Package org.apache.hadoop.hbase.security.access

Examples of org.apache.hadoop.hbase.security.access.AccessControllerProtocol


      Coprocessor.PRIORITY_HIGHEST, 1, conf);

    // initilize access control
    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        TEST_TABLE);

     protocol.grant(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
        Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ,
        Permission.Action.WRITE));

      protocol.grant(new UserPermission(Bytes.toBytes(USER_RW.getShortName()), TEST_TABLE,
        TEST_FAMILY, Permission.Action.READ, Permission.Action.WRITE));

      protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE,
        TEST_FAMILY, Permission.Action.READ));

      protocol.grant(new UserPermission(Bytes.toBytes(USER_CREATE.getShortName()), TEST_TABLE, null,
        Permission.Action.CREATE));
   
      protocol.grant(new UserPermission(Bytes.toBytes(USER_RW_ON_TABLE.getShortName()), TEST_TABLE,
        null, Permission.Action.READ, Permission.Action.WRITE));
    } finally {
      acl.close();
    }
  }
View Full Code Here


    PrivilegedExceptionAction grantAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
        try {
          AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
            TEST_TABLE);
          protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE,
            TEST_FAMILY, (byte[]) null, Action.READ));
        } finally {
          acl.close();
        }
        return null;
      }
    };

    PrivilegedExceptionAction revokeAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
        try {
          AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
            TEST_TABLE);
          protocol.revoke(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE,
            TEST_FAMILY, (byte[]) null, Action.READ));
        } finally {
          acl.close();
        }
        return null;
      }
    };

    PrivilegedExceptionAction getPermissionsAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
        try {
          AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
            TEST_TABLE);
          protocol.getUserPermissions(TEST_TABLE);
        } finally {
          acl.close();
        }
        return null;
      }
View Full Code Here

    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant table read permission
    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
        Permission.Action.READ));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.READ));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    // check
    verifyAllowed(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant table write permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
        Permission.Action.WRITE));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(tblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // revoke table permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null,
        Permission.Action.READ, Permission.Action.WRITE));
      protocol.revoke(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, null));
      protocol.revoke(new UserPermission(Bytes.toBytes(gblUser.getShortName())));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyDenied(tblUser, getActionAll, getAction1, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant column family read permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family1,
        Permission.Action.READ));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.READ));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    // Access should be denied for family2
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1, putAction2);
    verifyDenied(tblUser, deleteActionAll, deleteAction1, deleteAction2);

    verifyAllowed(gblUser, getActionAll, getAction1, getAction2);
    verifyDenied(gblUser, putActionAll, putAction1, putAction2);
    verifyDenied(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // grant column family write permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family2,
        Permission.Action.WRITE));
      protocol.grant(new UserPermission(Bytes.toBytes(gblUser.getShortName()),
        Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    // READ from family1, WRITE to family2 are allowed
    verifyAllowed(tblUser, getActionAll, getAction1);
    verifyAllowed(tblUser, putAction2, deleteAction2);
    verifyDenied(tblUser, getAction2);
    verifyDenied(tblUser, putActionAll, putAction1);
    verifyDenied(tblUser, deleteActionAll, deleteAction1);

    verifyDenied(gblUser, getActionAll, getAction1, getAction2);
    verifyAllowed(gblUser, putActionAll, putAction1, putAction2);
    verifyAllowed(gblUser, deleteActionAll, deleteAction1, deleteAction2);

    // revoke column family permission
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(new UserPermission(Bytes.toBytes(tblUser.getShortName()), tableName, family2));
      protocol.revoke(new UserPermission(Bytes.toBytes(gblUser.getShortName())));
    } finally {
      acl.close();
    }

    Thread.sleep(100);
View Full Code Here

      }
    };

    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1));
    } finally {
      acl.close();
    }

    verifyDenied(user, getQualifierAction);
    verifyDenied(user, putQualifierAction);
    verifyDenied(user, deleteQualifierAction);

    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier, Permission.Action.READ));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyAllowed(user, getQualifierAction);
    verifyDenied(user, putQualifierAction);
    verifyDenied(user, deleteQualifierAction);

    // only grant write permission
    // TODO: comment this portion after HBASE-3583
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier, Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyDenied(user, getQualifierAction);
    verifyAllowed(user, putQualifierAction);
    verifyAllowed(user, deleteQualifierAction);

    // grant both read and write permission.
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier, Permission.Action.READ, Permission.Action.WRITE));
    } finally {
      acl.close();
    }

    Thread.sleep(100);

    verifyAllowed(user, getQualifierAction);
    verifyAllowed(user, putQualifierAction);
    verifyAllowed(user, deleteQualifierAction);

    // revoke family level permission won't impact column level.
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(new UserPermission(Bytes.toBytes(user.getShortName()), tableName, family1,
        qualifier));
    } finally {
      acl.close();
    }
View Full Code Here

    admin.createTable(htd);

    List<UserPermission> perms;
    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      perms = protocol.getUserPermissions(tableName);
    } finally {
      acl.close();
    }

    UserPermission ownerperm = new UserPermission(Bytes.toBytes(USER_OWNER.getName()), tableName,
        null, Action.values());
    assertTrue("Owner should have all permissions on table",
      hasFoundUserPermission(ownerperm, perms));

    UserPermission up = new UserPermission(user, tableName, family1, qualifier,
        Permission.Action.READ);
    assertFalse("User should not be granted permission: " + up.toString(),
      hasFoundUserPermission(up, perms));

    // grant read permission
    UserPermission upToSet = new UserPermission(user, tableName, family1, qualifier,
        Permission.Action.READ);

    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(upToSet);
      perms = protocol.getUserPermissions(tableName);
    } finally {
      acl.close();
    }

    UserPermission upToVerify = new UserPermission(user, tableName, family1, qualifier,
        Permission.Action.READ);
    assertTrue("User should be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    upToVerify = new UserPermission(user, tableName, family1, qualifier, Permission.Action.WRITE);
    assertFalse("User should not be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    // grant read+write
    upToSet = new UserPermission(user, tableName, family1, qualifier, Permission.Action.WRITE,
        Permission.Action.READ);
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.grant(upToSet);
      perms = protocol.getUserPermissions(tableName);
    } finally {
      acl.close();
    }

    upToVerify = new UserPermission(user, tableName, family1, qualifier, Permission.Action.WRITE,
        Permission.Action.READ);
    assertTrue("User should be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      protocol.revoke(upToSet);
      perms = protocol.getUserPermissions(tableName);
    } finally {
      acl.close();
    }

    assertFalse("User should not be granted permission: " + upToVerify.toString(),
      hasFoundUserPermission(upToVerify, perms));

    // disable table before modification
    admin.disableTable(tableName);

    User newOwner = User.createUserForTesting(conf, "new_owner", new String[] {});
    htd.setOwner(newOwner);
    admin.modifyTable(tableName, htd);

    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        tableName);
      perms = protocol.getUserPermissions(tableName);
    } finally {
      acl.close();
    }

    UserPermission newOwnerperm = new UserPermission(Bytes.toBytes(newOwner.getName()), tableName,
View Full Code Here

    for (int i = 0; i < actions.length; i++) {
      perms[i] = new Permission(actions[i]);
    }
    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        new byte[0]);
      protocol.checkPermissions(perms);
    } finally {
      acl.close();
    }
  }
View Full Code Here

  }

  public void checkTablePerms(byte[] table, Permission... perms) throws IOException {
    HTable acl = new HTable(conf, table);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        new byte[0]);
      protocol.checkPermissions(perms);
    } finally {
      acl.close();
    }
  }
View Full Code Here

    User userColumn = User.createUserForTesting(conf, "user_check_perms_family", new String[0]);
    User userQualifier = User.createUserForTesting(conf, "user_check_perms_q", new String[0]);

    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        TEST_TABLE);
      grant(protocol, userTable, TEST_TABLE, null, null, Permission.Action.READ);
      grant(protocol, userColumn, TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
      grant(protocol, userQualifier, TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
    } finally {
      acl.close();
    }

    PrivilegedExceptionAction<Void> tableRead = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, null, null, Permission.Action.READ);
        return null;
      }
    };

    PrivilegedExceptionAction<Void> columnRead = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ);
        return null;
      }
    };

    PrivilegedExceptionAction<Void> qualifierRead = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ);
        return null;
      }
    };

    PrivilegedExceptionAction<Void> multiQualifierRead = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, new Permission[] {
            new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q1, Permission.Action.READ),
            new TablePermission(TEST_TABLE, TEST_FAMILY, TEST_Q2, Permission.Action.READ), });
        return null;
      }
    };

    PrivilegedExceptionAction<Void> globalAndTableRead = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, new Permission[] { new Permission(Permission.Action.READ),
            new TablePermission(TEST_TABLE, null, (byte[]) null, Permission.Action.READ), });
        return null;
      }
    };

    PrivilegedExceptionAction<Void> noCheck = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, new Permission[0]);
        return null;
      }
    };

    verifyAllowed(tableRead, SUPERUSER, userTable);
    verifyDenied(tableRead, userColumn, userQualifier);

    verifyAllowed(columnRead, SUPERUSER, userTable, userColumn);
    verifyDenied(columnRead, userQualifier);

    verifyAllowed(qualifierRead, SUPERUSER, userTable, userColumn, userQualifier);

    verifyAllowed(multiQualifierRead, SUPERUSER, userTable, userColumn);
    verifyDenied(multiQualifierRead, userQualifier);

    verifyAllowed(globalAndTableRead, SUPERUSER);
    verifyDenied(globalAndTableRead, userTable, userColumn, userQualifier);

    verifyAllowed(noCheck, SUPERUSER, userTable, userColumn, userQualifier);

    // --------------------------------------
    // test family level multiple permissions
    PrivilegedExceptionAction<Void> familyReadWrite = new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        checkTablePerms(TEST_TABLE, TEST_FAMILY, null, Permission.Action.READ,
          Permission.Action.WRITE);
        return null;
      }
    };

    verifyAllowed(familyReadWrite, SUPERUSER, USER_OWNER, USER_RW);
    verifyDenied(familyReadWrite, USER_NONE, USER_CREATE, USER_RO);

    // --------------------------------------
    // check for wrong table region
    acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        TEST_TABLE);
      try {
        // but ask for TablePermissions for TEST_TABLE
        protocol.checkPermissions(new Permission[] { (Permission) new TablePermission(TEST_TABLE,
          null, (byte[]) null, Permission.Action.CREATE) });
        fail("this should have thrown CoprocessorException");
      } catch (CoprocessorException ex) {
        // expected
      }
View Full Code Here

      Coprocessor.PRIORITY_HIGHEST, 1, conf);

    // initilize access control
    HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
    try {
      AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
        TEST_TABLE);

     protocol.grant(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()),
        Permission.Action.ADMIN, Permission.Action.CREATE, Permission.Action.READ,
        Permission.Action.WRITE));

      protocol.grant(new UserPermission(Bytes.toBytes(USER_RW.getShortName()), TEST_TABLE,
        TEST_FAMILY, Permission.Action.READ, Permission.Action.WRITE));

      protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE,
        TEST_FAMILY, Permission.Action.READ));

      protocol.grant(new UserPermission(Bytes.toBytes(USER_CREATE.getShortName()), TEST_TABLE, null,
        Permission.Action.CREATE));
   
      protocol.grant(new UserPermission(Bytes.toBytes(USER_RW_ON_TABLE.getShortName()), TEST_TABLE,
        null, Permission.Action.READ, Permission.Action.WRITE));
    } finally {
      acl.close();
    }
  }
View Full Code Here

    PrivilegedExceptionAction grantAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
        try {
          AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
            TEST_TABLE);
          protocol.grant(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE,
            TEST_FAMILY, (byte[]) null, Action.READ));
        } finally {
          acl.close();
        }
        return null;
      }
    };

    PrivilegedExceptionAction revokeAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
        try {
          AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
            TEST_TABLE);
          protocol.revoke(new UserPermission(Bytes.toBytes(USER_RO.getShortName()), TEST_TABLE,
            TEST_FAMILY, (byte[]) null, Action.READ));
        } finally {
          acl.close();
        }
        return null;
      }
    };

    PrivilegedExceptionAction getPermissionsAction = new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        HTable acl = new HTable(conf, AccessControlLists.ACL_TABLE_NAME);
        try {
          AccessControllerProtocol protocol = acl.coprocessorProxy(AccessControllerProtocol.class,
            TEST_TABLE);
          protocol.getUserPermissions(TEST_TABLE);
        } finally {
          acl.close();
        }
        return null;
      }
View Full Code Here

TOP

Related Classes of org.apache.hadoop.hbase.security.access.AccessControllerProtocol

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.