/** * Authorizes that the current user has any of the given permissions for the * given table, column family and column qualifier. * @param tableName Table requested * @param family Column family requested * @param qualifier Column qualifier requested * @throws IOException if obtaining the current user fails * @throws AccessDeniedException if user has no authorization */ private void requirePermission(String request, TableName tableName, byte[] family, byte[] qualifier, Action... permissions) throws IOException { User user = getActiveUser(); AuthResult result = null; for (Action permission : permissions) { if (authManager.authorize(user, tableName, family, qualifier, permission)) { result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, family, qualifier); break; } else { // rest of the world result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, family, qualifier); } } logResult(result); if (authorizationEnabled && !result.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); } }
private void verifyUserAllowedforCheckAndDelete(final User user, final byte[] row, final byte[] q1, final byte[] value) throws IOException, InterruptedException { user.runAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { try (Connection connection = ConnectionFactory.createConnection(conf)) { try (Table t = connection.getTable(TEST_TABLE.getTableName())) { Delete d = new Delete(row); d.addColumn(TEST_FAMILY1, q1, 120); t.checkAndDelete(row, TEST_FAMILY1, q1, value, d); } } return null; } }); }
private void verifyUserDeniedForDeleteMultipleVersions(final User user, final byte[] row, final byte[] q1, final byte[] q2) throws IOException, InterruptedException { user.runAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { try (Connection connection = ConnectionFactory.createConnection(conf)) { try (Table t = connection.getTable(TEST_TABLE.getTableName())) { Delete d = new Delete(row); d.addColumns(TEST_FAMILY1, q1); d.addColumns(TEST_FAMILY1, q2); t.delete(d); fail(user.getShortName() + " should not be allowed to delete the row"); } catch (Exception e) { } } return null; } }); }
private void verifyUserDeniedForCheckAndDelete(final User user, final byte[] row, final byte[] value) throws IOException, InterruptedException { user.runAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { try (Connection connection = ConnectionFactory.createConnection(conf)) { try (Table t = connection.getTable(TEST_TABLE.getTableName())) { Delete d = new Delete(row); d.addColumns(TEST_FAMILY1, TEST_Q1); t.checkAndDelete(row, TEST_FAMILY1, TEST_Q1, value, d); fail(user.getShortName() + " should not be allowed to do checkAndDelete"); } catch (Exception e) { } } return null; } }); }
/** * This method clones the passed <code>c</code> configuration setting a new * user into the clone. Use it getting new instances of FileSystem. Only * works for DistributedFileSystem w/o Kerberos. * @param c Initial configuration * @param differentiatingSuffix Suffix to differentiate this user from others. * @return A new configuration instance with a different user set into it. * @throws IOException */ public static User getDifferentUser(final Configuration c, final String differentiatingSuffix) throws IOException { FileSystem currentfs = FileSystem.get(c); if (!(currentfs instanceof DistributedFileSystem) || User.isHBaseSecurityEnabled(c)) { return User.getCurrent(); } // Else distributed filesystem. Make a new instance per daemon. Below // code is taken from the AppendTestUtil over in hdfs. String username = User.getCurrent().getName() + differentiatingSuffix; User user = User.createUserForTesting(c, username, new String[]{"supergroup"}); return user; }
HConnectionKey(Configuration conf) { Map<String, String> m = new HashMap<String, String>(); if (conf != null) { for (String property : CONNECTION_PROPERTIES) { String value = conf.get(property); if (value != null) { m.put(property, value); } } } this.properties = Collections.unmodifiableMap(m); try { UserProvider provider = UserProvider.instantiate(conf); User currentUser = provider.getCurrent(); if (currentUser != null) { username = currentUser.getName(); } } catch (IOException ioe) { ConnectionManager.LOG.warn( "Error obtaining current user, skipping username in HConnectionKey", ioe); } }
/** * Authorizes that the current user has any of the given permissions for the * given table, column family and column qualifier. * @param tableName Table requested * @param family Column family param * @param qualifier Column qualifier param * @throws IOException if obtaining the current user fails * @throws AccessDeniedException if user has no authorization */ private void requireTablePermission(String request, TableName tableName, byte[] family, byte[] qualifier, Action... permissions) throws IOException { User user = getActiveUser(); AuthResult result = null; for (Action permission : permissions) { if (authManager.authorize(user, tableName, null, null, permission)) { result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null); result.getParams().setFamily(family).setQualifier(qualifier); break; } else { // rest of the world result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, family, qualifier); result.getParams().setFamily(family).setQualifier(qualifier); } } logResult(result); if (authorizationEnabled && !result.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); } }
/** * Checks that the user has the given global permission. The generated * audit log message will contain context information for the operation * being authorized, based on the given parameters. * @param perm Action being requested * @param tableName Affected table name. * @param familyMap Affected column families. */ private void requireGlobalPermission(String request, Action perm, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException { User user = getActiveUser(); AuthResult result = null; if (authManager.authorize(user, perm)) { result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap); result.getParams().setTableName(tableName).setFamilies(familyMap); logResult(result); } else { result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap); result.getParams().setTableName(tableName).setFamilies(familyMap); logResult(result); if (authorizationEnabled) { throw new AccessDeniedException("Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") +"' (global, action=" + perm.toString() + ")"); } } }
/** * Obtain an authentication token for the given user and add it to the * user's credentials. * @param conn The HBase cluster connection * @param user The user for whom to obtain the token * @throws IOException If making a remote call to the authentication service fails * @throws InterruptedException If executing as the given user is interrupted */ public static void obtainAndCacheToken(final Connection conn, User user) throws IOException, InterruptedException { try { Token<AuthenticationTokenIdentifier> token = obtainToken(conn, user); if (token == null) { throw new IOException("No token returned for user " + user.getName()); } if (LOG.isDebugEnabled()) { LOG.debug("Obtained token " + token.getKind().toString() + " for user " + user.getName()); } user.addToken(token); } catch (IOException ioe) { throw ioe; } catch (InterruptedException ie) { throw ie; } catch (RuntimeException re) { throw re; } catch (Exception e) { throw new UndeclaredThrowableException(e, "Unexpected exception obtaining token for user " + user.getName()); } }
/** * Checks that the user has the given global or namespace permission. * @param namespace * @param permissions Actions being requested */ public void requireNamespacePermission(String request, String namespace, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, Action... permissions) throws IOException { User user = getActiveUser(); AuthResult result = null; for (Action permission : permissions) { if (authManager.authorize(user, namespace, permission)) { result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace); result.getParams().setTableName(tableName).setFamilies(familyMap); break; } else { // rest of the world result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace); result.getParams().setTableName(tableName).setFamilies(familyMap); } } logResult(result); if (authorizationEnabled && !result.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + result.toContextString()); } }
@Override public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c, final TableName tableName) throws IOException { requirePermission("truncateTable", tableName, null, null, Action.ADMIN, Action.CREATE); final Configuration conf = c.getEnvironment().getConfiguration(); User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { List<UserPermission> acls = AccessControlLists.getUserTablePermissions(conf, tableName); if (acls != null) { tableAcls.put(tableName, acls); } return null; } }); }
@Override public void postTruncateTable(ObserverContext<MasterCoprocessorEnvironment> ctx, final TableName tableName) throws IOException { final Configuration conf = ctx.getEnvironment().getConfiguration(); User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { List<UserPermission> perms = tableAcls.get(tableName); if (perms != null) { for (UserPermission perm : perms) { AccessControlLists.addUserPermission(conf, perm); } } tableAcls.remove(tableName); return null; } }); }
@Override public void postListProcedures( ObserverContext<MasterCoprocessorEnvironment> ctx, List<ProcedureInfo> procInfoList) throws IOException { if (procInfoList.isEmpty()) { return; } // Retains only those which passes authorization checks, as the checks weren't done as part // of preListProcedures. Iterator<ProcedureInfo> itr = procInfoList.iterator(); User user = getActiveUser(); while (itr.hasNext()) { ProcedureInfo procInfo = itr.next(); try { if (!ProcedureInfo.isProcedureOwner(procInfo, user)) { // If the user is not the procedure owner, then we should further probe whether // he can see the procedure. requirePermission("listProcedures", Action.ADMIN); } } catch (AccessDeniedException e) { itr.remove(); } } }
@Override public long preIncrementColumnValue(final ObserverContext<RegionCoprocessorEnvironment> c, final byte [] row, final byte [] family, final byte [] qualifier, final long amount, final boolean writeToWAL) throws IOException { // Require WRITE permission to the table, CF, and the KV to be replaced by the // incremented value RegionCoprocessorEnvironment env = c.getEnvironment(); Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier); User user = getActiveUser(); AuthResult authResult = permissionGranted(OpType.INCREMENT_COLUMN_VALUE, user, env, families, Action.WRITE); if (!authResult.isAllowed() && cellFeaturesEnabled && !compatibleEarlyTermination) { authResult.setAllowed(checkCoveringPermission(OpType.INCREMENT_COLUMN_VALUE, env, row, families, HConstants.LATEST_TIMESTAMP, Action.WRITE)); authResult.setReason("Covering cell set"); } logResult(authResult); if (authorizationEnabled && !authResult.isAllowed()) { throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString()); } return -1; }
/** * Constructor for netty RPC channel * * @param bootstrap to construct channel on * @param client to connect with * @param ticket of user which uses connection * @param serviceName name of service to connect to * @param address to connect to */ public AsyncRpcChannel(Bootstrap bootstrap, final AsyncRpcClient client, User ticket, String serviceName, InetSocketAddress address) { this.client = client; this.ticket = ticket; this.serviceName = serviceName; this.address = address; this.channel = connect(bootstrap).channel(); name = ("IPC Client (" + channel.hashCode() + ") to " + address.toString() + ((ticket == null) ? " from unknown user" : (" from " + ticket.getName()))); }
/** * Verify arbitrary compaction. * @param policy Policy to test. * @param si Stripe information pre-set with stripes to test. * @param sfs Files that should be compacted. * @param dropDeletesFrom Row from which to drop deletes. * @param dropDeletesTo Row to which to drop deletes. * @param boundaries Expected target stripe boundaries. */ private void verifyCompaction(StripeCompactionPolicy policy, StripeInformationProvider si, Collection<StoreFile> sfs, byte[] dropDeletesFrom, byte[] dropDeletesTo, final List<byte[]> boundaries) throws Exception { StripeCompactor sc = mock(StripeCompactor.class); assertTrue(policy.needsCompactions(si, al())); StripeCompactionPolicy.StripeCompactionRequest scr = policy.selectCompaction(si, al(), false); verifyCollectionsEqual(sfs, scr.getRequest().getFiles()); scr.execute(sc, NoLimitCompactionThroughputController.INSTANCE, null); verify(sc, times(1)).compact(eq(scr.getRequest()), argThat(new ArgumentMatcher<List<byte[]>>() { @Override public boolean matches(Object argument) { @SuppressWarnings("unchecked") List<byte[]> other = (List<byte[]>) argument; if (other.size() != boundaries.size()) return false; for (int i = 0; i < other.size(); ++i) { if (!Bytes.equals(other.get(i), boundaries.get(i))) return false; } return true; } }), dropDeletesFrom == null ? isNull(byte[].class) : aryEq(dropDeletesFrom), dropDeletesTo == null ? isNull(byte[].class) : aryEq(dropDeletesTo), any(NoLimitCompactionThroughputController.class), any(User.class)); }
@Test(timeout = 60000) public void testUserNamespaceThrottle() throws Exception { final Admin admin = TEST_UTIL.getHBaseAdmin(); final String userName = User.getCurrent().getShortName(); final String NAMESPACE = "default"; // Add 6req/min limit admin.setQuota(QuotaSettingsFactory.throttleUser(userName, NAMESPACE, ThrottleType.REQUEST_NUMBER, 6, TimeUnit.MINUTES)); triggerUserCacheRefresh(false, TABLE_NAMES[0]); // should execute at max 6 requests on tables[0] and have no limit on tables[1] assertEquals(6, doPuts(100, tables[0])); // wait a minute and you should get other 6 requests executed waitMinuteQuota(); assertEquals(6, doPuts(100, tables[1])); // Remove all the limits admin.setQuota(QuotaSettingsFactory.unthrottleUser(userName, NAMESPACE)); triggerUserCacheRefresh(true, TABLE_NAMES); assertEquals(60, doPuts(60, tables)); assertEquals(60, doGets(60, tables)); }
@Override public void setUpCluster() throws Exception { util = getTestingUtil(null); Configuration conf = util.getConfiguration(); conf.setInt(HFile.FORMAT_VERSION_KEY, 3); conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); conf.set("hbase.superuser", User.getCurrent().getName()); conf.setBoolean("dfs.permissions", false); super.setUpCluster(); String[] users = userNames.split(","); if (users.length != 2) { System.err.println(ERROR_STR); throw new IOException(ERROR_STR); } System.out.println(userNames + " "+users[0]+ " "+users[1]); USER1 = User.createUserForTesting(conf, users[0], new String[] {}); USER2 = User.createUserForTesting(conf, users[1], new String[] {}); addLabelsAndAuths(); }
/** This fails only in case of ADE or empty list for any of the actions. */ public static void verifyAllowed(User user, AccessTestAction... actions) throws Exception { for (AccessTestAction action : actions) { try { Object obj = user.runAs(action); if (obj != null && obj instanceof List<?>) { List<?> results = (List<?>) obj; if (results != null && results.isEmpty()) { fail("Empty non null results from action for user '" + user.getShortName() + "'"); } } } catch (AccessDeniedException ade) { fail("Expected action to pass for user '" + user.getShortName() + "' but was denied"); } } }
/** * Returns a new {@code PermissionCache} initialized with permission assignments * from the {@code hbase.superuser} configuration key. */ private PermissionCache<Permission> initGlobal(Configuration conf) throws IOException { UserProvider userProvider = UserProvider.instantiate(conf); User user = userProvider.getCurrent(); if (user == null) { throw new IOException("Unable to obtain the current user, " + "authorization checks for internal operations will not work correctly!"); } PermissionCache<Permission> newCache = new PermissionCache<Permission>(); String currentUser = user.getShortName(); // the system user is always included List<String> superusers = Lists.asList(currentUser, conf.getStrings( Superusers.SUPERUSER_CONF_KEY, new String[0])); if (superusers != null) { for (String name : superusers) { if (AuthUtil.isGroupPrincipal(name)) { newCache.putGroup(AuthUtil.getGroupName(name), new Permission(Permission.Action.values())); } else { newCache.putUser(name, new Permission(Permission.Action.values())); } } } return newCache; }
/** * Authorize a global permission based on ACLs for the given user and the * user's groups. * @param user * @param action * @return true if known and authorized, false otherwise */ public boolean authorize(User user, Permission.Action action) { if (user == null) { return false; } if (authorize(globalCache.getUser(user.getShortName()), action)) { return true; } String[] groups = user.getGroupNames(); if (groups != null) { for (String group : groups) { if (authorize(globalCache.getGroup(group), action)) { return true; } } } return false; }
public boolean authorize(User user, String namespace, Permission.Action action) { // Global authorizations supercede namespace level if (authorize(user, action)) { return true; } // Check namespace permissions PermissionCache<TablePermission> tablePerms = nsCache.get(namespace); if (tablePerms != null) { List<TablePermission> userPerms = tablePerms.getUser(user.getShortName()); if (authorize(userPerms, namespace, action)) { return true; } String[] groupNames = user.getGroupNames(); if (groupNames != null) { for (String group : groupNames) { List<TablePermission> groupPerms = tablePerms.getGroup(group); if (authorize(groupPerms, namespace, action)) { return true; } } } } return false; }
/** * Get the authentication token of the user for the cluster specified in the configuration * @return null if the user does not have the token, otherwise the auth token for the cluster. */ private static Token<AuthenticationTokenIdentifier> getAuthToken(Configuration conf, User user) throws IOException, InterruptedException { ZooKeeperWatcher zkw = new ZooKeeperWatcher(conf, "TokenUtil-getAuthToken", null); try { String clusterId = ZKClusterId.readClusterIdZNode(zkw); if (clusterId == null) { throw new IOException("Failed to get cluster ID"); } return new AuthenticationTokenSelector().selectToken(new Text(clusterId), user.getTokens()); } catch (KeeperException e) { throw new IOException(e); } finally { zkw.close(); } }
public synchronized void requestSplit(final Region r, byte[] midKey, User user) { if (midKey == null) { LOG.debug("Region " + r.getRegionInfo().getRegionNameAsString() + " not splittable because midkey=null"); if (((HRegion)r).shouldForceSplit()) { ((HRegion)r).clearSplit(); } return; } try { this.splits.execute(new SplitRequest(r, midKey, this.server, user)); if (LOG.isDebugEnabled()) { LOG.debug("Split requested for " + r + ". " + this); } } catch (RejectedExecutionException ree) { LOG.info("Could not execute split for " + r, ree); } }
@Test public void testRTEDuringConnectionSetup() throws Exception { Configuration conf = HBaseConfiguration.create(); TestRpcServer rpcServer = new TestRpcServer(); AbstractRpcClient client = createRpcClientRTEDuringConnectionSetup(conf); try { rpcServer.start(); MethodDescriptor md = SERVICE.getDescriptorForType().findMethodByName("echo"); EchoRequestProto param = EchoRequestProto.newBuilder().setMessage("hello").build(); InetSocketAddress address = rpcServer.getListenerAddress(); if (address == null) { throw new IOException("Listener channel is closed"); } client.call(null, md, param, null, User.getCurrent(), address, new MetricsConnection.CallStats()); fail("Expected an exception to have been thrown!"); } catch (Exception e) { LOG.info("Caught expected exception: " + e.toString()); assertTrue(StringUtils.stringifyException(e).contains("Injected fault")); } finally { client.close(); rpcServer.stop(); } }
private CompactionContext selectCompaction(final Region r, final Store s, int priority, CompactionRequest request, User user) throws IOException { CompactionContext compaction = s.requestCompaction(priority, request, user); if (compaction == null) { if(LOG.isDebugEnabled() && r.getRegionInfo() != null) { LOG.debug("Not compacting " + r.getRegionInfo().getRegionNameAsString() + " because compaction request was cancelled"); } return null; } assert compaction.hasSelection(); if (priority != Store.NO_PRIORITY) { compaction.getRequest().setPriority(priority); } return compaction; }
@BeforeClass public static void setupBeforeClass() throws Exception { // setup configuration conf = TEST_UTIL.getConfiguration(); conf.setBoolean(HConstants.DISTRIBUTED_LOG_REPLAY_KEY, false); conf.setBoolean("hbase.online.schema.update.enable", true); VisibilityTestUtil.enableVisiblityLabels(conf); conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class, ScanLabelGenerator.class); conf.set("hbase.superuser", "admin"); TEST_UTIL.startMiniCluster(2); SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); USER1 = User.createUserForTesting(conf, "user1", new String[] {}); // Wait for the labels table to become available TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000); addLabels(); }
private void verifyUserDeniedForIncrementMultipleVersions(final User user, final byte[] row, final byte[] q1) throws IOException, InterruptedException { user.runAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { try (Connection connection = ConnectionFactory.createConnection(conf)) { try (Table t = connection.getTable(TEST_TABLE.getTableName())) { Increment inc = new Increment(row); inc.setTimeRange(0, 127); inc.addColumn(TEST_FAMILY1, q1, 2L); t.increment(inc); fail(user.getShortName() + " cannot do the increment."); } catch (Exception e) { } } return null; } }); }
@BeforeClass public static void beforeClass() throws Exception { SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); conf = UTIL.getConfiguration(); conf.setClass(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, SimpleScanLabelGenerator.class, ScanLabelGenerator.class); conf.set("hbase.superuser", SUPERUSER.getShortName()); conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName()); conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName()); conf.setInt("hfile.format.version", 3); UTIL.startMiniCluster(1); // Wait for the labels table to become available UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME.getName(), 50000); createLabels(); Admin admin = new HBaseAdmin(UTIL.getConfiguration()); HTableDescriptor tableDescriptor = new HTableDescriptor( TableName.valueOf(tableAname)); for (HColumnDescriptor family : families) { tableDescriptor.addFamily(family); } admin.createTable(tableDescriptor); admin.close(); setAuths(); }
private static void setAuths() throws IOException { String[] labels = { SECRET, CONFIDENTIAL, PRIVATE, PUBLIC, TOPSECRET }; try { VisibilityClient.setAuths(UTIL.getConnection(), labels, User.getCurrent().getShortName()); } catch (Throwable t) { throw new IOException(t); } }
@Override public List<String> getLabels(User user, Authorizations authorizations) { if (authorizations != null) { return authorizations.getLabels(); } return null; }
@Override public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c, final Scan scan, final RegionScanner s) throws IOException { User user = VisibilityUtils.getActiveUser(); if (user != null && user.getShortName() != null) { scannerOwners.put(s, user.getShortName()); } return s; }
private void logResult(boolean isAllowed, String request, String reason, byte[] user, List<byte[]> labelAuths, String regex) { if (AUDITLOG.isTraceEnabled()) { // This is more duplicated code! InetAddress remoteAddr = RpcServer.getRemoteAddress(); List<String> labelAuthsStr = new ArrayList<>(); if (labelAuths != null) { int labelAuthsSize = labelAuths.size(); labelAuthsStr = new ArrayList<>(labelAuthsSize); for (int i = 0; i < labelAuthsSize; i++) { labelAuthsStr.add(Bytes.toString(labelAuths.get(i))); } } User requestingUser = null; try { requestingUser = VisibilityUtils.getActiveUser(); } catch (IOException e) { LOG.warn("Failed to get active system user."); LOG.debug("Details on failure to get active system user.", e); } AUDITLOG.trace("Access " + (isAllowed ? "allowed" : "denied") + " for user " + (requestingUser != null ? requestingUser.getShortName() : "UNKNOWN") + "; reason: " + reason + "; remote address: " + (remoteAddr != null ? remoteAddr : "") + "; request: " + request + "; user: " + (user != null ? Bytes.toShort(user) : "null") + "; labels: " + labelAuthsStr + "; regex: " + regex); } }
/** * Check if the user is this procedure's owner * @param owner the owner field of the procedure * @param user the user * @return true if the user is the owner of the procedure, * false otherwise or the owner is unknown. */ @InterfaceAudience.Private public static boolean isProcedureOwner(final ProcedureInfo procInfo, final User user) { if (user == null) { return false; } String procOwner = procInfo.getProcOwner(); if (procOwner == null) { return false; } return procOwner.equals(user.getShortName()); }
@Override public List<String> getLabels(User user, Authorizations authorizations) { String userName = user.getShortName(); if (authorizations != null) { LOG.warn("Dropping authorizations requested by user " + userName + ": " + authorizations); } Set<String> auths = new HashSet<String>(); auths.addAll(this.labelsCache.getUserAuths(userName)); auths.addAll(this.labelsCache.getGroupAuths(user.getGroupNames())); return new ArrayList<String>(auths); }
@Override public List<Tag> createVisibilityExpTags(String visExpression, boolean withSerializationFormat, boolean checkAuths) throws IOException { Set<Integer> auths = new HashSet<Integer>(); if (checkAuths) { User user = VisibilityUtils.getActiveUser(); auths.addAll(this.labelsCache.getUserAuthsAsOrdinals(user.getShortName())); auths.addAll(this.labelsCache.getGroupAuthsAsOrdinals(user.getGroupNames())); } return VisibilityUtils.createVisibilityExpTags(visExpression, withSerializationFormat, checkAuths, auths, labelsCache); }
@BeforeClass public static void setupBeforeClass() throws Exception { // setup configuration conf = TEST_UTIL.getConfiguration(); VisibilityTestUtil.enableVisiblityLabels(conf); String classes = DefinedSetFilterScanLabelGenerator.class.getCanonicalName() + " , " + EnforcingScanLabelGenerator.class.getCanonicalName(); conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, classes); conf.set("hbase.superuser", "admin"); TEST_UTIL.startMiniCluster(1); SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" }); TESTUSER = User.createUserForTesting(conf, "test", new String[] { }); // Wait for the labels table to become available TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000); // Set up for the test SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try (Connection conn = ConnectionFactory.createConnection(conf)) { VisibilityClient.addLabels(conn, new String[] { SECRET, CONFIDENTIAL }); VisibilityClient.setAuths(conn, new String[] { CONFIDENTIAL, }, TESTUSER.getShortName()); } catch (Throwable t) { throw new IOException(t); } return null; } }); }
@Override public void getAuthenticationToken(RpcController controller, AuthenticationProtos.GetAuthenticationTokenRequest request, RpcCallback<AuthenticationProtos.GetAuthenticationTokenResponse> done) { AuthenticationProtos.GetAuthenticationTokenResponse.Builder response = AuthenticationProtos.GetAuthenticationTokenResponse.newBuilder(); try { if (secretManager == null) { throw new IOException( "No secret manager configured for token authentication"); } User currentUser = RpcServer.getRequestUser(); UserGroupInformation ugi = null; if (currentUser != null) { ugi = currentUser.getUGI(); } if (currentUser == null) { throw new AccessDeniedException("No authenticated user for request!"); } else if (!isAllowedDelegationTokenOp(ugi)) { LOG.warn("Token generation denied for user="+currentUser.getName() +", authMethod="+ugi.getAuthenticationMethod()); throw new AccessDeniedException( "Token generation only allowed for Kerberos authenticated clients"); } Token<AuthenticationTokenIdentifier> token = secretManager.generateToken(currentUser.getName()); response.setToken(ProtobufUtil.toToken(token)).build(); } catch (IOException ioe) { ResponseConverter.setControllerException(controller, ioe); } done.run(response.build()); }
/** * Starts a master thread running * * @throws IOException * @return New RegionServerThread */ public JVMClusterUtil.MasterThread startMaster() throws IOException { Configuration c = HBaseConfiguration.create(conf); User user = HBaseTestingUtility.getDifferentUser(c, ".hfs."+index++); JVMClusterUtil.MasterThread t = null; try { t = hbaseCluster.addMaster(c, hbaseCluster.getMasters().size(), user); t.start(); } catch (InterruptedException ie) { throw new IOException("Interrupted adding master to cluster", ie); } return t; }
/** * Verify arbitrary compaction. * @param policy Policy to test. * @param si Stripe information pre-set with stripes to test. * @param sfs Files that should be compacted. * @param dropDeletes Whether to drop deletes from compaction range. * @param count Expected # of resulting stripes, null if not checked. * @param size Expected target stripe size, null if not checked. * @param start Left boundary of the compaction. * @param righr Right boundary of the compaction. */ private void verifyCompaction(StripeCompactionPolicy policy, StripeInformationProvider si, Collection<StoreFile> sfs, Boolean dropDeletes, Integer count, Long size, byte[] start, byte[] end, boolean needsCompaction) throws IOException { StripeCompactor sc = mock(StripeCompactor.class); assertTrue(!needsCompaction || policy.needsCompactions(si, al())); StripeCompactionPolicy.StripeCompactionRequest scr = policy.selectCompaction(si, al(), false); verifyCollectionsEqual(sfs, scr.getRequest().getFiles()); scr.execute(sc, NoLimitCompactionThroughputController.INSTANCE, null); verify(sc, times(1)).compact(eq(scr.getRequest()), count == null ? anyInt() : eq(count.intValue()), size == null ? anyLong() : eq(size.longValue()), aryEq(start), aryEq(end), dropDeletesMatcher(dropDeletes, start), dropDeletesMatcher(dropDeletes, end), any(NoLimitCompactionThroughputController.class), any(User.class)); }