18 package org.apache.hadoop.hbase.security.visibility;
19
20 import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
21 import static org.junit.Assert.assertEquals;
22 import static org.junit.Assert.assertTrue;
23
24 import java.io.IOException;
25 import java.security.PrivilegedExceptionAction;
26 import java.util.ArrayList;
27 import java.util.List;
28
29 import org.apache.hadoop.conf.Configuration;
30 import org.apache.hadoop.hbase.HBaseTestingUtility;
31 import org.apache.hadoop.hbase.MediumTests;
32 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
33 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
34 import org.apache.hadoop.hbase.security.User;
35 import org.apache.hadoop.hbase.util.Bytes;
36 import org.junit.AfterClass;
37 import org.junit.BeforeClass;
38 import org.junit.Rule;
39 import org.junit.Test;
40 import org.junit.experimental.categories.Category;
41 import org.junit.rules.TestName;
42
43 import com.google.protobuf.ByteString;
44
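/**
 * Exercises the visibility-label authorization operations ({@code setAuths}, {@code getAuths},
 * {@code clearAuths}) as a superuser and as ordinary users.
 *
 * <p>The mini cluster is configured with {@link VisibilityController} as the only master and
 * region coprocessor set by this class, so the checks asserted here are the ones the visibility
 * layer applies on its own. The expectations are:
 * <ul>
 * <li>a superuser can set and clear auths for a user;</li>
 * <li>a non-superuser gets an {@code AccessDeniedException} entry for every label it tries to set
 * or clear;</li>
 * <li>a non-superuser reading auths gets an empty list back, even for its own user name.</li>
 * </ul>
 */
@Category(MediumTests.class)
public class TestVisibilityLabelsOpWithDifferentUsersNoACL {
  private static final String PRIVATE = "private";
  private static final String CONFIDENTIAL = "confidential";
  private static final String SECRET = "secret";
  // Exception class name the server reports per label when the caller is not allowed to act.
  private static final String ACCESS_DENIED =
      "org.apache.hadoop.hbase.security.AccessDeniedException";
  private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
  private static Configuration conf;

  @Rule
  public final TestName TEST_NAME = new TestName();
  private static User SUPERUSER;
  private static User NORMAL_USER;
  private static User NORMAL_USER1;

  /**
   * Starts a two-node mini cluster with visibility labels enabled, creates the test users and
   * registers the labels used by the test.
   *
   * @throws Exception if the cluster cannot be started or the labels cannot be added
   */
  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    conf = TEST_UTIL.getConfiguration();
    conf.setInt("hfile.format.version", 3);
    // Both "admin" and the OS user running the test are superusers; "user1"/"user2" are not.
    String currentUser = User.getCurrent().getName();
    conf.set("hbase.superuser", "admin," + currentUser);
    conf.set("hbase.coprocessor.master.classes", VisibilityController.class.getName());
    conf.set("hbase.coprocessor.region.classes", VisibilityController.class.getName());
    TEST_UTIL.startMiniCluster(2);

    // The labels table must be online before any label or auth operation is issued.
    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
    NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
    NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {});
    addLabels();
  }

  /**
   * Stops the mini cluster started in {@link #setupBeforeClass()}.
   *
   * @throws Exception if shutdown fails
   */
  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  /**
   * Runs set/get/clear auths under different identities and checks who is allowed to do what.
   *
   * <p>Client-side failures are rethrown from the privileged actions instead of being swallowed,
   * so an unexpected error surfaces with its cause rather than as a {@code NullPointerException}
   * on a {@code null} response.
   *
   * @throws Throwable if any privileged action fails unexpectedly
   */
  @Test
  public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
    final String[] labels = { CONFIDENTIAL, PRIVATE };

    // Superuser may grant auths: every per-label result carries an empty exception value.
    VisibilityLabelsResponse response = SUPERUSER.runAs(setAuthsAction(labels, "user1"));
    assertSucceeded(response);

    // An ordinary user must not be able to grant auths to anyone.
    response = NORMAL_USER1.runAs(setAuthsAction(labels, "user3"));
    assertDenied(response);

    // Ordinary users get an empty auth list back, including "user1" asking about itself.
    PrivilegedExceptionAction<GetAuthsResponse> readUser1Auths = getAuthsAction("user1");
    GetAuthsResponse authsResponse = NORMAL_USER.runAs(readUser1Auths);
    assertTrue(authsResponse.getAuthList().isEmpty());
    authsResponse = NORMAL_USER1.runAs(readUser1Auths);
    assertTrue(authsResponse.getAuthList().isEmpty());

    // The superuser sees exactly the two auths granted above.
    authsResponse = SUPERUSER.runAs(readUser1Auths);
    List<String> authsList = new ArrayList<String>();
    for (ByteString authBS : authsResponse.getAuthList()) {
      authsList.add(Bytes.toString(authBS.toByteArray()));
    }
    assertEquals(2, authsList.size());
    assertTrue(authsList.contains(CONFIDENTIAL));
    assertTrue(authsList.contains(PRIVATE));

    // Revocation follows the same rule: denied for an ordinary user, allowed for the superuser.
    PrivilegedExceptionAction<VisibilityLabelsResponse> clearUser1Auths =
        clearAuthsAction(labels, "user1");
    response = NORMAL_USER1.runAs(clearUser1Auths);
    assertDenied(response);
    response = SUPERUSER.runAs(clearUser1Auths);
    assertSucceeded(response);

    // After the superuser's clear, nothing is left for "user1".
    authsResponse = SUPERUSER.runAs(readUser1Auths);
    assertTrue(authsResponse.getAuthList().isEmpty());
  }

  /** Asserts that the first two per-label results report no exception. */
  private static void assertSucceeded(VisibilityLabelsResponse response) {
    assertTrue(response.getResult(0).getException().getValue().isEmpty());
    assertTrue(response.getResult(1).getException().getValue().isEmpty());
  }

  /** Asserts that the first two per-label results report an access-denied exception. */
  private static void assertDenied(VisibilityLabelsResponse response) {
    assertEquals(ACCESS_DENIED, response.getResult(0).getException().getName());
    assertEquals(ACCESS_DENIED, response.getResult(1).getException().getName());
  }

  /** Builds an action that grants {@code labels} to {@code user} as whoever runs it. */
  private static PrivilegedExceptionAction<VisibilityLabelsResponse> setAuthsAction(
      final String[] labels, final String user) {
    return new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
      @Override
      public VisibilityLabelsResponse run() throws Exception {
        try {
          return VisibilityClient.setAuths(conf, labels, user);
        } catch (Throwable t) {
          // Keep the cause: a swallowed failure would otherwise show up as an NPE in the test.
          throw new IOException(t);
        }
      }
    };
  }

  /** Builds an action that revokes {@code labels} from {@code user} as whoever runs it. */
  private static PrivilegedExceptionAction<VisibilityLabelsResponse> clearAuthsAction(
      final String[] labels, final String user) {
    return new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
      @Override
      public VisibilityLabelsResponse run() throws Exception {
        try {
          return VisibilityClient.clearAuths(conf, labels, user);
        } catch (Throwable t) {
          // Keep the cause: a swallowed failure would otherwise show up as an NPE in the test.
          throw new IOException(t);
        }
      }
    };
  }

  /** Builds an action that reads the auths of {@code user} as whoever runs it. */
  private static PrivilegedExceptionAction<GetAuthsResponse> getAuthsAction(final String user) {
    return new PrivilegedExceptionAction<GetAuthsResponse>() {
      @Override
      public GetAuthsResponse run() throws Exception {
        try {
          return VisibilityClient.getAuths(conf, user);
        } catch (Throwable t) {
          // Keep the cause: a swallowed failure would otherwise show up as an NPE in the test.
          throw new IOException(t);
        }
      }
    };
  }

  /**
   * Registers the labels used by this test, acting as the superuser.
   *
   * @throws Exception if the labels cannot be added
   */
  private static void addLabels() throws Exception {
    PrivilegedExceptionAction<VisibilityLabelsResponse> action =
        new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
          @Override
          public VisibilityLabelsResponse run() throws Exception {
            String[] labels = { SECRET, CONFIDENTIAL, PRIVATE };
            try {
              VisibilityClient.addLabels(conf, labels);
            } catch (Throwable t) {
              throw new IOException(t);
            }
            // The response is not inspected by the caller.
            return null;
          }
        };
    SUPERUSER.runAs(action);
  }
}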