Repository: hbase Updated Branches: refs/heads/master 9e42a9e31 -> 130057f13
http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java index fb22ac0..0c1e761 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/snapshot/SnapshotDescriptionUtils.java @@ -35,7 +35,7 @@ import org.apache.hadoop.hbase.client.ConnectionFactory; import org.apache.hadoop.hbase.security.User; import org.apache.hadoop.hbase.security.access.AccessControlLists; import org.apache.hadoop.hbase.security.access.ShadedAccessControlUtil; -import org.apache.hadoop.hbase.security.access.TablePermission; +import org.apache.hadoop.hbase.security.access.UserPermission; import org.apache.hadoop.hbase.util.EnvironmentEdgeManager; import org.apache.hadoop.hbase.util.FSUtils; import org.apache.yetus.audience.InterfaceAudience; @@ -435,10 +435,10 @@ public final class SnapshotDescriptionUtils { private static SnapshotDescription writeAclToSnapshotDescription(SnapshotDescription snapshot, Configuration conf) throws IOException { - ListMultimap<String, TablePermission> perms = - User.runAsLoginUser(new PrivilegedExceptionAction<ListMultimap<String, TablePermission>>() { + ListMultimap<String, UserPermission> perms = + User.runAsLoginUser(new PrivilegedExceptionAction<ListMultimap<String, UserPermission>>() { @Override - public ListMultimap<String, TablePermission> run() throws Exception { + public ListMultimap<String, UserPermission> run() throws Exception { return AccessControlLists.getTablePermissions(conf, TableName.valueOf(snapshot.getTable())); } http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java index 78bb5f6..1b70054 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java @@ -274,7 +274,7 @@ public class TestAccessController extends SecureTestUtil { public static void tearDownAfterClass() throws Exception { cleanUp(); TEST_UTIL.shutdownMiniCluster(); - int total = TableAuthManager.getTotalRefCount(); + int total = AuthManager.getTotalRefCount(); assertTrue("Unexpected reference count: " + total, total == 0); } @@ -1634,12 +1634,12 @@ public class TestAccessController extends SecureTestUtil { } UserPermission ownerperm = - new UserPermission(Bytes.toBytes(USER_OWNER.getName()), tableName, null, Action.values()); + new UserPermission(USER_OWNER.getName(), tableName, Action.values()); assertTrue("Owner should have all permissions on table", hasFoundUserPermission(ownerperm, perms)); User user = User.createUserForTesting(TEST_UTIL.getConfiguration(), "user", new String[0]); - byte[] userName = Bytes.toBytes(user.getShortName()); + String userName = user.getShortName(); UserPermission up = new UserPermission(userName, tableName, family1, qualifier, Permission.Action.READ); @@ -1725,7 +1725,7 @@ public class TestAccessController extends SecureTestUtil { } UserPermission newOwnerperm = - new UserPermission(Bytes.toBytes(newOwner.getName()), tableName, null, Action.values()); + new UserPermission(newOwner.getName(), tableName, Action.values()); assertTrue("New owner should have all permissions on table", hasFoundUserPermission(newOwnerperm, perms)); } finally { @@ -1749,12 +1749,10 @@ public class TestAccessController extends SecureTestUtil { Collection<String> superUsers = Superusers.getSuperUsers(); List<UserPermission> adminPerms = new ArrayList<>(superUsers.size() + 1); - adminPerms.add(new UserPermission(Bytes.toBytes(USER_ADMIN.getShortName()), - AccessControlLists.ACL_TABLE_NAME, null, null, Bytes.toBytes("ACRW"))); - + adminPerms.add(new UserPermission(USER_ADMIN.getShortName(), Bytes.toBytes("ACRW"))); for(String user: superUsers) { - adminPerms.add(new UserPermission(Bytes.toBytes(user), AccessControlLists.ACL_TABLE_NAME, - null, null, Action.values())); + // Global permission + adminPerms.add(new UserPermission(user, Action.values())); } assertTrue("Only super users, global users and user admin has permission on table hbase:acl " + "per setup", perms.size() == 5 + superUsers.size() && @@ -2432,7 +2430,7 @@ public class TestAccessController extends SecureTestUtil { verifyAllowed(getAction, testGrantRevoke); verifyDenied(putAction, testGrantRevoke); - // Grant global READ permissions to testGrantRevoke. + // Grant global WRITE permissions to testGrantRevoke. try { grantGlobalUsingAccessControlClient(TEST_UTIL, systemUserConnection, userName, Permission.Action.WRITE); @@ -2757,8 +2755,11 @@ public class TestAccessController extends SecureTestUtil { assertTrue(namespacePermissions != null); assertEquals(expectedAmount, namespacePermissions.size()); for (UserPermission namespacePermission : namespacePermissions) { - assertFalse(namespacePermission.isGlobal()); // Verify it is not a global user permission - assertEquals(expectedNamespace, namespacePermission.getNamespace()); // Verify namespace is set + // Verify it is not a global user permission + assertFalse(namespacePermission.getAccessScope() == Permission.Scope.GLOBAL); + // Verify namespace is set + NamespacePermission nsPerm = (NamespacePermission) namespacePermission.getPermission(); + assertEquals(expectedNamespace, nsPerm.getNamespace()); } } catch (Throwable thw) { throw new HBaseException(thw); @@ -3125,8 +3126,8 @@ public class TestAccessController extends SecureTestUtil { Permission.Action[] expectedAction = { Action.READ }; boolean userFound = false; for (UserPermission p : userPermissions) { - if (testUserPerms.getShortName().equals(Bytes.toString(p.getUser()))) { - assertArrayEquals(expectedAction, p.getActions()); + if (testUserPerms.getShortName().equals(p.getUser())) { + assertArrayEquals(expectedAction, p.getPermission().getActions()); userFound = true; break; } @@ -3593,15 +3594,24 @@ public class TestAccessController extends SecureTestUtil { assertEquals(resultCount, userPermissions.size()); for (UserPermission perm : userPermissions) { - if (cf != null) { - assertTrue(Bytes.equals(cf, perm.getFamily())); - } - if (cq != null) { - assertTrue(Bytes.equals(cq, perm.getQualifier())); - } - if (userName != null - && (superUsers == null || !superUsers.contains(Bytes.toString(perm.getUser())))) { - assertTrue(userName.equals(Bytes.toString(perm.getUser()))); + if (perm.getPermission() instanceof TablePermission) { + TablePermission tablePerm = (TablePermission) perm.getPermission(); + if (cf != null) { + assertTrue(Bytes.equals(cf, tablePerm.getFamily())); + } + if (cq != null) { + assertTrue(Bytes.equals(cq, tablePerm.getQualifier())); + } + if (userName != null + && (superUsers == null || !superUsers.contains(perm.getUser()))) { + assertTrue(userName.equals(perm.getUser())); + } + } else if (perm.getPermission() instanceof NamespacePermission || + perm.getPermission() instanceof GlobalPermission) { + if (userName != null && + (superUsers == null || !superUsers.contains(perm.getUser()))) { + assertTrue(userName.equals(perm.getUser())); + } } } } http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java index 21c1438..eb2a5ac 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController2.java @@ -201,17 +201,17 @@ public class TestAccessController2 extends SecureTestUtil { TEST_UTIL.waitTableAvailable(TEST_TABLE.getTableName()); // Verify that owner permissions have been granted to the test user on the // table just created - List<TablePermission> perms = + List<UserPermission> perms = AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()) .get(testUser.getShortName()); assertNotNull(perms); assertFalse(perms.isEmpty()); // Should be RWXCA - assertTrue(perms.get(0).implies(Permission.Action.READ)); - assertTrue(perms.get(0).implies(Permission.Action.WRITE)); - assertTrue(perms.get(0).implies(Permission.Action.EXEC)); - assertTrue(perms.get(0).implies(Permission.Action.CREATE)); - assertTrue(perms.get(0).implies(Permission.Action.ADMIN)); + assertTrue(perms.get(0).getPermission().implies(Permission.Action.READ)); + assertTrue(perms.get(0).getPermission().implies(Permission.Action.WRITE)); + assertTrue(perms.get(0).getPermission().implies(Permission.Action.EXEC)); + assertTrue(perms.get(0).getPermission().implies(Permission.Action.CREATE)); + assertTrue(perms.get(0).getPermission().implies(Permission.Action.ADMIN)); } @Test http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java index 6ca2ef8..7b10e3f 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController3.java @@ -57,7 +57,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * Performs checks for reference counting w.r.t. TableAuthManager which is used by + * Performs checks for reference counting w.r.t. AuthManager which is used by * AccessController. * * NOTE: Only one test in here. In AMv2, there is problem deleting because http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java index 66e37bc..d37794d 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestNamespaceCommands.java @@ -206,11 +206,9 @@ public class TestNamespaceCommands extends SecureTestUtil { String userTestNamespace = "userTestNsp"; Table acl = UTIL.getConnection().getTable(AccessControlLists.ACL_TABLE_NAME); try { - ListMultimap<String, TablePermission> perms = - AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); - - perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); - for (Map.Entry<String, TablePermission> entry : perms.entries()) { + ListMultimap<String, UserPermission> perms = + AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); + for (Map.Entry<String, UserPermission> entry : perms.entries()) { LOG.debug(Objects.toString(entry)); } assertEquals(6, perms.size()); @@ -223,15 +221,13 @@ public class TestNamespaceCommands extends SecureTestUtil { assertTrue(result != null); perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE); assertEquals(7, perms.size()); - List<TablePermission> namespacePerms = perms.get(userTestNamespace); + List<UserPermission> namespacePerms = perms.get(userTestNamespace); assertTrue(perms.containsKey(userTestNamespace)); assertEquals(1, namespacePerms.size()); assertEquals(TEST_NAMESPACE, - namespacePerms.get(0).getNamespace()); - assertEquals(null, namespacePerms.get(0).getFamily()); - assertEquals(null, namespacePerms.get(0).getQualifier()); - assertEquals(1, namespacePerms.get(0).getActions().length); - assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getActions()[0]); + ((NamespacePermission) namespacePerms.get(0).getPermission()).getNamespace()); + assertEquals(1, namespacePerms.get(0).getPermission().getActions().length); + assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getPermission().getActions()[0]); // Revoke and check state in ACL table revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE, http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java index 55873bb..5aa9ed6 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.java @@ -147,8 +147,10 @@ public class TestRpcAccessChecks { User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN }); // Assign permissions to users and groups - SecureTestUtil.grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN); - SecureTestUtil.grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN); + SecureTestUtil.grantGlobal(TEST_UTIL, USER_ADMIN.getShortName(), + Permission.Action.ADMIN, Permission.Action.CREATE); + SecureTestUtil.grantGlobal(TEST_UTIL, toGroupEntry(GROUP_ADMIN), + Permission.Action.ADMIN, Permission.Action.CREATE); // No permissions to USER_NON_ADMIN } http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java index 7243690..1c478b2 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java @@ -143,26 +143,24 @@ public class TestTablePermissions { try (Connection connection = ConnectionFactory.createConnection(conf)) { // add some permissions addUserPermission(conf, - new UserPermission(Bytes.toBytes("george"), TEST_TABLE, null, (byte[])null, - UserPermission.Action.READ, UserPermission.Action.WRITE), - connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("george", TEST_TABLE, Permission.Action.READ, Permission.Action.WRITE), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("hubert"), TEST_TABLE, null, (byte[])null, - UserPermission.Action.READ), - connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("hubert", TEST_TABLE, Permission.Action.READ), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("humphrey"), - TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, - UserPermission.Action.READ), - connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("humphrey", TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, + Permission.Action.READ), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); } // retrieve the same - ListMultimap<String,TablePermission> perms = + ListMultimap<String, UserPermission> perms = AccessControlLists.getTablePermissions(conf, TEST_TABLE); - List<TablePermission> userPerms = perms.get("george"); + List<UserPermission> userPerms = perms.get("george"); assertNotNull("Should have permissions for george", userPerms); assertEquals("Should have 1 permission for george", 1, userPerms.size()); - TablePermission permission = userPerms.get(0); + assertEquals(Permission.Scope.TABLE, userPerms.get(0).getAccessScope()); + TablePermission permission = (TablePermission) userPerms.get(0).getPermission(); assertEquals("Permission should be for " + TEST_TABLE, TEST_TABLE, permission.getTableName()); assertNull("Column family should be empty", permission.getFamily()); @@ -170,14 +168,15 @@ public class TestTablePermissions { // check actions assertNotNull(permission.getActions()); assertEquals(2, permission.getActions().length); - List<TablePermission.Action> actions = Arrays.asList(permission.getActions()); + List<Permission.Action> actions = Arrays.asList(permission.getActions()); assertTrue(actions.contains(TablePermission.Action.READ)); assertTrue(actions.contains(TablePermission.Action.WRITE)); userPerms = perms.get("hubert"); assertNotNull("Should have permissions for hubert", userPerms); assertEquals("Should have 1 permission for hubert", 1, userPerms.size()); - permission = userPerms.get(0); + assertEquals(Permission.Scope.TABLE, userPerms.get(0).getAccessScope()); + permission = (TablePermission) userPerms.get(0).getPermission(); assertEquals("Permission should be for " + TEST_TABLE, TEST_TABLE, permission.getTableName()); assertNull("Column family should be empty", permission.getFamily()); @@ -192,7 +191,8 @@ public class TestTablePermissions { userPerms = perms.get("humphrey"); assertNotNull("Should have permissions for humphrey", userPerms); assertEquals("Should have 1 permission for humphrey", 1, userPerms.size()); - permission = userPerms.get(0); + assertEquals(Permission.Scope.TABLE, userPerms.get(0).getAccessScope()); + permission = (TablePermission) userPerms.get(0).getPermission(); assertEquals("Permission should be for " + TEST_TABLE, TEST_TABLE, permission.getTableName()); assertTrue("Permission should be for family " + Bytes.toString(TEST_FAMILY), @@ -211,11 +211,11 @@ public class TestTablePermissions { try (Connection connection = ConnectionFactory.createConnection(conf); Table table = connection.getTable(AccessControlLists.ACL_TABLE_NAME)) { AccessControlLists.addUserPermission(conf, - new UserPermission(Bytes.toBytes("hubert"), TEST_TABLE2, null, (byte[])null, - TablePermission.Action.READ, TablePermission.Action.WRITE), table); + new UserPermission("hubert", TEST_TABLE2, Permission.Action.READ, Permission.Action.WRITE), + table); } // check full load - Map<byte[], ListMultimap<String,TablePermission>> allPerms = + Map<byte[], ListMultimap<String, UserPermission>> allPerms = AccessControlLists.loadAll(conf); assertEquals("Full permission map should have entries for both test tables", 2, allPerms.size()); @@ -223,20 +223,22 @@ public class TestTablePermissions { userPerms = allPerms.get(TEST_TABLE.getName()).get("hubert"); assertNotNull(userPerms); assertEquals(1, userPerms.size()); - permission = userPerms.get(0); + assertEquals(Permission.Scope.TABLE, userPerms.get(0).getAccessScope()); + permission = (TablePermission) userPerms.get(0).getPermission(); assertEquals(TEST_TABLE, permission.getTableName()); assertEquals(1, permission.getActions().length); - assertEquals(TablePermission.Action.READ, permission.getActions()[0]); + assertEquals(Permission.Action.READ, permission.getActions()[0]); userPerms = allPerms.get(TEST_TABLE2.getName()).get("hubert"); assertNotNull(userPerms); assertEquals(1, userPerms.size()); - permission = userPerms.get(0); + assertEquals(Permission.Scope.TABLE, userPerms.get(0).getAccessScope()); + permission = (TablePermission) userPerms.get(0).getPermission(); assertEquals(TEST_TABLE2, permission.getTableName()); assertEquals(2, permission.getActions().length); actions = Arrays.asList(permission.getActions()); - assertTrue(actions.contains(TablePermission.Action.READ)); - assertTrue(actions.contains(TablePermission.Action.WRITE)); + assertTrue(actions.contains(Permission.Action.READ)); + assertTrue(actions.contains(Permission.Action.WRITE)); } @Test @@ -244,30 +246,27 @@ public class TestTablePermissions { Configuration conf = UTIL.getConfiguration(); try (Connection connection = ConnectionFactory.createConnection(conf)) { addUserPermission(conf, - new UserPermission(Bytes.toBytes("albert"), TEST_TABLE, null, - (byte[])null, TablePermission.Action.READ), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("albert", TEST_TABLE, Permission.Action.READ), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("betty"), TEST_TABLE, null, - (byte[])null, TablePermission.Action.READ, - TablePermission.Action.WRITE), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("betty", TEST_TABLE, Permission.Action.READ, Permission.Action.WRITE), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("clark"), - TEST_TABLE, TEST_FAMILY, - TablePermission.Action.READ), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("clark", TEST_TABLE, TEST_FAMILY, Permission.Action.READ), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("dwight"), - TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, - TablePermission.Action.WRITE), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + new UserPermission("dwight", TEST_TABLE, TEST_FAMILY, TEST_QUALIFIER, + Permission.Action.WRITE), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); } // verify permissions survive changes in table metadata - ListMultimap<String,TablePermission> preperms = + ListMultimap<String, UserPermission> preperms = AccessControlLists.getTablePermissions(conf, TEST_TABLE); Table table = UTIL.getConnection().getTable(TEST_TABLE); - table.put(new Put(Bytes.toBytes("row1")) - .addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("v1"))); - table.put(new Put(Bytes.toBytes("row2")) - .addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("v2"))); + table.put( + new Put(Bytes.toBytes("row1")).addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("v1"))); + table.put( + new Put(Bytes.toBytes("row2")).addColumn(TEST_FAMILY, TEST_QUALIFIER, Bytes.toBytes("v2"))); Admin admin = UTIL.getAdmin(); try { admin.split(TEST_TABLE); @@ -283,7 +282,7 @@ public class TestTablePermissions { // wait for split Thread.sleep(10000); - ListMultimap<String,TablePermission> postperms = + ListMultimap<String, UserPermission> postperms = AccessControlLists.getTablePermissions(conf, TEST_TABLE); checkMultimapEqual(preperms, postperms); @@ -292,41 +291,42 @@ public class TestTablePermissions { @Test public void testSerialization() throws Exception { Configuration conf = UTIL.getConfiguration(); - ListMultimap<String,TablePermission> permissions = createPermissions(); + ListMultimap<String, UserPermission> permissions = createPermissions(); byte[] permsData = AccessControlLists.writePermissionsAsBytes(permissions, conf); - ListMultimap<String, TablePermission> copy = - AccessControlLists.readPermissions(permsData, conf); + ListMultimap<String, UserPermission> copy = + AccessControlLists.readUserPermission(permsData, conf); checkMultimapEqual(permissions, copy); } - private ListMultimap<String,TablePermission> createPermissions() { - ListMultimap<String,TablePermission> permissions = ArrayListMultimap.create(); - permissions.put("george", new TablePermission(TEST_TABLE, null, - TablePermission.Action.READ)); - permissions.put("george", new TablePermission(TEST_TABLE, TEST_FAMILY, - TablePermission.Action.WRITE)); - permissions.put("george", new TablePermission(TEST_TABLE2, null, - TablePermission.Action.READ)); - permissions.put("hubert", new TablePermission(TEST_TABLE2, null, - TablePermission.Action.READ, TablePermission.Action.WRITE)); - permissions.put("bruce",new TablePermission(TEST_NAMESPACE, - TablePermission.Action.READ)); + private ListMultimap<String, UserPermission> createPermissions() { + ListMultimap<String, UserPermission> permissions = ArrayListMultimap.create(); + permissions.put("george", + new UserPermission("george", TEST_TABLE, Permission.Action.READ)); + permissions.put("george", + new UserPermission("george", TEST_TABLE, TEST_FAMILY, Permission.Action.WRITE)); + permissions.put("george", + new UserPermission("george", TEST_TABLE2, Permission.Action.READ)); + permissions.put("hubert", + new UserPermission("hubert", TEST_TABLE2, Permission.Action.READ, + Permission.Action.WRITE)); + permissions.put("bruce", + new UserPermission("bruce", TEST_NAMESPACE, Permission.Action.READ)); return permissions; } - public void checkMultimapEqual(ListMultimap<String,TablePermission> first, - ListMultimap<String,TablePermission> second) { + public void checkMultimapEqual(ListMultimap<String, UserPermission> first, + ListMultimap<String, UserPermission> second) { assertEquals(first.size(), second.size()); for (String key : first.keySet()) { - List<TablePermission> firstPerms = first.get(key); - List<TablePermission> secondPerms = second.get(key); + List<UserPermission> firstPerms = first.get(key); + List<UserPermission> secondPerms = second.get(key); assertNotNull(secondPerms); assertEquals(firstPerms.size(), secondPerms.size()); LOG.info("First permissions: "+firstPerms.toString()); LOG.info("Second permissions: "+secondPerms.toString()); - for (TablePermission p : firstPerms) { + for (UserPermission p : firstPerms) { assertTrue("Permission "+p.toString()+" not found", secondPerms.contains(p)); } } @@ -334,13 +334,13 @@ public class TestTablePermissions { @Test public void testEquals() throws Exception { - TablePermission p1 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ); - TablePermission p2 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ); + Permission p1 = new TablePermission(TEST_TABLE, Permission.Action.READ); + Permission p2 = new TablePermission(TEST_TABLE, Permission.Action.READ); assertTrue(p1.equals(p2)); assertTrue(p2.equals(p1)); - p1 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ, TablePermission.Action.WRITE); - p2 = new TablePermission(TEST_TABLE, null, TablePermission.Action.WRITE, TablePermission.Action.READ); + p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ, TablePermission.Action.WRITE); + p2 = new TablePermission(TEST_TABLE, TablePermission.Action.WRITE, TablePermission.Action.READ); assertTrue(p1.equals(p2)); assertTrue(p2.equals(p1)); @@ -354,34 +354,30 @@ public class TestTablePermissions { assertTrue(p1.equals(p2)); assertTrue(p2.equals(p1)); - p1 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ); + p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ); p2 = new TablePermission(TEST_TABLE, TEST_FAMILY, TablePermission.Action.READ); assertFalse(p1.equals(p2)); assertFalse(p2.equals(p1)); - p1 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ); - p2 = new TablePermission(TEST_TABLE, null, TablePermission.Action.WRITE); + p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ); + p2 = new TablePermission(TEST_TABLE, TablePermission.Action.WRITE); assertFalse(p1.equals(p2)); assertFalse(p2.equals(p1)); - p2 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ, TablePermission.Action.WRITE); + p2 = new TablePermission(TEST_TABLE, TablePermission.Action.READ, TablePermission.Action.WRITE); assertFalse(p1.equals(p2)); assertFalse(p2.equals(p1)); - p1 = new TablePermission(TEST_TABLE, null, TablePermission.Action.READ); - p2 = new TablePermission(TEST_TABLE2, null, TablePermission.Action.READ); + p1 = new TablePermission(TEST_TABLE, TablePermission.Action.READ); + p2 = new TablePermission(TEST_TABLE2, TablePermission.Action.READ); assertFalse(p1.equals(p2)); assertFalse(p2.equals(p1)); - p2 = new TablePermission(TEST_TABLE, null); - assertFalse(p1.equals(p2)); - assertFalse(p2.equals(p1)); - - p1 = new TablePermission(TEST_NAMESPACE, TablePermission.Action.READ); - p2 = new TablePermission(TEST_NAMESPACE, TablePermission.Action.READ); + p1 = new NamespacePermission(TEST_NAMESPACE, TablePermission.Action.READ); + p2 = new NamespacePermission(TEST_NAMESPACE, TablePermission.Action.READ); assertEquals(p1, p2); - p1 = new TablePermission(TEST_NAMESPACE, TablePermission.Action.READ); - p2 = new TablePermission(TEST_NAMESPACE2, TablePermission.Action.READ); + p1 = new NamespacePermission(TEST_NAMESPACE, TablePermission.Action.READ); + p2 = new NamespacePermission(TEST_NAMESPACE2, TablePermission.Action.READ); assertFalse(p1.equals(p2)); assertFalse(p2.equals(p1)); } @@ -393,56 +389,58 @@ public class TestTablePermissions { // add some permissions try (Connection connection = ConnectionFactory.createConnection(conf)) { addUserPermission(conf, - new UserPermission(Bytes.toBytes("user1"), + new UserPermission("user1", Permission.Action.READ, Permission.Action.WRITE), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("user2"), + new UserPermission("user2", Permission.Action.CREATE), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); addUserPermission(conf, - new UserPermission(Bytes.toBytes("user3"), + new UserPermission("user3", Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.CREATE), connection.getTable(AccessControlLists.ACL_TABLE_NAME)); } - ListMultimap<String,TablePermission> perms = AccessControlLists.getTablePermissions(conf, null); - List<TablePermission> user1Perms = perms.get("user1"); + ListMultimap<String, UserPermission> perms = + AccessControlLists.getTablePermissions(conf, null); + List<UserPermission> user1Perms = perms.get("user1"); assertEquals("Should have 1 permission for user1", 1, user1Perms.size()); assertEquals("user1 should have WRITE permission", new Permission.Action[] { Permission.Action.READ, Permission.Action.WRITE }, - user1Perms.get(0).getActions()); + user1Perms.get(0).getPermission().getActions()); - List<TablePermission> user2Perms = perms.get("user2"); + List<UserPermission> user2Perms = perms.get("user2"); assertEquals("Should have 1 permission for user2", 1, user2Perms.size()); assertEquals("user2 should have CREATE permission", new Permission.Action[] { Permission.Action.CREATE }, - user2Perms.get(0).getActions()); + user2Perms.get(0).getPermission().getActions()); - List<TablePermission> user3Perms = perms.get("user3"); + List<UserPermission> user3Perms = perms.get("user3"); assertEquals("Should have 1 permission for user3", 1, user3Perms.size()); assertEquals("user3 should have ADMIN, READ, CREATE permission", new Permission.Action[] { Permission.Action.READ, Permission.Action.CREATE, Permission.Action.ADMIN }, - user3Perms.get(0).getActions()); + user3Perms.get(0).getPermission().getActions()); } @Test public void testAuthManager() throws Exception { Configuration conf = UTIL.getConfiguration(); - /* test a race condition causing TableAuthManager to sometimes fail global permissions checks + /** + * test a race condition causing AuthManager to sometimes fail global permissions checks * when the global cache is being updated */ - TableAuthManager authManager = TableAuthManager.getOrCreate(ZKW, conf); + AuthManager authManager = AuthManager.getOrCreate(ZKW, conf); // currently running user is the system user and should have global admin perms User currentUser = User.getCurrent(); - assertTrue(authManager.authorize(currentUser, Permission.Action.ADMIN)); + assertTrue(authManager.authorizeUserGlobal(currentUser, Permission.Action.ADMIN)); try (Connection connection = ConnectionFactory.createConnection(conf)) { for (int i=1; i<=50; i++) { - addUserPermission(conf, new UserPermission(Bytes.toBytes("testauth"+i), - Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.WRITE), - connection.getTable(AccessControlLists.ACL_TABLE_NAME)); + addUserPermission(conf, new UserPermission("testauth"+i, + Permission.Action.ADMIN, Permission.Action.READ, Permission.Action.WRITE), + connection.getTable(AccessControlLists.ACL_TABLE_NAME)); // make sure the system user still shows as authorized assertTrue("Failed current user auth check on iter "+i, - authManager.authorize(currentUser, Permission.Action.ADMIN)); + authManager.authorizeUserGlobal(currentUser, Permission.Action.ADMIN)); } } } http://git-wip-us.apache.org/repos/asf/hbase/blob/130057f1/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java ---------------------------------------------------------------------- diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java index c8ab863..cfd6512 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestZKPermissionWatcher.java @@ -41,6 +41,9 @@ import org.junit.experimental.categories.Category; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap; +import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap; + /** * Test the reading and writing of access permissions to and from zookeeper. */ @@ -53,8 +56,8 @@ public class TestZKPermissionWatcher { private static final Logger LOG = LoggerFactory.getLogger(TestZKPermissionWatcher.class); private static final HBaseTestingUtility UTIL = new HBaseTestingUtility(); - private static TableAuthManager AUTH_A; - private static TableAuthManager AUTH_B; + private static AuthManager AUTH_A; + private static AuthManager AUTH_B; private final static Abortable ABORTABLE = new Abortable() { private final AtomicBoolean abort = new AtomicBoolean(false); @@ -81,9 +84,9 @@ public class TestZKPermissionWatcher { // start minicluster UTIL.startMiniCluster(); - AUTH_A = TableAuthManager.getOrCreate(new ZKWatcher(conf, + AUTH_A = AuthManager.getOrCreate(new ZKWatcher(conf, "TestZKPermissionsWatcher_1", ABORTABLE), conf); - AUTH_B = TableAuthManager.getOrCreate(new ZKWatcher(conf, + AUTH_B = AuthManager.getOrCreate(new ZKWatcher(conf, "TestZKPermissionsWatcher_2", ABORTABLE), conf); } @@ -98,30 +101,25 @@ public class TestZKPermissionWatcher { User george = User.createUserForTesting(conf, "george", new String[] { }); User hubert = User.createUserForTesting(conf, "hubert", new String[] { }); - assertFalse(AUTH_A.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_A.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertFalse(AUTH_A.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_A.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.WRITE)); - - assertFalse(AUTH_B.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_B.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertFalse(AUTH_B.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_B.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.WRITE)); + assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); + assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); + + assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); + assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); // update ACL: george RW - List<TablePermission> acl = new ArrayList<>(1); - acl.add(new TablePermission(TEST_TABLE, null, TablePermission.Action.READ, - TablePermission.Action.WRITE)); + List<UserPermission> acl = new ArrayList<>(1); + acl.add(new UserPermission(george.getShortName(), TEST_TABLE, + Permission.Action.READ, Permission.Action.WRITE)); + ListMultimap<String, UserPermission> multimap = ArrayListMultimap.create(); + multimap.putAll(george.getShortName(), acl); + byte[] serialized = AccessControlLists.writePermissionsAsBytes(multimap, conf); + AUTH_A.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized); final long mtimeB = AUTH_B.getMTime(); - AUTH_A.setTableUserPermissions(george.getShortName(), TEST_TABLE, acl); // Wait for the update to propagate UTIL.waitFor(10000, 100, new Predicate<Exception>() { @Override @@ -132,28 +130,22 @@ public class TestZKPermissionWatcher { Thread.sleep(1000); // check it - assertTrue(AUTH_A.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.READ)); - assertTrue(AUTH_A.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertTrue(AUTH_B.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.READ)); - assertTrue(AUTH_B.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertFalse(AUTH_A.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_A.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertFalse(AUTH_B.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_B.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.WRITE)); + assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); + assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); + assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); + assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); + assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); + assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); // update ACL: hubert R - acl = new ArrayList<>(1); - acl.add(new TablePermission(TEST_TABLE, null, TablePermission.Action.READ)); + List<UserPermission> acl2 = new ArrayList<>(1); + acl2.add(new UserPermission(hubert.getShortName(), TEST_TABLE, TablePermission.Action.READ)); final long mtimeA = AUTH_A.getMTime(); - AUTH_B.setTableUserPermissions("hubert", TEST_TABLE, acl); + multimap.putAll(hubert.getShortName(), acl2); + byte[] serialized2 = AccessControlLists.writePermissionsAsBytes(multimap, conf); + AUTH_B.getZKPermissionWatcher().writeToZookeeper(TEST_TABLE.getName(), serialized2); // Wait for the update to propagate UTIL.waitFor(10000, 100, new Predicate<Exception>() { @Override @@ -164,21 +156,13 @@ public class TestZKPermissionWatcher { Thread.sleep(1000); // check it - assertTrue(AUTH_A.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.READ)); - assertTrue(AUTH_A.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertTrue(AUTH_B.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.READ)); - assertTrue(AUTH_B.authorizeUser(george, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertTrue(AUTH_A.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_A.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.WRITE)); - assertTrue(AUTH_B.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.READ)); - assertFalse(AUTH_B.authorizeUser(hubert, TEST_TABLE, null, - TablePermission.Action.WRITE)); + assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); + assertTrue(AUTH_A.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); + assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.READ)); + assertTrue(AUTH_B.authorizeUserTable(george, TEST_TABLE, Permission.Action.WRITE)); + assertTrue(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_A.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); + assertTrue(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.READ)); + assertFalse(AUTH_B.authorizeUserTable(hubert, TEST_TABLE, Permission.Action.WRITE)); } }