Package org.apache.hadoop.hbase.security

Examples of org.apache.hadoop.hbase.security.User


    // --------------------------------------
    // table/column/qualifier level permissions
    final byte[] TEST_Q1 = Bytes.toBytes("q1");
    final byte[] TEST_Q2 = Bytes.toBytes("q2");

    User userTable = User.createUserForTesting(conf, "user_check_perms_table", new String[0]);
    User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]);
    User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]);

    SecureTestUtil.grantOnTable(TEST_UTIL, userTable.getShortName(),
      TEST_TABLE.getTableName(), null, null,
      Permission.Action.READ);
    SecureTestUtil.grantOnTable(TEST_UTIL, userColumn.getShortName(),
      TEST_TABLE.getTableName(), TEST_FAMILY, null,
      Permission.Action.READ);
    SecureTestUtil.grantOnTable(TEST_UTIL, userQualifier.getShortName(),
      TEST_TABLE.getTableName(), TEST_FAMILY, TEST_Q1,
      Permission.Action.READ);

    AccessTestAction tableRead = new AccessTestAction() {
      @Override
View Full Code Here


    }
  }

  @Test
  public void testTableDescriptorsEnumeration() throws Exception {
    User TABLE_ADMIN = User.createUserForTesting(conf, "UserA", new String[0]);

    // Grant TABLE ADMIN privs
    SecureTestUtil.grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
      TEST_TABLE.getTableName(), null, null,
      Permission.Action.ADMIN);

    AccessTestAction listTablesAction = new AccessTestAction() {
      @Override
View Full Code Here

    verifyDenied(getTableDescAction, USER_RW, USER_RO, USER_NONE);
  }

  @Test
  public void testTableDeletion() throws Exception {
    User TABLE_ADMIN = User.createUserForTesting(conf, "TestUser", new String[0]);

    // Grant TABLE ADMIN privs
    SecureTestUtil.grantOnTable(TEST_UTIL, TABLE_ADMIN.getShortName(),
      TEST_TABLE.getTableName(), null, null,
      Permission.Action.ADMIN);

    AccessTestAction deleteTableAction = new AccessTestAction() {
      @Override
View Full Code Here

      }
    }

    // Create users for testing, and grant EXEC privileges on our test table
    // only to user A
    User userA = User.createUserForTesting(conf, "UserA", new String[0]);
    User userB = User.createUserForTesting(conf, "UserB", new String[0]);

    SecureTestUtil.grantOnTable(TEST_UTIL, userA.getShortName(),
      TEST_TABLE.getTableName(), null, null,
      Permission.Action.EXEC);

    // Create an action for invoking our test endpoint
    AccessTestAction execEndpointAction = new AccessTestAction() {
      @Override
      public Object run() throws Exception {
        HTable t = new HTable(conf, TEST_TABLE.getTableName());
        try {
          BlockingRpcChannel service = t.coprocessorService(HConstants.EMPTY_BYTE_ARRAY);
          PingCoprocessor.newBlockingStub(service).noop(null, NoopRequest.newBuilder().build());
        } finally {
          t.close();
        }
        return null;
      }
    };

    // Verify that EXEC permission is checked correctly
    verifyDenied(execEndpointAction, userB);
    verifyAllowed(execEndpointAction, userA);

    // Now grant EXEC to the entire namespace to user B
    SecureTestUtil.grantOnNamespace(TEST_UTIL, userB.getShortName(),
      TEST_TABLE.getTableName().getNamespaceAsString(),
      Permission.Action.EXEC);

    // User B should now be allowed also
    verifyAllowed(execEndpointAction, userA, userB);
View Full Code Here

      if (remoteId.getAddress().isUnresolved()) {
        throw new UnknownHostException("unknown host: " +
                                       remoteId.getAddress().getHostName());
      }
      this.remoteId = remoteId;
      User ticket = remoteId.getTicket();
      Class<? extends VersionedProtocol> protocol = remoteId.getProtocol();

      header = new ConnectionHeader(
          protocol == null ? null : protocol.getName(), ticket);

      this.setName("IPC Client (" + socketFactory.hashCode() +") connection to " +
        remoteId.getAddress().toString() +
        ((ticket==null)?" from an unknown user": (" from " + ticket.getName())));
      this.setDaemon(true);
    }
View Full Code Here

          try {
            if (!started)
              throw new ServerNotRunningYetException("Server is not running yet");

            if (LOG.isDebugEnabled()) {
              User remoteUser = call.connection.ticket;
              LOG.debug(getName() + ": call #" + call.id + " executing as "
                  + (remoteUser == null ? "NULL principal" : remoteUser.getName()));
            }

            RequestContext.set(call.connection.ticket, getRemoteIp(),
                call.connection.protocol);
            // make the call
View Full Code Here

    }
    wal.append(hri, tableName, edit, now, htd);
    // sync to fs.
    wal.sync();

    User user = HBaseTestingUtility.getDifferentUser(newConf,
        ".replay.wal.secondtime");
    user.runAs(new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Path p = runWALSplit(newConf);
        LOG.info("WALSplit path == " + p);
        FileSystem newFS = FileSystem.get(newConf);
        // Make a new wal for new region open.
View Full Code Here

            activeRpcCount.increment();
            if (!started)
              throw new ServerNotRunningYetException("Server is not running yet");

            if (LOG.isDebugEnabled()) {
              User remoteUser = call.connection.ticket;
              LOG.debug(getName() + ": call #" + call.id + " executing as "
                  + (remoteUser == null ? "NULL principal" : remoteUser.getName()));
            }

            RequestContext.set(call.connection.ticket, getRemoteIp(),
                call.connection.protocol);
            // make the call
View Full Code Here

    htd.addFamily(new HColumnDescriptor(family1));
    htd.addFamily(new HColumnDescriptor(family2));
    admin.createTable(htd);

    // create temp users
    User tblUser = User
        .createUserForTesting(TEST_UTIL.getConfiguration(), "tbluser", new String[0]);
    User gblUser = User
        .createUserForTesting(TEST_UTIL.getConfiguration(), "gbluser", new String[0]);

    // prepare actions:
    PrivilegedExceptionAction putActionAll = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Put p = new Put(Bytes.toBytes("a"));
        p.add(family1, qualifier, Bytes.toBytes("v1"));
        p.add(family2, qualifier, Bytes.toBytes("v2"));
        HTable t = new HTable(conf, tableName);
        try {
          t.put(p);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction putAction1 = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Put p = new Put(Bytes.toBytes("a"));
        p.add(family1, qualifier, Bytes.toBytes("v1"));
        HTable t = new HTable(conf, tableName);
        try {
          t.put(p);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction putAction2 = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Put p = new Put(Bytes.toBytes("a"));
        p.add(family2, qualifier, Bytes.toBytes("v2"));
        HTable t = new HTable(conf, tableName);
        try {
          t.put(p);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction getActionAll = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Get g = new Get(Bytes.toBytes("random_row"));
        g.addFamily(family1);
        g.addFamily(family2);
        HTable t = new HTable(conf, tableName);
        try {
          t.get(g);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction getAction1 = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Get g = new Get(Bytes.toBytes("random_row"));
        g.addFamily(family1);
        HTable t = new HTable(conf, tableName);
        try {
          t.get(g);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction getAction2 = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Get g = new Get(Bytes.toBytes("random_row"));
        g.addFamily(family2);
        HTable t = new HTable(conf, tableName);
        try {
          t.get(g);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction deleteActionAll = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Delete d = new Delete(Bytes.toBytes("random_row"));
        d.deleteFamily(family1);
        d.deleteFamily(family2);
        HTable t = new HTable(conf, tableName);
        try {
          t.delete(d);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction deleteAction1 = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Delete d = new Delete(Bytes.toBytes("random_row"));
        d.deleteFamily(family1);
        HTable t = new HTable(conf, tableName);
        try {
          t.delete(d);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction deleteAction2 = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Delete d = new Delete(Bytes.toBytes("random_row"));
        d.deleteFamily(family2);
        HTable t = new HTable(conf, tableName);
        try {
          t.delete(d);
        } finally {
          t.close();
        }
        return null;
      }
    };

    // initial check:
    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant table read permission
    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
        Permission.Action.READ));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.READ));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    // check
    verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant table write permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
        Permission.Action.WRITE));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(tblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // revoke table permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
        Permission.Action.READ, Permission.Action.WRITE));
      protocol.revoke(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null));
      protocol.revoke(new UserPermission(Bytes.toBytes(gblUser.getShortName())));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant column family read permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family1,
        Permission.Action.READ));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.READ));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    // Access should be denied for family2
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant column family write permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family2,
        Permission.Action.WRITE));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    // READ from family1, WRITE to family2 are allowed
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyAllowed(tblUser, putAction2, deleteAction2);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1);
    verifyDenied(tblUser, deleteActionAll, deleteAction1);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // revoke column family permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family2));
      protocol.revoke(new UserPermission(Bytes.toBytes(gblUser.getShortName())));
    } finally {
      acl.close();
    }

    Thread.sleep(100);
View Full Code Here

    htd.addFamily(new HColumnDescriptor(family1));
    htd.addFamily(new HColumnDescriptor(family2));
    admin.createTable(htd);

    // create temp users
    User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]);

    PrivilegedExceptionAction getQualifierAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Get g = new Get(Bytes.toBytes("random_row"));
        g.addColumn(family1, qualifier);
        HTable t = new HTable(conf, tableName);
        try {
          t.get(g);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction putQualifierAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Put p = new Put(Bytes.toBytes("random_row"));
        p.add(family1, qualifier, Bytes.toBytes("v1"));
        HTable t = new HTable(conf, tableName);
        try {
          t.put(p);
        } finally {
          t.close();
        }
        return null;
      }
    };
    PrivilegedExceptionAction deleteQualifierAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        Delete d = new Delete(Bytes.toBytes("random_row"));
        d.deleteColumn(family1, qualifier);
        // d.deleteFamily(family1);
        HTable t = new HTable(conf, tableName);
        try {
          t.delete(d);
        } finally {
          t.close();
        }
        return null;
      }
    };

    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1));
    } finally {
      acl.close();
    }

    verifyDenied(user, getQualifierAction);
    verifyDenied(user, putQualifierAction);
    verifyDenied(user, deleteQualifierAction);

    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier, Permission.Action.READ));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyAllowed(user, getQualifierAction);
    verifyDenied(user, putQualifierAction);
    verifyDenied(user, deleteQualifierAction);

    // only grant write permission
    // TODO: comment this portion after HBASE-3583
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier, Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyDenied(user, getQualifierAction);
    verifyAllowed(user, putQualifierAction);
    verifyAllowed(user, deleteQualifierAction);

    // grant both read and write permission.
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier, Permission.Action.READ, Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyAllowed(user, getQualifierAction);
    verifyAllowed(user, putQualifierAction);
    verifyAllowed(user, deleteQualifierAction);

    // revoke family level permission won't impact column level.
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier));
    } finally {
      acl.close();
    }
View Full Code Here

TOP

Related Classes of org.apache.hadoop.hbase.security.User

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.