- USER_NONE);
+ USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
} finally {
// Cleanup, Grant the revoked permission back to the user
grantOnTable(TEST_UTIL, USER_RO.getShortName(), TEST_TABLE, TEST_FAMILY, null,
@@ -1523,8 +1580,8 @@ public class TestAccessController extends SecureTestUtil {
}
UserPermission adminPerm = new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"));
- assertTrue("Only user admin has permission on table _acl_ per setup",
- perms.size() == 1 && hasFoundUserPermission(adminPerm, perms));
+ assertTrue("Only global users and user admin has permission on table _acl_ per setup",
+ perms.size() == 5 && hasFoundUserPermission(adminPerm, perms));
}
/** global operations */
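Review bot: The assertion now hard-codes `perms.size() == 5` and still only checks that adminPerm is among them, so the four group permissions that the setup hunk (-265,6 +284,11) grants globally are counted but never individually verified, and any future global grant in setup will break this test with a message that does not say which entry is unexpected. It would be more robust to assert the presence of each expected permission through hasFoundUserPermission, building the group entries from the same GROUP_* constants with convertToGroup, and derive the expected count from that list rather than writing 5. The message string also reads awkwardly ("global users and user admin has permission"); `"Only the four global group grants and user admin have permission on table _acl_ per setup"` states what is actually being asserted. The enclosing method starts outside this hunk.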
@@ -1711,8 +1768,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1725,8 +1783,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1739,8 +1798,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1753,8 +1813,9 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(action, SUPERUSER, USER_ADMIN);
- verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(action, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER, USER_GROUP_CREATE,
+ USER_GROUP_READ, USER_GROUP_WRITE);
}
@Test
@@ -1801,17 +1862,21 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
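Review bot: The allowed/denied pairs for the clone and delete snapshot actions are crossed in the rewritten lines: `verifyAllowed(cloneAction, ...)` is followed by `verifyDenied(deleteAction, ...)`, and `verifyAllowed(deleteAction, ...)` by `verifyDenied(cloneAction, ...)`. Both assertions still run, so coverage is unaffected, but a reader checking one action's complete expectation has to jump between two groups. Since the commit rewrites these lines anyway, swapping the two verifyDenied calls so each action's allowed and denied lists sit together would make the expectations easier to audit. The snapshot test method begins above this hunk.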
@@ -1831,8 +1896,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(snapshotAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(snapshotAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction deleteAction = new AccessTestAction() {
@Override
@@ -1842,8 +1908,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(deleteAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(deleteAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction restoreAction = new AccessTestAction() {
@Override
@@ -1853,8 +1920,9 @@ public class TestAccessController extends SecureTestUtil {
return null;
}
};
- verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(restoreAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(restoreAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE, USER_GROUP_CREATE);
AccessTestAction cloneAction = new AccessTestAction() {
@Override
@@ -1866,8 +1934,9 @@ public class TestAccessController extends SecureTestUtil {
};
// Clone by snapshot owner is not allowed , because clone operation creates a new table,
// which needs global admin permission.
- verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN);
- verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(cloneAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(cloneAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -1961,12 +2030,15 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN);
- verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, TABLE_ADMIN,
+ USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyIfEmptyList(listTablesAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(getTableDescAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
- TABLE_ADMIN);
- verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
+ TABLE_ADMIN, USER_GROUP_CREATE, USER_GROUP_ADMIN);
+ verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
} finally {
// Cleanup, revoke TABLE ADMIN privs
revokeFromTable(TEST_UTIL, TABLE_ADMIN.getShortName(), TEST_TABLE, null, null,
@@ -1991,8 +2063,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER,
- USER_RW, USER_RO);
+ verifyAllowed(listTablesAction, SUPERUSER, USER_ADMIN, USER_CREATE, USER_OWNER, USER_RW,
+ USER_RO, USER_GROUP_CREATE, USER_GROUP_ADMIN, USER_GROUP_READ, USER_GROUP_WRITE);
verifyIfEmptyList(listTablesAction, USER_NONE);
}
@@ -2021,7 +2093,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE);
+ verifyDenied(deleteTableAction, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
+ USER_GROUP_WRITE);
verifyAllowed(deleteTableAction, TABLE_ADMIN);
}
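Review bot: USER_GROUP_CREATE and USER_GROUP_ADMIN appear in neither the denied nor the allowed list for deleteTableAction, so the group-permission path for table deletion is not asserted either way, unlike every sibling test in this file. If that is deliberate because the table can only be deleted once per test (a plausible reason TABLE_ADMIN is the sole allowed user), a one-line comment such as `// USER_GROUP_CREATE/USER_GROUP_ADMIN are not exercised here: the table can only be deleted once` would record it; otherwise consider asserting the expected outcome for those two users too. The start of this test method is outside the hunk.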
@@ -2353,21 +2426,24 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN);
- verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(setUserQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(setUserQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
- verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
+ verifyAllowed(setUserTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
+ verifyDenied(setUserTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
- verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE,
- USER_OWNER);
+ verifyAllowed(setUserNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(setUserNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
- verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER);
+ verifyAllowed(setTableQuotaAction, SUPERUSER, USER_ADMIN, USER_OWNER, USER_GROUP_ADMIN);
verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);
- verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN);
- verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(setNamespaceQuotaAction, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(setNamespaceQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
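Review bot: The denied list for setTableQuotaAction is the one assertion in this hunk left untouched, `verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE);`, while the other four quota actions gain USER_GROUP_READ, USER_GROUP_WRITE and USER_GROUP_CREATE. Extending it to `verifyDenied(setTableQuotaAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);` keeps group coverage consistent and would catch a regression where a global READ, WRITE or CREATE group could set table quotas. The quota action definitions are above the hunk, so their exact targets were not checked here.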
@@ -2465,7 +2541,7 @@ public class TestAccessController extends SecureTestUtil {
// Verify that we can read sys-tables
String aclTableName = AccessControlLists.ACL_TABLE_NAME.getNameAsString();
- assertEquals(1, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
+ assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size());
assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size());
// Grant TABLE ADMIN privs to testUserPerms
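Review bot: The expected row count for the ACL table is now the bare literal 5 both here and in the `perms.size() == 5` assertion earlier in this file, with nothing saying where the number comes from; presumably it is one row for USER_ADMIN plus the four global group grants made in setup, which is not visible in this diff. A named constant such as `private static final int EXPECTED_ACL_TABLE_ROWS = 5; // USER_ADMIN + 4 global group grants` used in both places would keep the two assertions in step when another grant is added. The enclosing test method starts before this hunk.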
@@ -2490,8 +2566,10 @@ public class TestAccessController extends SecureTestUtil {
}
private void verifyAnyCreate(AccessTestAction action) throws Exception {
- verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
- verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+ verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF,
+ USER_GROUP_CREATE);
+ verifyDenied(action, USER_NONE, USER_RO, USER_RW, USER_GROUP_READ, USER_GROUP_WRITE,
+ USER_GROUP_ADMIN);
}
@Test
@@ -2529,7 +2607,8 @@ public class TestAccessController extends SecureTestUtil {
}
};
- verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN);
- verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
+ verifyAllowed(replicateLogEntriesAction, SUPERUSER, USER_ADMIN, USER_GROUP_WRITE);
+ verifyDenied(replicateLogEntriesAction, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER,
+ USER_GROUP_READ, USER_GROUP_ADMIN, USER_GROUP_CREATE);
}
}
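Review bot: It is not obvious from these lines why USER_ADMIN may replicate log entries while USER_GROUP_ADMIN, which also carries a global ADMIN grant, is denied alongside USER_GROUP_READ and USER_GROUP_CREATE. The adminPerm expected for USER_ADMIN earlier in this file is "ACRW", which suggests USER_ADMIN passes on WRITE rather than ADMIN; the group users' grants are set up outside this diff, so that is inferred. A comment above the verifyAllowed call, e.g. `// replication needs global WRITE: USER_ADMIN holds ACRW, USER_GROUP_ADMIN has ADMIN only`, would make the asymmetry read as intentional rather than surprising.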
http://git-wip-us.apache.org/repos/asf/hbase/blob/c4054de4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
index 01a45bc..119283c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java
@@ -95,6 +95,7 @@ public class TestAccessController2 extends SecureTestUtil {
private String namespace = "testNamespace";
private String tname = namespace + ":testtable1";
private TableName tableName = TableName.valueOf(tname);
+ private static String TESTGROUP_1_NAME;
@BeforeClass
public static void setupBeforeClass() throws Exception {
@@ -107,6 +108,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Wait for the ACL table to become available
TEST_UTIL.waitUntilAllRegionsAssigned(AccessControlLists.ACL_TABLE_NAME);
+ TESTGROUP_1_NAME = convertToGroup(TESTGROUP_1);
TESTGROUP1_USER1 =
User.createUserForTesting(conf, "testgroup1_user1", new String[] { TESTGROUP_1 });
TESTGROUP2_USER1 =
@@ -197,23 +199,27 @@ public class TestAccessController2 extends SecureTestUtil {
@Test
public void testCreateTableWithGroupPermissions() throws Exception {
- grantGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
- AccessTestAction createAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
- desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
- try (Connection connection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
- try (Admin admin = connection.getAdmin()) {
- admin.createTable(desc);
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ try {
+ AccessTestAction createAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ HTableDescriptor desc = new HTableDescriptor(TEST_TABLE.getTableName());
+ desc.addFamily(new HColumnDescriptor(TEST_FAMILY));
+ try (Connection connection =
+ ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
+ try (Admin admin = connection.getAdmin()) {
+ admin.createTable(desc);
+ }
}
+ return null;
}
- return null;
- }
- };
- verifyAllowed(createAction, TESTGROUP1_USER1);
- verifyDenied(createAction, TESTGROUP2_USER1);
- revokeGlobal(TEST_UTIL, convertToGroup(TESTGROUP_1), Action.CREATE);
+ };
+ verifyAllowed(createAction, TESTGROUP1_USER1);
+ verifyDenied(createAction, TESTGROUP2_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.CREATE);
+ }
}
@Test
@@ -261,53 +267,64 @@ public class TestAccessController2 extends SecureTestUtil {
SecureTestUtil.grantOnTable(TEST_UTIL, tableAdmin.getShortName(),
TEST_TABLE.getTableName(), null, null, Action.ADMIN);
- // Write tests
-
- AccessTestAction writeAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- t.put(new Put(TEST_ROW).add(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
- TEST_VALUE));
- return null;
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ try {
+ // Write tests
+
+ AccessTestAction writeAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ t.put(new Put(TEST_ROW).addColumn(AccessControlLists.ACL_LIST_FAMILY, TEST_QUALIFIER,
+ TEST_VALUE));
+ return null;
+ } finally {
+ }
}
- }
- };
-
- // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
+ };
- verifyDenied(writeAction, globalAdmin, globalCreate, globalRead);
- verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
- verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
- verifyAllowed(writeAction, superUser, globalWrite);
+ // All writes to ACL table denied except for GLOBAL WRITE permission and superuser
- // Read tests
+ verifyDenied(writeAction, globalAdmin, globalCreate, globalRead, TESTGROUP2_USER1);
+ verifyDenied(writeAction, nsAdmin, nsCreate, nsRead, nsWrite);
+ verifyDenied(writeAction, tableAdmin, tableCreate, tableRead, tableWrite);
+ verifyAllowed(writeAction, superUser, globalWrite, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.WRITE);
+ }
- AccessTestAction scanAction = new AccessTestAction() {
- @Override
- public Object run() throws Exception {
- try(Connection conn = ConnectionFactory.createConnection(conf);
- Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
- ResultScanner s = t.getScanner(new Scan());
- try {
- for (Result r = s.next(); r != null; r = s.next()) {
- // do nothing
+ grantGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ try {
+ // Read tests
+
+ AccessTestAction scanAction = new AccessTestAction() {
+ @Override
+ public Object run() throws Exception {
+ try (Connection conn = ConnectionFactory.createConnection(conf);
+ Table t = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
+ ResultScanner s = t.getScanner(new Scan());
+ try {
+ for (Result r = s.next(); r != null; r = s.next()) {
+ // do nothing
+ }
+ } finally {
+ s.close();
}
- } finally {
- s.close();
+ return null;
}
- return null;
}
- }
- };
+ };
- // All reads from ACL table denied except for GLOBAL READ and superuser
+ // All reads from ACL table denied except for GLOBAL READ and superuser
- verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite);
- verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
- verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
- verifyAllowed(scanAction, superUser, globalRead);
+ verifyDenied(scanAction, globalAdmin, globalCreate, globalWrite, TESTGROUP2_USER1);
+ verifyDenied(scanAction, nsCreate, nsAdmin, nsRead, nsWrite);
+ verifyDenied(scanAction, tableCreate, tableAdmin, tableRead, tableWrite);
+ verifyAllowed(scanAction, superUser, globalRead, TESTGROUP1_USER1);
+ } finally {
+ revokeGlobal(TEST_UTIL, TESTGROUP_1_NAME, Action.READ);
+ }
}
/*
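Review bot: The `} finally { }` appended to writeAction's try-with-resources is empty and does nothing; the Table and Connection are already closed by the resource declarations, so the block should simply be dropped, leaving `try (Connection conn = ...; Table t = ...) { t.put(...); return null; }`. Separately, the write test puts TEST_ROW into the live _acl_ table for superUser, globalWrite and TESTGROUP1_USER1, and nothing in this hunk removes that row; if no later cleanup exists (the class teardown is outside this diff), consider deleting it in the finally that revokes the group WRITE grant so a stray row in the permissions table cannot influence later tests. The start of this test method is above the hunk.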
@@ -407,17 +424,17 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group which has table level access can read all the data and group which
// has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
verifyDenied(TESTGROUP2_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group whose table level access has been revoked can't read any data.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, null, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, null, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithTableLevelAccess);
// Verify user from a group which has column family level access can read all the data
// belonging to that family and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null,
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null,
Permission.Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithFamilyLevelAccess);
@@ -426,12 +443,12 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column family level access has been revoked can't read any
// data from that family.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, null);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, null);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithFamilyLevelAccess);
// Verify user from a group which has column qualifier level access can read data that has this
// family and qualifier, and group which has no access can't read any data.
- grantOnTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1, Action.READ);
+ grantOnTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1, Action.READ);
verifyAllowed(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanFamilyActionForGroupWithQualifierLevelAccess);
verifyDenied(TESTGROUP1_USER1, scanQualifierActionForGroupWithQualifierLevelAccess);
@@ -441,7 +458,7 @@ public class TestAccessController2 extends SecureTestUtil {
// Verify user from a group whose column qualifier level access has been revoked can't read the
// data having this column family and qualifier.
- revokeFromTable(TEST_UTIL, convertToGroup(TESTGROUP_1), tableName, TEST_FAMILY, Q1);
+ revokeFromTable(TEST_UTIL, TESTGROUP_1_NAME, tableName, TEST_FAMILY, Q1);
verifyDenied(TESTGROUP1_USER1, scanTableActionForGroupWithQualifierLevelAccess);
}
http://git-wip-us.apache.org/repos/asf/hbase/blob/c4054de4/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
index 4576260..8861a6c 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java
@@ -91,6 +91,16 @@ public class TestNamespaceCommands extends SecureTestUtil {
//user with create table permissions alone
private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
+ private static final String GROUP_ADMIN = "group_admin";
+ private static final String GROUP_CREATE = "group_create";
+ private static final String GROUP_READ = "group_read";
+ private static final String GROUP_WRITE = "group_write";
+
+ private static User USER_GROUP_ADMIN;
+ private static User USER_GROUP_CREATE;
+ private static User USER_GROUP_READ;
+ private static User USER_GROUP_WRITE;
+
private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
@@ -115,6 +125,15 @@ public class TestNamespaceCommands extends SecureTestUtil {
USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
+
+ USER_GROUP_ADMIN =
+ User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
+ USER_GROUP_CREATE =
+ User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
+ USER_GROUP_READ =
+ User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
+ USER_GROUP_WRITE =
+ User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
// TODO: other table perms
UTIL.startMiniCluster();
@@ -143,6 +162,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(), TEST_NAMESPACE, Permission.Action.EXEC);
grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
+
+ grantGlobal(UTIL, convertToGroup(GROUP_ADMIN), Permission.Action.ADMIN);
+ grantGlobal(UTIL, convertToGroup(GROUP_CREATE), Permission.Action.CREATE);
+ grantGlobal(UTIL, convertToGroup(GROUP_READ), Permission.Action.READ);
+ grantGlobal(UTIL, convertToGroup(GROUP_WRITE), Permission.Action.WRITE);
}
@AfterClass
@@ -201,20 +225,10 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// modifyNamespace: superuser | global(A) | NS(A)
- verifyAllowed(modifyNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(modifyNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC);
+ verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
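Review bot: The comment directly above the rewritten assertions, `// modifyNamespace: superuser | global(A) | NS(A)`, says namespace ADMIN is sufficient, yet USER_NS_ADMIN is in the new verifyDenied list. One of the two is stale: if namespace admins are indeed meant to be denied, the comment should read `// modifyNamespace: superuser | global(A)`; if not, the assertion is papering over a permission gap. The modifyNamespace action itself is defined above the hunk.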
@@ -238,41 +252,17 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
// createNamespace: superuser | global(A)
- verifyAllowed(createNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
+ verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
// all others should be denied
- verifyDenied(createNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
// deleteNamespace: superuser | global(A) | NS(A)
- verifyAllowed(deleteNamespace,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(deleteNamespace,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
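Review bot: The same comment/assertion mismatch appears for deleteNamespace: `// deleteNamespace: superuser | global(A) | NS(A)` lists namespace ADMIN as allowed, but USER_NS_ADMIN sits in the rewritten verifyDenied list. Either the comment should drop `| NS(A)` to match the assertion, or the test is expecting the wrong outcome; which one is intended cannot be settled from this hunk. The createNamespace block above it is consistent with its own comment, so only the delete case needs attention.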
@@ -286,22 +276,11 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
// getNamespaceDescriptor : superuser | global(A) | NS(A)
- verifyAllowed(getNamespaceAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getNamespaceAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -324,14 +303,12 @@ public class TestNamespaceCommands extends SecureTestUtil {
// listNamespaces : All access*
// * Returned list will only show what you can call getNamespaceDescriptor()
- verifyAllowed(listAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
+ verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
+ assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
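Review bot: The context comment `// we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]` lists four names, and the newly added `assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());` relies on that count of four. The number in the comment is stale and should read `// we have 4 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]`. The listAction definition and the remaining per-user counts are outside this hunk.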
@@ -345,6 +322,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
+ assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
}
@Test
@@ -396,56 +376,21 @@ public class TestNamespaceCommands extends SecureTestUtil {
}
};
- verifyAllowed(grantAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(grantAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(revokeAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN);
-
- verifyDenied(revokeAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
-
- verifyAllowed(getPermissionsAction,
- SUPERUSER,
- USER_GLOBAL_ADMIN,
- USER_NS_ADMIN);
-
- verifyDenied(getPermissionsAction,
- USER_GLOBAL_CREATE,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_CREATE,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
+ verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
+
+ verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
+ USER_GROUP_ADMIN);
+ verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
}
@Test
@@ -461,21 +406,9 @@ public class TestNamespaceCommands extends SecureTestUtil {
};
//createTable : superuser | global(C) | NS(C)
- verifyAllowed(createTable,
- SUPERUSER,
- USER_GLOBAL_CREATE,
- USER_NS_CREATE);
-
- verifyDenied(createTable,
- USER_GLOBAL_ADMIN,
- USER_GLOBAL_WRITE,
- USER_GLOBAL_READ,
- USER_GLOBAL_EXEC,
- USER_NS_ADMIN,
- USER_NS_WRITE,
- USER_NS_READ,
- USER_NS_EXEC,
- USER_TABLE_CREATE,
- USER_TABLE_WRITE);
+ verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
+ verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
+ USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
+ USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
}
}