
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase.security.access;
20  
21  import static org.junit.Assert.assertEquals;
22  import static org.junit.Assert.assertFalse;
23  import static org.junit.Assert.assertTrue;
24  
25  import java.security.PrivilegedExceptionAction;
26  import java.util.ArrayList;
27  import java.util.List;
28  import java.util.UUID;
29  
30  import org.apache.hadoop.conf.Configuration;
31  import org.apache.hadoop.hbase.HBaseTestingUtility;
32  import org.apache.hadoop.hbase.HConstants;
33  import org.apache.hadoop.hbase.testclassification.LargeTests;
34  import org.apache.hadoop.hbase.TableName;
35  import org.apache.hadoop.hbase.client.HTable;
36  import org.apache.hadoop.hbase.client.Put;
37  import org.apache.hadoop.hbase.client.Result;
38  import org.apache.hadoop.hbase.client.ResultScanner;
39  import org.apache.hadoop.hbase.client.Scan;
40  import org.apache.hadoop.hbase.client.Table;
41  import org.apache.hadoop.hbase.security.User;
42  import org.apache.hadoop.hbase.util.Bytes;
43  import org.junit.AfterClass;
44  import org.junit.Before;
45  import org.junit.BeforeClass;
46  import org.junit.Rule;
47  import org.junit.Test;
48  import org.junit.experimental.categories.Category;
49  import org.junit.rules.TestName;
50  
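@Category(LargeTests.class)
public class TestAccessControlFilter extends SecureTestUtil {
  @Rule public TestName name = new TestName();
  private static HBaseTestingUtility TEST_UTIL;

  // Three principals with decreasing visibility: table-wide READ, READ on one
  // qualifier only, and no grant at all.
  private static User READER;
  private static User LIMITED;
  private static User DENIED;

  private static TableName TABLE;
  private static byte[] FAMILY = Bytes.toBytes("f1");
  private static byte[] PRIVATE_COL = Bytes.toBytes("private");
  private static byte[] PUBLIC_COL = Bytes.toBytes("public");

  /** Number of rows written by {@link #doQualifierAccess(Table)}. */
  private static final int ROW_COUNT = 100;

  @Before
  public void setup() {
    // One table per test method so runs cannot see each other's grants or data.
    TABLE = TableName.valueOf(name.getMethodName());
  }

  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    TEST_UTIL = new HBaseTestingUtility();
    Configuration conf = TEST_UTIL.getConfiguration();
    // Up the handlers; this test needs more than usual.
    conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
    enableSecurity(conf);
    verifyConfiguration(conf);

    // We expect 0.98 scanning semantics
    conf.setBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, false);

    TEST_UTIL.startMiniCluster();
    TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000);

    READER = User.createUserForTesting(conf, "reader", new String[0]);
    LIMITED = User.createUserForTesting(conf, "limited", new String[0]);
    DENIED = User.createUserForTesting(conf, "denied", new String[0]);
  }

  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }

  @Test (timeout=180000)
  public void testQualifierAccess() throws Exception {
    final Table table = createTable(TEST_UTIL, TABLE, new byte[][] { FAMILY });
    TEST_UTIL.waitUntilAllRegionsAssigned(TABLE);
    try {
      doQualifierAccess(table);
    } finally {
      table.close();
    }
  }

  /**
   * Grants READER table-wide READ and LIMITED READ on {@code f1:public} only, writes
   * {@value #ROW_COUNT} rows carrying both qualifiers, then scans as each principal and
   * checks that the result is narrowed to what the caller may see: READER gets both
   * columns, LIMITED gets only the public column, and DENIED gets an empty result (the
   * scanner opens without error but yields no rows rather than raising an access error).
   *
   * @param table the freshly created test table, owned and closed by the caller
   */
  private void doQualifierAccess(final Table table) throws Exception {
    // set permissions
    SecureTestUtil.grantOnTable(TEST_UTIL, READER.getShortName(), TABLE, null, null,
      Permission.Action.READ);
    SecureTestUtil.grantOnTable(TEST_UTIL, LIMITED.getShortName(), TABLE, FAMILY, PUBLIC_COL,
      Permission.Action.READ);

    // put some test data
    List<Put> puts = new ArrayList<Put>(ROW_COUNT);
    for (int i = 0; i < ROW_COUNT; i++) {
      Put p = new Put(Bytes.toBytes(i));
      p.add(FAMILY, PRIVATE_COL, Bytes.toBytes("secret " + i));
      p.add(FAMILY, PUBLIC_COL, Bytes.toBytes("info " + i));
      puts.add(p);
    }
    table.put(puts);

    // test read
    scanAndVerify(READER, true, ROW_COUNT);

    // test read with qualifier filter
    scanAndVerify(LIMITED, false, ROW_COUNT);

    // test as user with no permission
    scanAndVerify(DENIED, false, 0);
  }

  /**
   * Full-table scans {@link #TABLE} as {@code user} over a fresh connection and verifies
   * every returned row and the row count.
   *
   * @param user principal to run the scan as
   * @param expectPrivate whether {@code f1:private} must be present with its value (true)
   *   or must have been filtered out (false) on each returned row; {@code f1:public} is
   *   always expected on a returned row
   * @param expectedRows number of rows the scan must return
   * @throws Exception from the scan or from the assertions made as {@code user}
   */
  private static void scanAndVerify(User user, final boolean expectPrivate,
      final int expectedRows) throws Exception {
    user.runAs(new PrivilegedExceptionAction<Void>() {
      public Void run() throws Exception {
        Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
        // force a new RS connection
        conf.set("testkey", UUID.randomUUID().toString());
        Table t = new HTable(conf, TABLE);
        try {
          ResultScanner rs = t.getScanner(new Scan());
          // The scanner is a resource of its own; release it even when an assertion fails
          // mid-iteration instead of leaving it open until the table is closed.
          try {
            int rowcnt = 0;
            for (Result r : rs) {
              rowcnt++;
              int rownum = Bytes.toInt(r.getRow());
              if (expectPrivate) {
                assertTrue(r.containsColumn(FAMILY, PRIVATE_COL));
                assertEquals("secret " + rownum,
                  Bytes.toString(r.getValue(FAMILY, PRIVATE_COL)));
              } else {
                assertFalse(r.containsColumn(FAMILY, PRIVATE_COL));
              }
              assertTrue(r.containsColumn(FAMILY, PUBLIC_COL));
              assertEquals("info " + rownum, Bytes.toString(r.getValue(FAMILY, PUBLIC_COL)));
            }
            assertEquals("Expected " + expectedRows + " rows returned", expectedRows, rowcnt);
          } finally {
            rs.close();
          }
        } finally {
          t.close();
        }
        return null;
      }
    });
  }
}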