18 package org.apache.hadoop.hbase.zookeeper;
19
20 import static org.junit.Assert.assertEquals;
21 import static org.junit.Assert.assertTrue;
22
23 import java.io.File;
24 import java.io.FileWriter;
25 import java.io.IOException;
26 import java.util.List;
27
28 import org.apache.commons.logging.Log;
29 import org.apache.commons.logging.LogFactory;
30 import org.apache.hadoop.conf.Configuration;
31 import org.apache.hadoop.hbase.*;
32 import org.apache.hadoop.hbase.zookeeper.ZKUtil;
33 import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
34 import org.apache.zookeeper.ZooDefs;
35 import org.apache.zookeeper.data.ACL;
36 import org.apache.zookeeper.data.Stat;
37
38 import org.junit.AfterClass;
39 import org.junit.Before;
40 import org.junit.BeforeClass;
41 import org.junit.Test;
42 import org.junit.experimental.categories.Category;
43
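/**
 * Checks the ZooKeeper ACLs found on HBase znodes when the mini cluster is
 * started with a JAAS configuration that logs the ZooKeeper client in as user
 * "hbase" through {@code DigestLoginModule}.
 *
 * <p>Expectations encoded by the tests: {@code /hbase} and a znode created with
 * {@link ZKUtil#createWithParents} carry a single {@code sasl:hbase} entry with
 * all permissions; {@code /hbase/root-region-server}, {@code /hbase/master} and
 * {@code /hbase/hbaseid} carry exactly two entries, a read-only
 * {@code world:anyone} entry and a {@code sasl:hbase} entry.
 *
 * <p>NOTE(review): {@code secureZKAvailable} is only ever assigned
 * {@code false} in this file, so every ACL test below returns before its first
 * assertion and {@link #tearDownAfterClass()} never shuts the mini cluster
 * down. A green run therefore says nothing about the ACLs actually present on
 * the znodes. Setting the flag to {@code true} after a successful cluster start
 * looks like the intent, but {@link #testIsZooKeeperSecure()} compares the flag
 * with {@code ZKUtil.isSecureZooKeeper}; confirm against that method before
 * changing it.
 */
@Category(MediumTests.class)
public class TestZooKeeperACL {
  private static final Log LOG = LogFactory.getLog(TestZooKeeperACL.class);
  private static final HBaseTestingUtility TEST_UTIL =
      new HBaseTestingUtility();

  /** System property naming the JAAS login configuration file. */
  private static final String JAAS_CONF_PROPERTY =
      "java.security.auth.login.config";

  private static ZooKeeperWatcher zkw;
  // Never set to true anywhere in this class; see the class comment.
  private static boolean secureZKAvailable;

  /**
   * Writes the JAAS configuration, points the JVM at it, enables the SASL
   * authentication provider for ZooKeeper and starts the mini cluster.
   *
   * @throws Exception if the JAAS file cannot be written or the watcher cannot
   *     be created; an {@link IOException} from the cluster start is logged and
   *     swallowed so that the tests are skipped instead of failing
   */
  @BeforeClass
  public static void setUpBeforeClass() throws Exception {
    File saslConfFile = writeTempFile("jaas.conf", "" +
        "Server {\n" +
        "org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
        "user_hbase=\"secret\";\n" +
        "};\n" +
        "Client {\n" +
        "org.apache.zookeeper.server.auth.DigestLoginModule required\n" +
        "username=\"hbase\"\n" +
        "password=\"secret\";\n" +
        "};" + "\n");
    // The file holds the (test-only) digest password in clear text; do not
    // leave it behind in the shared temp directory once the JVM exits.
    saslConfFile.deleteOnExit();
    System.setProperty(JAAS_CONF_PROPERTY, saslConfFile.getAbsolutePath());
    System.setProperty("zookeeper.authProvider.1",
        "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");

    TEST_UTIL.getConfiguration().setBoolean("dfs.support.append", true);
    TEST_UTIL.getConfiguration().setInt("hbase.zookeeper.property.maxClientCnxns", 1000);

    try {
      TEST_UTIL.startMiniCluster();
    } catch (IOException e) {
      // The log message attributes a failed start to a Hadoop build that lacks
      // HADOOP-7070; the ACL tests are skipped in that case.
      LOG.warn("Hadoop is missing HADOOP-7070", e);
      secureZKAvailable = false;
      return;
    }
    // NOTE(review): the identifier comes from TestZooKeeper, not from this
    // class; presumably a copy/paste, confirm before changing.
    zkw = new ZooKeeperWatcher(
        new Configuration(TEST_UTIL.getConfiguration()),
        TestZooKeeper.class.getName(), null);
  }

  /**
   * Shuts the mini cluster down, but only when {@code secureZKAvailable} is
   * set.
   *
   * @throws Exception if the shutdown fails
   */
  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    // NOTE(review): with the flag never true, a cluster that did start is left
    // running; see the class comment.
    if (!secureZKAvailable) {
      return;
    }
    TEST_UTIL.shutdownMiniCluster();
  }

  /**
   * Makes sure at least two region servers are available before each test.
   *
   * @throws Exception if the region servers cannot be made available
   */
  @Before
  public void setUp() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    TEST_UTIL.ensureSomeRegionServersAvailable(2);
  }

  /**
   * The root znode must be accessible to {@code sasl:hbase} only, with all
   * permissions.
   */
  @Test(timeout = 30000)
  public void testHBaseRootZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertOnlyHBaseOwner("/hbase");
  }

  /**
   * {@code /hbase/root-region-server} must be world-readable and owned by
   * {@code sasl:hbase}.
   */
  @Test(timeout = 30000)
  public void testHBaseRootRegionServerZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertWorldReadableAndHBaseOwned("/hbase/root-region-server");
  }

  /**
   * {@code /hbase/master} must be world-readable and owned by
   * {@code sasl:hbase}.
   */
  @Test(timeout = 30000)
  public void testHBaseMasterServerZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertWorldReadableAndHBaseOwned("/hbase/master");
  }

  /**
   * {@code /hbase/hbaseid} must be world-readable and owned by
   * {@code sasl:hbase}.
   */
  @Test(timeout = 30000)
  public void testHBaseIDZNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }
    assertWorldReadableAndHBaseOwned("/hbase/hbaseid");
  }

  /**
   * A znode created outside the HBase root through
   * {@link ZKUtil#createWithParents} must be accessible to {@code sasl:hbase}
   * only, with all permissions.
   */
  @Test
  public void testOutsideHBaseNodeACL() throws Exception {
    if (!secureZKAvailable) {
      return;
    }

    ZKUtil.createWithParents(zkw, "/testACLNode");
    assertOnlyHBaseOwner("/testACLNode");
  }

  /**
   * {@code ZKUtil.isSecureZooKeeper} must agree with {@code secureZKAvailable}
   * under the JAAS configuration installed by {@link #setUpBeforeClass()}, and
   * must report {@code false} once the JAAS property points at an empty file.
   */
  @Test
  public void testIsZooKeeperSecure() throws Exception {
    boolean testJaasConfig =
        ZKUtil.isSecureZooKeeper(new Configuration(TEST_UTIL.getConfiguration()));
    assertEquals(secureZKAvailable, testJaasConfig);

    String previousJaasConf = System.getProperty(JAAS_CONF_PROPERTY);
    File emptyJaasConf = writeTempFile("fakeJaas.conf", "");
    try {
      System.setProperty(JAAS_CONF_PROPERTY, emptyJaasConf.getAbsolutePath());

      testJaasConfig =
          ZKUtil.isSecureZooKeeper(new Configuration(TEST_UTIL.getConfiguration()));
      assertEquals(false, testJaasConfig);
    } finally {
      // Put the JVM-wide property back so that later tests do not run against
      // a JAAS path that refers to a deleted file, and remove the temp file
      // even when an assertion above fails.
      if (previousJaasConf == null) {
        System.clearProperty(JAAS_CONF_PROPERTY);
      } else {
        System.setProperty(JAAS_CONF_PROPERTY, previousJaasConf);
      }
      emptyJaasConf.delete();
    }
  }

  /** Creates a temp file with the given suffix and contents, closing the writer on every path. */
  private static File writeTempFile(String suffix, String contents) throws IOException {
    File file = File.createTempFile("tmp", suffix);
    FileWriter writer = new FileWriter(file);
    try {
      writer.write(contents);
    } finally {
      writer.close();
    }
    return file;
  }

  /** Reads the ACL list of {@code znode} through the watcher's ZooKeeper handle. */
  private static List<ACL> readAcls(String znode) throws Exception {
    return zkw.getRecoverableZooKeeper().getZooKeeper().getACL(znode, new Stat());
  }

  /** Asserts that {@code znode} has exactly one ACL entry: {@code sasl:hbase} with all permissions. */
  private static void assertOnlyHBaseOwner(String znode) throws Exception {
    List<ACL> acls = readAcls(znode);
    assertEquals(1, acls.size());
    ACL owner = acls.get(0);
    assertEquals("sasl", owner.getId().getScheme());
    assertEquals("hbase", owner.getId().getId());
    assertEquals(ZooDefs.Perms.ALL, owner.getPerms());
  }

  /**
   * Asserts that {@code znode} has exactly two ACL entries, in either order: a
   * read-only {@code world:anyone} entry and a {@code sasl:hbase} entry.
   */
  private static void assertWorldReadableAndHBaseOwned(String znode) throws Exception {
    List<ACL> acls = readAcls(znode);
    assertEquals(2, acls.size());

    boolean foundWorldReadableAcl = false;
    boolean foundHBaseOwnerAcl = false;
    for (ACL acl : acls) {
      // Check the entry that was matched, not a fixed index: the original
      // looked at positions 0 and 1 regardless of which entry had the scheme,
      // which only held for one ordering of the list.
      String scheme = acl.getId().getScheme();
      if ("world".equals(scheme)) {
        assertEquals("anyone", acl.getId().getId());
        assertEquals(ZooDefs.Perms.READ, acl.getPerms());
        foundWorldReadableAcl = true;
      } else if ("sasl".equals(scheme)) {
        assertEquals("hbase", acl.getId().getId());
        // NOTE(review): the owner entry's permission bits are not asserted
        // here, unlike in assertOnlyHBaseOwner; confirm the expected value and
        // add the check.
        foundHBaseOwnerAcl = true;
      } else {
        assertTrue("unexpected ACL scheme on " + znode + ": " + scheme, false);
      }
    }
    assertTrue(foundWorldReadableAcl);
    assertTrue(foundHBaseOwnerAcl);
  }
}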