public void checkGlobalPerms(Permission.Action... actions) throws IOException { Permission[] perms = new Permission[actions.length]; for (int i = 0; i < actions.length; i++) { perms[i] = new Permission(actions[i]); } HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class, new byte[0]); protocol.checkPermissions(perms); } finally { acl.close(); } }
public void checkTablePerms(byte[] table, Permission... perms) throws IOException { HTable acl = new HTable(conf, table); try { AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class, new byte[0]); protocol.checkPermissions(perms); } finally { acl.close(); } }
@BeforeClass public static void setupBeforeClass() throws Exception { // setup configuration conf = TEST_UTIL.getConfiguration(); conf.set("hbase.master.hfilecleaner.plugins", "org.apache.hadoop.hbase.master.cleaner.HFileLinkCleaner," + "org.apache.hadoop.hbase.master.snapshot.SnapshotHFileCleaner"); conf.set("hbase.master.logcleaner.plugins", "org.apache.hadoop.hbase.master.snapshot.SnapshotLogCleaner"); SecureTestUtil.enableSecurity(conf); TEST_UTIL.startMiniCluster(); MasterCoprocessorHost cpHost = TEST_UTIL.getMiniHBaseCluster().getMaster().getCoprocessorHost(); cpHost.load(AccessController.class, Coprocessor.PRIORITY_HIGHEST, conf); ACCESS_CONTROLLER = (AccessController) cpHost.findCoprocessor(AccessController.class.getName()); CP_ENV = cpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); RegionServerCoprocessorHost rsHost = TEST_UTIL.getMiniHBaseCluster().getRegionServer(0) .getCoprocessorHost(); RSCP_ENV = rsHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); // Wait for the ACL table to become available TEST_UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME, 5000); // create a set of test users SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); USER_ADMIN = User.createUserForTesting(conf, "admin2", new String[0]); USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]); USER_RO = User.createUserForTesting(conf, "rouser", new String[0]); USER_RW_ON_TABLE = User.createUserForTesting(conf, "rwuser_1", new String[0]); USER_OWNER = User.createUserForTesting(conf, "owner", new String[0]); USER_CREATE = User.createUserForTesting(conf, "tbl_create", new String[0]); USER_NONE = User.createUserForTesting(conf, "nouser", new String[0]); HBaseAdmin admin = TEST_UTIL.getHBaseAdmin(); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.setOwner(USER_OWNER); admin.createTable(htd); TEST_UTIL.waitTableEnabled(TEST_TABLE, 5000); HRegion region = TEST_UTIL.getHBaseCluster().getRegions(TEST_TABLE).get(0); RegionCoprocessorHost rcpHost = region.getCoprocessorHost(); RCP_ENV = rcpHost.createEnvironment(AccessController.class, ACCESS_CONTROLLER, Coprocessor.PRIORITY_HIGHEST, 1, conf); // initilize access control HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class, TEST_TABLE); protocol.grant(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE)); protocol.grant(new UserPermission(Bytes.toBytes(USER_RW.getShortName()), TEST_TABLE, TEST_FAMILY, Permission.Action.READ, Permission.Action.WRITE)); protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE, TEST_FAMILY, Permission.Action.READ)); protocol.grant(new UserPermission(Bytes.toBytes(USER_CREATE.getShortName()), TEST_TABLE, null, Permission.Action.CREATE)); protocol.grant(new UserPermission(Bytes.toBytes(USER_RW_ON_TABLE.getShortName()), TEST_TABLE, null, Permission.Action.READ, Permission.Action.WRITE)); } finally { acl.close(); } }
public void grant(AccessControllerProtocol protocol, User user, byte[] t, byte[] f, byte[] q, Permission.Action... actions) throws IOException { protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), t, f, q, actions)); }
@Test public void testGlobalAuthorizationForNewRegisteredRS() throws Exception { LOG.debug("Test for global authorization for a new registered RegionServer."); MiniHBaseCluster hbaseCluster = TEST_UTIL.getHBaseCluster(); final HRegionServer oldRs = hbaseCluster.getRegionServer(0); // Since each RegionServer running on different user, add global // permissions for the new user. HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME); try { AccessControllerProtocol protocol = acl.coprocessorProxy( AccessControllerProtocol.class, TEST_TABLE); String currentUser = User.getCurrent().getShortName(); // User name for the new RegionServer we plan to add. String activeUserForNewRs = currentUser + ".hfs." + hbaseCluster.getLiveRegionServerThreads().size(); protocol.grant(new UserPermission(Bytes.toBytes(activeUserForNewRs), Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE)); } finally { acl.close(); } final HBaseAdmin admin = TEST_UTIL.getHBaseAdmin(); HTableDescriptor htd = new HTableDescriptor(TEST_TABLE2); htd.addFamily(new HColumnDescriptor(TEST_FAMILY)); htd.setOwner(USER_OWNER); admin.createTable(htd); // Starting a new RegionServer. JVMClusterUtil.RegionServerThread newRsThread = hbaseCluster .startRegionServer(); final HRegionServer newRs = newRsThread.getRegionServer(); // Move region to the new RegionServer. final HTable table = new HTable(TEST_UTIL.getConfiguration(), TEST_TABLE2); try { NavigableMap<HRegionInfo, ServerName> regions = table .getRegionLocations(); final Map.Entry<HRegionInfo, ServerName> firstRegion = regions.entrySet() .iterator().next(); PrivilegedExceptionAction moveAction = new PrivilegedExceptionAction() { public Object run() throws Exception { admin.move(firstRegion.getKey().getEncodedNameAsBytes(), Bytes.toBytes(newRs.getServerName().getServerName())); return null; } }; SUPERUSER.runAs(moveAction); final int RETRIES_LIMIT = 10; int retries = 0; while (newRs.getOnlineRegions().size() < 1 && retries < RETRIES_LIMIT) { LOG.debug("Waiting for region to be opened. Already retried " + retries + " times."); try { Thread.sleep(200); } catch (InterruptedException e) { } retries++; if (retries == RETRIES_LIMIT - 1) { fail("Retry exhaust for waiting region to be opened."); } } // Verify write permission for user "admin2" who has the global // permissions. PrivilegedExceptionAction putAction = new PrivilegedExceptionAction() { public Object run() throws Exception { Put put = new Put(Bytes.toBytes("test")); put.add(TEST_FAMILY, Bytes.toBytes("qual"), Bytes.toBytes("value")); table.put(put); return null; } }; USER_ADMIN.runAs(putAction); } finally { table.close(); } }
