19 package org.apache.hadoop.hbase.security.access;
20
21 import static org.junit.Assert.assertEquals;
22 import static org.junit.Assert.assertFalse;
23 import static org.junit.Assert.assertTrue;
24
25 import java.security.PrivilegedExceptionAction;
26 import java.util.ArrayList;
27 import java.util.List;
28 import java.util.UUID;
29
30 import org.apache.hadoop.conf.Configuration;
31 import org.apache.hadoop.hbase.HBaseTestingUtility;
32 import org.apache.hadoop.hbase.LargeTests;
33 import org.apache.hadoop.hbase.TableName;
34 import org.apache.hadoop.hbase.client.HTable;
35 import org.apache.hadoop.hbase.client.Put;
36 import org.apache.hadoop.hbase.client.Result;
37 import org.apache.hadoop.hbase.client.ResultScanner;
38 import org.apache.hadoop.hbase.client.Scan;
39 import org.apache.hadoop.hbase.security.User;
40 import org.apache.hadoop.hbase.util.Bytes;
41 import org.junit.AfterClass;
42 import org.junit.Before;
43 import org.junit.BeforeClass;
44 import org.junit.Rule;
45 import org.junit.Test;
46 import org.junit.experimental.categories.Category;
47 import org.junit.rules.TestName;
48
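@Category(LargeTests.class)
/**
 * Exercises the access-control filter at qualifier granularity: the same table
 * is scanned by a user with a table-wide READ grant, by a user whose READ grant
 * is restricted to a single column, and by a user with no grant at all, and the
 * test checks which cells each of them gets back.
 */
public class TestAccessControlFilter extends SecureTestUtil {
  @Rule public TestName name = new TestName();
  private static HBaseTestingUtility TEST_UTIL;

  // Three principals with decreasing visibility (see doQualifierAccess):
  // READER  - READ on the whole table
  // LIMITED - READ on FAMILY:PUBLIC_COL only
  // DENIED  - no grant
  private static User READER;
  private static User LIMITED;
  private static User DENIED;

  private static TableName TABLE;
  private static final byte[] FAMILY = Bytes.toBytes("f1");
  private static final byte[] PRIVATE_COL = Bytes.toBytes("private");
  private static final byte[] PUBLIC_COL = Bytes.toBytes("public");

  /** Number of rows written by {@link #doQualifierAccess(HTable)}. */
  private static final int ROW_COUNT = 100;

  @Before
  public void setup() {
    // One table per test method, named after it, so grants issued by one test
    // cannot leak into another.
    TABLE = TableName.valueOf(name.getMethodName());
  }

  /**
   * Starts a secured mini cluster, waits for the ACL table to come up and
   * creates the three test principals.
   */
  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    TEST_UTIL = new HBaseTestingUtility();
    Configuration conf = TEST_UTIL.getConfiguration();
    enableSecurity(conf);
    verifyConfiguration(conf);

    // NOTE(review): presumably turns off the column-family early-out so that
    // the per-cell filter is what decides what DENIED gets back (the scan below
    // expects an empty result, not an error) - confirm against AccessController.
    conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);

    TEST_UTIL.startMiniCluster();
    TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);

    READER = User.createUserForTesting(conf, "reader", new String[0]);
    LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
    DENIED = User.createUserForTesting(conf, "denied", new String[0]);
  }

  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  @Test
  public void testQualifierAccess() throws Exception {
    final HTable table = TEST_UTIL.createTable(TABLE, FAMILY);
    try {
      doQualifierAccess(table);
    } finally {
      table.close();
    }
  }

  /**
   * Grants READ on the whole table to READER and READ on FAMILY:PUBLIC_COL only
   * to LIMITED, writes {@link #ROW_COUNT} rows that each carry a private and a
   * public cell, then scans as every principal.
   *
   * @param table the freshly created test table, owned and closed by the caller
   * @throws Exception on any cluster, grant or assertion failure
   */
  private void doQualifierAccess(final HTable table) throws Exception {
    SecureTestUtil.grantOnTable(TEST_UTIL, READER.getShortName(), TABLE, null, null,
        Permission.Action.READ);
    SecureTestUtil.grantOnTable(TEST_UTIL, LIMITED.getShortName(), TABLE, FAMILY, PUBLIC_COL,
        Permission.Action.READ);

    // Row i holds "secret i" in PRIVATE_COL and "info i" in PUBLIC_COL; the
    // row key is the integer i so each scan can check values against it.
    List<Put> puts = new ArrayList<Put>(ROW_COUNT);
    for (int i = 0; i < ROW_COUNT; i++) {
      Put p = new Put(Bytes.toBytes(i));
      p.add(FAMILY, PRIVATE_COL, Bytes.toBytes("secret " + i));
      p.add(FAMILY, PUBLIC_COL, Bytes.toBytes("info " + i));
      puts.add(p);
    }
    table.put(puts);

    // Table-wide READ: every row, both cells.
    scanAs(READER, ROW_COUNT, true);
    // READ on PUBLIC_COL only: every row, but the private cell is filtered out.
    scanAs(LIMITED, ROW_COUNT, false);
    // No grant: the scan succeeds but returns nothing at all.
    scanAs(DENIED, 0, false);
  }

  /**
   * Scans the whole of {@link #TABLE} as {@code user} on a fresh connection and
   * checks what the access-control filter let through.
   *
   * @param user principal to run the scan as
   * @param expectedRows number of rows the user is expected to see
   * @param privateVisible whether PRIVATE_COL must be present ({@code true}) or
   *        absent ({@code false}) on every row returned; PUBLIC_COL must always
   *        be present on a returned row
   * @throws Exception on any client or assertion failure inside the scan
   */
  private static void scanAs(User user, final int expectedRows, final boolean privateVisible)
      throws Exception {
    user.runAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
        // NOTE(review): a unique value in a copied conf presumably keeps this
        // principal from reusing a connection cached for a previous one -
        // confirm against HTable/HConnectionManager.
        conf.set("testkey", UUID.randomUUID().toString());
        HTable t = new HTable(conf, TABLE);
        try {
          ResultScanner rs = t.getScanner(new Scan());
          try {
            int rowcnt = 0;
            for (Result r : rs) {
              rowcnt++;
              int rownum = Bytes.toInt(r.getRow());
              if (privateVisible) {
                assertTrue(r.containsColumn(FAMILY, PRIVATE_COL));
                assertEquals("secret " + rownum,
                    Bytes.toString(r.getValue(FAMILY, PRIVATE_COL)));
              } else {
                // The negative check matters most: a filtered cell must be
                // absent, not merely empty.
                assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
              }
              assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
              assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
            }
            assertEquals("Expected " + expectedRows + " rows returned", expectedRows, rowcnt);
          } finally {
            // The scanner holds a server-side lease; close it independently of
            // the table.
            rs.close();
          }
        } finally {
          t.close();
        }
        return null;
      }
    });
  }
}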