Repository: hbase Updated Branches: refs/heads/0.98 3cb0f6590 -> 8f521775e
HBASE-12659 Replace the method calls to grant and revoke in shell scripts with AccessControlClient (Srikanth Srungarapu) Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8f521775 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8f521775 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8f521775 Branch: refs/heads/0.98 Commit: 8f521775ea6466d8c133b4f910ace8914fcbe58d Parents: 3cb0f65 Author: tedyu <[email protected]> Authored: Sun Dec 14 05:43:30 2014 -0800 Committer: tedyu <[email protected]> Committed: Sun Dec 14 05:43:30 2014 -0800 ---------------------------------------------------------------------- .../security/access/AccessControlClient.java | 33 +++++++++++++ .../hbase/security/access/SecureTestUtil.java | 42 ++++++++++++++++ .../security/access/TestAccessController.java | 42 ++++++++++++++++ hbase-shell/src/main/ruby/hbase/security.rb | 50 +++++--------------- 4 files changed, 129 insertions(+), 38 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/8f521775/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java ---------------------------------------------------------------------- diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java index fb008b1..1b44551 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/access/AccessControlClient.java 
@@ -105,6 +105,23 @@ public class AccessControlClient { } } } + + /** + * Grant global permissions for the specified user. + */ + public static void grant(Configuration conf, final String userName, + final Permission.Action... actions) throws Throwable { + HTable ht = null; + try { + ht = getAclTable(conf); + ProtobufUtil.grant(getAccessControlServiceStub(ht), userName, actions); + } finally { + if (ht != null) { + ht.close(); + } + } + } + public static boolean isAccessControllerRunning(Configuration conf) throws MasterNotRunningException, ZooKeeperConnectionException, IOException { HBaseAdmin ha = null; @@ -164,6 +181,22 @@ public class AccessControlClient { } /** + * Revoke global permissions for the specified user. + */ + public static void revoke(Configuration conf, final String userName, + final Permission.Action... actions) throws Throwable { + HTable ht = null; + try { + ht = getAclTable(conf); + ProtobufUtil.revoke(getAccessControlServiceStub(ht), userName, actions); + } finally { + if (ht != null) { + ht.close(); + } + } + } + + /** * List all the userPermissions matching the given pattern. * @param conf * @param tableRegex The regular expression string to match against http://git-wip-us.apache.org/repos/asf/hbase/blob/8f521775/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java index af24961..5d979bd 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java 
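Review bot: The Javadoc on the new `grant(Configuration, String, Permission.Action...)` overload names neither its parameters nor the meaning of `throws Throwable`, while the existing `getUserPermissions` Javadoc a few lines below lists `@param conf` and `@param tableRegex`; the new `revoke` in the second hunk has the same gap. Add `@param conf`, `@param userName the user that receives (or loses) the permission cluster-wide`, `@param actions` and `@throws Throwable` so a reader sees at the call site that this is the global, not table- or namespace-scoped, variant. Declaring `throws Throwable` forces every caller to catch `Throwable` (the test utility in this commit does exactly that); if the other overloads in this class carry the same clause, say so in the Javadoc, otherwise consider narrowing it to the exception types `ProtobufUtil.grant` and `getAclTable` actually throw.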
@@ -502,6 +502,27 @@ public class SecureTestUtil { } /** + * Grant global permissions to the given user using AccessControlClient. Will wait until all + * active AccessController instances have updated their permissions caches or will + * throw an exception upon timeout (10 seconds). + */ + public static void grantGlobalUsingAccessControlClient(final HBaseTestingUtility util, + final Configuration conf, final String user, final Permission.Action... actions) + throws Exception { + SecureTestUtil.updateACLs(util, new Callable<Void>() { + @Override + public Void call() throws Exception { + try { + AccessControlClient.grant(conf, user, actions); + } catch (Throwable t) { + t.printStackTrace(); + } + return null; + } + }); + } + + /** * Revoke permissions on a table from the given user. Will wait until all active * AccessController instances have updated their permissions caches or will * throw an exception upon timeout (10 seconds). @@ -546,4 +567,25 @@ public class SecureTestUtil { } }); } + + /** + * Revoke global permissions from the given user using AccessControlClient. Will wait until + * all active AccessController instances have updated their permissions caches or will + * throw an exception upon timeout (10 seconds). + */ + public static void revokeGlobalUsingAccessControlClient(final HBaseTestingUtility util, + final Configuration conf, final String user,final Permission.Action... actions) + throws Exception { + SecureTestUtil.updateACLs(util, new Callable<Void>() { + @Override + public Void call() throws Exception { + try { + AccessControlClient.revoke(conf, user, actions); + } catch (Throwable t) { + t.printStackTrace(); + } + return null; + } + }); + } } http://git-wip-us.apache.org/repos/asf/hbase/blob/8f521775/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- 
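Review bot: The `catch (Throwable t)` inside the `Callable` in `grantGlobalUsingAccessControlClient` prints the stack trace and returns `null`, so a failed `AccessControlClient.grant` is reported to `updateACLs` as success and the caller only learns of it later, when its `verifyAllowed` fails without the root cause; `revokeGlobalUsingAccessControlClient` in the second hunk does the same. Since `call()` already declares `throws Exception`, propagate instead: `} catch (Throwable t) { throw new Exception("AccessControlClient.grant failed for " + user, t); }`, or rethrow `t` unchanged when it is an `Exception`. Whether the pre-existing `grantGlobal`/`revokeGlobal` helpers in this class follow that pattern is not visible in the hunk; if they do, matching them keeps the utility consistent.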
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 233d0f9..36e3bce 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java 
@@ -2126,6 +2126,48 @@ public class TestAccessController extends SecureTestUtil { } @Test + public void testAccessControlClientGlobalGrantRevoke() throws Exception { + // Create user for testing, who has no READ privileges by default. + User testGlobalGrantRevoke = User.createUserForTesting(conf, + "testGlobalGrantRevoke", new String[0]); + AccessTestAction getAction = new AccessTestAction() { + @Override + public Object run() throws Exception { + HTable t = new HTable(conf, TEST_TABLE.getTableName()); + try { + return t.get(new Get(TEST_ROW)); + } finally { + t.close(); + } + } + }; + + verifyDenied(getAction, testGlobalGrantRevoke); + + // Grant table READ permissions to testGlobalGrantRevoke. + try { + grantGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(), + Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.grant. ", e); + } + + // Now testGlobalGrantRevoke should be able to read also + verifyAllowed(getAction, testGlobalGrantRevoke); + + // Revoke table READ permission to testGlobalGrantRevoke. + try { + revokeGlobalUsingAccessControlClient(TEST_UTIL, conf, testGlobalGrantRevoke.getShortName(), + Permission.Action.READ); + } catch (Throwable e) { + LOG.error("error during call of AccessControlClient.revoke ", e); + } + + // Now testGlobalGrantRevoke shouldn't be able read + verifyDenied(getAction, testGlobalGrantRevoke); + } + + @Test public void testAccessControlClientGrantRevokeOnNamespace() throws Exception { // Create user for testing, who has no READ privileges by default. User testNS = User.createUserForTesting(conf, "testNS", new String[0]); http://git-wip-us.apache.org/repos/asf/hbase/blob/8f521775/hbase-shell/src/main/ruby/hbase/security.rb ---------------------------------------------------------------------- diff --git a/hbase-shell/src/main/ruby/hbase/security.rb b/hbase-shell/src/main/ruby/hbase/security.rb index 154c5ca..402c004 100644 
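Review bot: The `try { grantGlobalUsingAccessControlClient(...) } catch (Throwable e) { LOG.error(...) }` in `testAccessControlClientGlobalGrantRevoke` turns a grant failure into a log line and lets the test run on to `verifyAllowed`, so the assertion that then fails carries no cause; the helper already declares `throws Exception`, so the call can be made bare, and the same applies to the revoke block below it. The comments `// Grant table READ permissions to testGlobalGrantRevoke.` and `// Revoke table READ permission to testGlobalGrantRevoke.` describe a table grant while the calls issue a global one; change them to `// Grant global READ permission to testGlobalGrantRevoke.` and `// Revoke global READ permission from testGlobalGrantRevoke.`. If `verifyAllowed` throws, the revoke is skipped and the user presumably keeps global READ for later tests in the same JVM; wrapping the allowed check in `try { ... } finally { revoke... }` would bound that.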
--- a/hbase-shell/src/main/ruby/hbase/security.rb +++ b/hbase-shell/src/main/ruby/hbase/security.rb @@ -37,13 +37,6 @@ module Hbase # TODO: need to validate user name begin - meta_table = org.apache.hadoop.hbase.client.HTable.new(@config, - org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME) - service = meta_table.coprocessorService( - org.apache.hadoop.hbase.HConstants::EMPTY_START_ROW) - - protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos:: - AccessControlService.newBlockingStub(service) perm = org.apache.hadoop.hbase.security.access.Permission.new( permissions.to_java_bytes) @@ -61,9 +54,8 @@ module Hbase raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name) - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( - protocol, user, namespace_name, perm.getActions()) + org.apache.hadoop.hbase.security.access.AccessControlClient.grant( + @config, namespace_name, user, perm.getActions()) else # Table should exist raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) @@ -78,19 +70,13 @@ module Hbase fambytes = family.to_java_bytes if (family != nil) qualbytes = qualifier.to_java_bytes if (qualifier != nil) - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( - protocol, user, tableName, fambytes, - qualbytes, perm.getActions()) + org.apache.hadoop.hbase.security.access.AccessControlClient.grant( + @config, tableName, user, fambytes, qualbytes, perm.getActions()) end else - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.grant( - protocol, user, perm.getActions()) + org.apache.hadoop.hbase.security.access.AccessControlClient.grant( + @config, user, perm.getActions()) end - - ensure - meta_table.close() end end 
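Review bot: After this change the `begin` in `grant` has no `ensure` left (the `ensure meta_table.close()` is removed in the third hunk), so unless a `rescue` sits in the lines between the hunks the `begin ... end` pair is now empty scaffolding around the body; `revoke` in the following hunks ends up the same way. Either drop the pair or leave a one-line comment saying why it stays. The argument order also differs between the old `ProtobufUtil.grant(protocol, user, namespace_name, ...)` and the new `AccessControlClient.grant(@config, namespace_name, user, ...)`; both are plain strings, so a swap would not fail but would grant to the wrong principal, and the hunk passes them in the new order correctly, so a comment such as `# AccessControlClient.grant takes (conf, namespace, user, actions)` next to each call would guard against a future mis-ordering.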
@@ -101,14 +87,6 @@ module Hbase # TODO: need to validate user name begin - meta_table = org.apache.hadoop.hbase.client.HTable.new(@config, - org.apache.hadoop.hbase.security.access.AccessControlLists::ACL_TABLE_NAME) - service = meta_table.coprocessorService( - org.apache.hadoop.hbase.HConstants::EMPTY_START_ROW) - - protocol = org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos:: - AccessControlService.newBlockingStub(service) - if (table_name != nil) #check if the tablename passed is actually a namespace if (isNamespace?(table_name)) @@ -117,9 +95,8 @@ module Hbase raise(ArgumentError, "Can't find a namespace: #{namespace_name}") unless namespace_exists?(namespace_name) tablebytes=table_name.to_java_bytes - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( - protocol, user, namespace_name) + org.apache.hadoop.hbase.security.access.AccessControlClient.revoke( + @config, namespace_name, user) else # Table should exist raise(ArgumentError, "Can't find a table: #{table_name}") unless exists?(table_name) @@ -134,17 +111,14 @@ module Hbase fambytes = family.to_java_bytes if (family != nil) qualbytes = qualifier.to_java_bytes if (qualifier != nil) - # invoke cp endpoint to perform access controlse - org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke( - protocol, user, tableName, fambytes, qualbytes) + org.apache.hadoop.hbase.security.access.AccessControlClient.revoke( + @config, tableName, user, fambytes, qualbytes) end else - # invoke cp endpoint to perform access controlse perm = org.apache.hadoop.hbase.security.access.Permission.new(''.to_java_bytes) - org.apache.hadoop.hbase.protobuf.ProtobufUtil.revoke(protocol, user, perm.getActions()) + org.apache.hadoop.hbase.security.access.AccessControlClient.revoke( + @config, user, perm.getActions()) end - ensure - meta_table.close() end end
