// Excerpt from a shell revoke command: the system-permission branch. The enclosing method, the
// catch/finally that closes this try, and the handling of other permission scopes are outside
// this excerpt.
// The branch runs only when the option held in systemOpt was supplied AND permission[0] equals
// "System" (compared case-insensitively).
if (cl.hasOption(systemOpt.getOpt()) && permission[0].equalsIgnoreCase("System")) {
  try {
    // SystemPermission.valueOf throws IllegalArgumentException when permission[1] is not the exact
    // name of an enum constant; the handler for that case is not visible here.
    // NOTE(review): permission is presumably split from operator-supplied text - confirm it is
    // checked to have at least two elements before permission[1] is read.
    shellState.getAccumuloClient().securityOperations().revokeSystemPermission(user,
        SystemPermission.valueOf(permission[1]));
    // Success is recorded at debug level only. This is a client-side trace line, not an audit
    // record; whether the server audits the revocation cannot be seen from this excerpt.
    Shell.log.debug("Revoked from " + user + " the " + permission[1] + " permission");
/**
 * Randomly grants or revokes a single system permission for {@code userName}.
 *
 * <p>The user's current permissions are read first. On a coin flip, one permission the user does
 * not yet hold is granted; otherwise (or when nothing is left to grant) one currently held
 * permission is revoked. {@link SystemPermission#GRANT} is never handed out by this method, but
 * it is not excluded from the revoke path, so a user that already holds GRANT may lose it.
 *
 * @param conn connector whose security operations perform the lookups and the change
 * @param rand source of the grant/revoke decision and of the permission choice
 * @param userName user whose system permissions are modified
 * @throws AccumuloException propagated from the security operations
 * @throws AccumuloSecurityException propagated from the security operations, e.g. when the
 *         connector's user may not change permissions
 */
private void changeSystemPermission(Connector conn, Random rand, String userName)
    throws AccumuloException, AccumuloSecurityException {
  // Snapshot of what the user holds right now, one lookup per permission.
  EnumSet<SystemPermission> held = EnumSet.noneOf(SystemPermission.class);
  for (SystemPermission candidate : SystemPermission.values()) {
    if (conn.securityOperations().hasSystemPermission(userName, candidate)) {
      held.add(candidate);
    }
  }

  // Everything not held is a grant candidate, except GRANT itself.
  EnumSet<SystemPermission> grantable = EnumSet.complementOf(held);
  grantable.remove(SystemPermission.GRANT);

  // The coin is always flipped first so the random sequence does not depend on the set sizes.
  if (rand.nextBoolean() && !grantable.isEmpty()) {
    List<SystemPermission> options = new ArrayList<>(grantable);
    SystemPermission picked = options.get(rand.nextInt(options.size()));
    log.debug("adding permission " + picked);
    conn.securityOperations().grantSystemPermission(userName, picked);
    return;
  }

  if (held.isEmpty()) {
    // Nothing to revoke; leave the user untouched.
    return;
  }

  List<SystemPermission> options = new ArrayList<>(held);
  SystemPermission picked = options.get(rand.nextInt(options.size()));
  log.debug("removing permission " + picked);
  conn.securityOperations().revokeSystemPermission(userName, picked);
}
// Excerpt from a shell revoke command: the system-permission branch, here going through
// shellState.getConnector(). The enclosing method, the catch/finally that closes this try, and
// the handling of other permission scopes are outside this excerpt.
// The branch runs only when the option held in systemOpt was supplied AND permission[0] equals
// "System" (compared case-insensitively).
if (cl.hasOption(systemOpt.getOpt()) && permission[0].equalsIgnoreCase("System")) {
  try {
    // SystemPermission.valueOf throws IllegalArgumentException when permission[1] is not the exact
    // name of an enum constant; the handler for that case is not visible here.
    // NOTE(review): permission is presumably split from operator-supplied text - confirm it is
    // checked to have at least two elements before permission[1] is read.
    shellState.getConnector().securityOperations().revokeSystemPermission(user,
        SystemPermission.valueOf(permission[1]));
    // Success is recorded at debug level only. This is a client-side trace line, not an audit
    // record; whether the server audits the revocation cannot be seen from this excerpt.
    Shell.log.debug("Revoked from " + user + " the " + permission[1] + " permission");
/**
 * Proxy entry point that revokes one system permission from {@code user}.
 *
 * <p>The connector is looked up from {@code login} before the permission is translated, so a
 * failure in {@code getConnector} is raised before the permission id is examined. Every exception
 * raised inside the try block, whatever its type, is passed to {@code handleException}; how that
 * helper maps it onto the declared Thrift exceptions is not visible in this excerpt.
 *
 * @param login opaque login token passed to {@code getConnector}
 * @param user user losing the permission
 * @param perm Thrift-side permission, translated to the core enum by its numeric value
 */
@Override
public void revokeSystemPermission(ByteBuffer login, String user,
    org.apache.accumulo.proxy.thrift.SystemPermission perm)
    throws org.apache.accumulo.proxy.thrift.AccumuloException,
    org.apache.accumulo.proxy.thrift.AccumuloSecurityException, TException {
  try {
    // The Thrift enum value is narrowed to a byte and used as the core permission id.
    // NOTE(review): assumes every Thrift value fits in a byte and matches a core id; what
    // getPermissionById does for an unknown id is not visible here - confirm it rejects it.
    getConnector(login).securityOperations().revokeSystemPermission(user,
        SystemPermission.getPermissionById((byte) perm.getValue()));
  } catch (Exception e) {
    // Broad catch is deliberate at this service boundary: all failures go through one mapper.
    handleException(e);
  }
}
// Excerpt from inside a try block: revokes one system permission through a connection requested
// at ADMIN priority. The try header, any further catch/finally clauses and the release of the
// connection are outside this excerpt.
connection = connectionFactory.getConnection(AccumuloConnectionFactory.Priority.ADMIN, trackingMap);
SecurityOperations ops = connection.securityOperations();
// SystemPermission.valueOf throws IllegalArgumentException when `permission` is not the exact name
// of an enum constant. That is not an AccumuloSecurityException, so the catch below does not
// handle it.
// NOTE(review): where userName and permission come from, and which check authorizes the caller
// before this admin-priority connection is used, cannot be seen here - confirm upstream.
ops.revokeSystemPermission(userName, SystemPermission.valueOf(permission));
} catch (AccumuloSecurityException e) {
  // Logs the message together with the exception object; what is reported back to the caller is
  // outside this excerpt.
  log.error(e.getMessage(), e);
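/**
 * Verifies that the server refuses to revoke a system permission from the root user.
 *
 * <p>The expected {@link AccumuloSecurityException} is asserted around the revoke call only.
 * With a method-wide {@code @Test(expected = ...)}, an AccumuloSecurityException raised during
 * setup (for example while obtaining the connector) would also have made the test pass without
 * the revocation ever being attempted.
 *
 * @throws Exception if the Kerberos login or the connection fails; such a failure now fails the
 *         test instead of satisfying it
 */
@Test
public void testRootUserHasIrrevocablePermissions() throws Exception {
  // Log in as the client principal that was provided to `accumulo init` as the "root" user.
  UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(),
      rootUser.getKeytab().getAbsolutePath());

  final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());

  // The server-side implementation should prevent the revocation of the root user's system
  // permissions, because once they are gone it is possible that they could never be restored.
  try {
    conn.securityOperations().revokeSystemPermission(rootUser.getPrincipal(),
        SystemPermission.GRANT);
  } catch (AccumuloSecurityException expected) {
    // Denial came from the revoke call itself, which is the behaviour under test.
    return;
  }
  throw new AssertionError(
      "Revoking GRANT from the root user succeeded; expected AccumuloSecurityException");
}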
/**
 * Checks that operations which fail are still written to the audit log.
 *
 * <p>Three operations are attempted that are expected to be rejected: dropping a user,
 * revoking a system permission from that user, and creating a user named "root". The thrown
 * exceptions are not what is under test, so they are discarded; the assertions look only at the
 * audit messages captured for this test.
 */
@Test
public void testFailedAudits() throws AccumuloSecurityException, AccumuloException,
    TableExistsException, TableNotFoundException, IOException, InterruptedException {

  // --- Activities under audit -------------------------------------------------------------
  // Each call may throw; the exception is ignored on purpose so that the remaining calls and
  // the audit-log checks still run.
  try {
    conn.securityOperations().dropLocalUser(AUDIT_USER_2);
  } catch (AccumuloSecurityException ignored) {
    // intentionally ignored: only the audit trail matters here
  }
  try {
    conn.securityOperations().revokeSystemPermission(AUDIT_USER_2, SystemPermission.ALTER_TABLE);
  } catch (AccumuloSecurityException ignored) {
    // intentionally ignored: only the audit trail matters here
  }
  try {
    conn.securityOperations().createLocalUser("root", new PasswordToken("super secret"));
  } catch (AccumuloSecurityException ignored) {
    // intentionally ignored: only the audit trail matters here
  }

  ArrayList<String> captured = getAuditMessages("testFailedAudits");
  // --- End of activities ------------------------------------------------------------------

  // Dropping the user is permitted, but fails because the user does not actually exist; two
  // matching audit lines are expected for it.
  String dropUserMessage =
      String.format(AuditedSecurityOperation.DROP_USER_AUDIT_TEMPLATE, AUDIT_USER_2);
  assertEquals(2, findAuditMessage(captured, dropUserMessage).size());

  String revokeMessage =
      String.format(AuditedSecurityOperation.REVOKE_SYSTEM_PERMISSION_AUDIT_TEMPLATE,
          SystemPermission.ALTER_TABLE, AUDIT_USER_2);
  assertEquals(1, findAuditMessage(captured, revokeMessage).size());

  String createUserMessage =
      String.format(AuditedSecurityOperation.CREATE_USER_AUDIT_TEMPLATE, "root", "");
  assertEquals(1, findAuditMessage(captured, createUserMessage).size());
}
conn.securityOperations().revokeSystemPermission(targetUser, sysPerm); } catch (AccumuloSecurityException ae) { switch (ae.getSecurityErrorCode()) {
conn.securityOperations().revokeSystemPermission(AUDIT_USER_2, SystemPermission.ALTER_TABLE); auditConnector.tableOperations().create(NEW_TEST_TABLE_NAME); conn.securityOperations().grantTablePermission(AUDIT_USER_2, NEW_TEST_TABLE_NAME,
// Excerpt from the body of a switch case; the case label and the enclosing switch are outside
// this excerpt.
// Precondition check: the test user must hold GRANT before the revocation below.
assertTrue("Test user should have GRANT", root_conn.securityOperations()
    .hasSystemPermission(testUser.getPrincipal(), SystemPermission.GRANT));
// The revocation is issued through root_conn (presumably the root user's connection) and removes
// CREATE_TABLE, not GRANT.
// NOTE(review): no post-check that CREATE_TABLE is gone is visible in this excerpt - confirm the
// code after the switch verifies it.
root_conn.securityOperations().revokeSystemPermission(testUser.getPrincipal(),
    SystemPermission.CREATE_TABLE);
break;
// Grant-then-revoke round trip for one permission. Judging by the helper names (their bodies are
// outside this excerpt): exercise the permission while it is granted, switch back to rootUser,
// revoke it through `c`, then check that the principal no longer holds it.
testGrantedSystemPermission(tableNamePrefix, c, rootUser, test_user_conn, testUser, perm);
// loginAs(rootUser) comes before the revoke, so the revocation is presumably performed with
// root's credentials rather than the test user's - confirm against loginAs.
loginAs(rootUser);
c.securityOperations().revokeSystemPermission(principal, perm);
verifyHasNoSystemPermissions(c, principal, perm);
// Three repetitions of the same pattern: user1Con performs a namespace operation, then after
// loginAs(root) the connection `c` revokes the correspondingly named system permission from u1.
// NOTE(review): this excerpt shows no attempt by user1Con after each revoke, so it does not by
// itself demonstrate that the operation is denied once the permission is gone - confirm the
// surrounding test covers the negative case.

// create namespace n2, then revoke CREATE_NAMESPACE
user1Con.namespaceOperations().create(n2);
loginAs(root);
c.securityOperations().revokeSystemPermission(u1, SystemPermission.CREATE_NAMESPACE);

// delete namespace n2, then revoke DROP_NAMESPACE
user1Con.namespaceOperations().delete(n2);
loginAs(root);
c.securityOperations().revokeSystemPermission(u1, SystemPermission.DROP_NAMESPACE);

// remove a property from namespace n1, then revoke ALTER_NAMESPACE
user1Con.namespaceOperations().removeProperty(n1, Property.TABLE_FILE_MAX.getKey());
loginAs(root);
c.securityOperations().revokeSystemPermission(u1, SystemPermission.ALTER_NAMESPACE);