Refine search
@Test public void testListLabelsWithRegEx() throws Throwable { PrivilegedExceptionAction<ListLabelsResponse> action = new PrivilegedExceptionAction<ListLabelsResponse>() { @Override public ListLabelsResponse run() throws Exception { ListLabelsResponse response = null; try (Connection conn = ConnectionFactory.createConnection(conf)) { response = VisibilityClient.listLabels(conn, ".*secret"); } catch (Throwable e) { throw new IOException(e); } // Only return the labels that end with 'secret' List<ByteString> labels = response.getLabelList(); assertEquals(2, labels.size()); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(SECRET)))); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(TOPSECRET)))); return null; } }; SUPERUSER.runAs(action); }
@Test public void testListLabels() throws Throwable { PrivilegedExceptionAction<ListLabelsResponse> action = new PrivilegedExceptionAction<ListLabelsResponse>() { @Override public ListLabelsResponse run() throws Exception { ListLabelsResponse response = null; try (Connection conn = ConnectionFactory.createConnection(conf)) { response = VisibilityClient.listLabels(conn, null); } catch (Throwable e) { throw new IOException(e); } // The addLabels() in setup added: // { SECRET, TOPSECRET, CONFIDENTIAL, PUBLIC, PRIVATE, COPYRIGHT, ACCENT, // UNICODE_VIS_TAG, UC1, UC2 }; // The previous tests added 2 more labels: ABC, XYZ // The 'system' label is excluded. List<ByteString> labels = response.getLabelList(); assertEquals(12, labels.size()); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(SECRET)))); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(TOPSECRET)))); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes(CONFIDENTIAL)))); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes("ABC")))); assertTrue(labels.contains(ByteString.copyFrom(Bytes.toBytes("XYZ")))); assertFalse(labels.contains(ByteString.copyFrom(Bytes.toBytes(SYSTEM_LABEL)))); return null; } }; SUPERUSER.runAs(action); }
@Test public void testAddLabels() throws Throwable { PrivilegedExceptionAction<VisibilityLabelsResponse> action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() { @Override public VisibilityLabelsResponse run() throws Exception { String[] labels = { "L1", SECRET, "L2", "invalid~", "L3" }; VisibilityLabelsResponse response = null; try (Connection conn = ConnectionFactory.createConnection(conf)) { response = VisibilityClient.addLabels(conn, labels); } catch (Throwable e) { throw new IOException(e); } List<RegionActionResult> resultList = response.getResultList(); assertEquals(5, resultList.size()); assertTrue(resultList.get(0).getException().getValue().isEmpty()); assertEquals("org.apache.hadoop.hbase.DoNotRetryIOException", resultList.get(1) .getException().getName()); assertTrue(Bytes.toString(resultList.get(1).getException().getValue().toByteArray()) .contains( "org.apache.hadoop.hbase.security.visibility.LabelAlreadyExistsException: " + "Label 'secret' already exists")); assertTrue(resultList.get(2).getException().getValue().isEmpty()); assertTrue(resultList.get(3).getException().getValue().isEmpty()); assertTrue(resultList.get(4).getException().getValue().isEmpty()); return null; } }; SUPERUSER.runAs(action); }
@Test public void testListNamespaces() throws Exception { AccessTestAction listAction = new AccessTestAction() { assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size()); assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size()); assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size()); assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size()); assertEquals(0, ((List)USER_GLOBAL_CREATE.runAs(listAction)).size()); assertEquals(0, ((List)USER_GLOBAL_WRITE.runAs(listAction)).size()); assertEquals(0, ((List)USER_GLOBAL_READ.runAs(listAction)).size()); assertEquals(0, ((List)USER_GLOBAL_EXEC.runAs(listAction)).size()); assertEquals(0, ((List)USER_NS_CREATE.runAs(listAction)).size()); assertEquals(0, ((List)USER_NS_WRITE.runAs(listAction)).size()); assertEquals(0, ((List)USER_NS_READ.runAs(listAction)).size()); assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size()); assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size()); assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size()); assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size()); assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size()); assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
@Test public void testRunAs() throws Exception { Configuration conf = HBaseConfiguration.create(); String username = user.runAs(action); assertEquals("Current user within runAs() should match", "testuser", username); String username2 = user2.runAs(action); assertEquals("Second username should match second user", "testuser2", username2); username = user.runAs(new PrivilegedExceptionAction<String>(){ @Override public String run() throws Exception { user2.runAs(new PrivilegedExceptionAction<Object>(){ @Override public Object run() throws IOException, InterruptedException{ username = user.runAs(new PrivilegedAction<String>(){ String result = null; @Override
@Test public void testVerifyAccessDeniedForInvalidUserAuths() throws Exception { PrivilegedExceptionAction<VisibilityLabelsResponse> action = SUPERUSER.runAs(action); final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); Admin hBaseAdmin = TEST_UTIL.getAdmin(); USER.runAs(actiona); } catch (Exception e) { throw new IOException(e);
@Test public void testGetForSuperUserWithFewerLabelAuths() throws Throwable { String[] auths = { SECRET }; String user = "admin"; VisibilityClient.setAuths(TEST_UTIL.getConnection(), auths, user); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final Table table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE); PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Get g = new Get(row1); g.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); try (Connection connection = ConnectionFactory.createConnection(conf); Table t = connection.getTable(table.getName())) { Result result = t.get(g); assertTrue(!result.isEmpty()); } return null; } }; SUPERUSER.runAs(scanAction); }
@Test public void testScanForSuperUserWithFewerLabelAuths() throws Throwable { String[] auths = { SECRET }; String user = "admin"; try (Connection conn = ConnectionFactory.createConnection(conf)) { VisibilityClient.setAuths(conn, auths, user); } TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final Table table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE); PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Scan s = new Scan(); s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); try (Connection connection = ConnectionFactory.createConnection(conf); Table t = connection.getTable(table.getName())) { ResultScanner scanner = t.getScanner(s); Result[] result = scanner.next(5); assertTrue(result.length == 2); } return null; } }; SUPERUSER.runAs(scanAction); }
@Test public void testAccessControllerUserPermsRegexHandling() throws Exception { User testRegexHandler = User.createUserForTesting(conf, "testRegexHandling", new String[0]); assertEquals(5, SUPERUSER.runAs(getPrivilegedAction(aclTableName)).size()); assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(aclTableName)).size()); assertEquals(0, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table1, null, null, Action.ADMIN); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); grantOnTable(TEST_UTIL, testRegexHandler.getShortName(), table2, null, null, Action.ADMIN); assertEquals(4, testRegexHandler.runAs(getPrivilegedAction(REGEX_ALL_TABLES)).size()); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction(tableName)).size()); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( NamespaceDescriptor.DEFAULT_NAMESPACE_NAME_STR + TableName.NAMESPACE_DELIM + tableName) ).size()); assertEquals(2, testRegexHandler.runAs(getPrivilegedAction( ns + TableName.NAMESPACE_DELIM + tableName)).size()); assertEquals(0, testRegexHandler.runAs(getPrivilegedAction("notMatchingAny")).size());
@Test public void testAccessControlClientUserPerms() throws Exception { final TableName tableName = TableName.valueOf(name.getMethodName()); createTestTable(tableName); try { final String regex = tableName.getNameWithNamespaceInclAsString(); User testUserPerms = User.createUserForTesting(conf, "testUserPerms", new String[0]); assertEquals(0, testUserPerms.runAs(getPrivilegedAction(regex)).size()); // Grant TABLE ADMIN privs to testUserPerms grantOnTable(TEST_UTIL, testUserPerms.getShortName(), tableName, null, null, Action.ADMIN); List<UserPermission> perms = testUserPerms.runAs(getPrivilegedAction(regex)); assertNotNull(perms); // Superuser, testUserPerms assertEquals(2, perms.size()); } finally { deleteTable(TEST_UTIL, tableName); } }
@Test public void testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations() throws Throwable { String[] auths = { SECRET }; String user = "user2"; VisibilityClient.setAuths(TEST_UTIL.getConnection(), auths, user); TableName tableName = TableName.valueOf(TEST_NAME.getMethodName()); final Table table = createTableAndWriteDataWithLabels(tableName, SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE); SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), tableName, null, null, Permission.Action.READ); PrivilegedExceptionAction<Void> scanAction = new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Scan s = new Scan(); s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL)); try (Connection connection = ConnectionFactory.createConnection(conf); Table t = connection.getTable(table.getName())) { ResultScanner scanner = t.getScanner(s); Result result = scanner.next(); assertTrue(!result.isEmpty()); assertTrue(Bytes.equals(Bytes.toBytes("row2"), result.getRow())); result = scanner.next(); assertNull(result); } return null; } }; NORMAL_USER2.runAs(scanAction); }
@Test public void testBulkLoadWithoutWritePermission() throws Exception { // Use the USER_CREATE to initialize the source directory. Path testDataDir0 = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoadWithoutWritePermission0"); Path testDataDir1 = TEST_UTIL.getDataTestDirOnTestFS("testBulkLoadWithoutWritePermission1"); AccessTestAction bulkLoadAction1 = new BulkLoadAccessTestAction(FsPermission.valueOf("-r-xr-xr-x"), testDataDir0); AccessTestAction bulkLoadAction2 = new BulkLoadAccessTestAction(FS_PERMISSION_ALL, testDataDir1); // Test the incorrect case. BulkLoadHelper.setPermission(TEST_UTIL.getTestFileSystem(), TEST_UTIL.getTestFileSystem().getWorkingDirectory(), FS_PERMISSION_ALL); try { USER_CREATE.runAs(bulkLoadAction1); fail("Should fail because the hbase user has no write permission on hfiles."); } catch (IOException e) { } // Ensure the correct case. USER_CREATE.runAs(bulkLoadAction2); }
@Test public void testRegionMadeOfBulkLoadedFilesOnly() throws IOException, SecurityException, IllegalArgumentException, User user = HBaseTestingUtility.getDifferentUser(newConf, tableName.getNameAsString()); user.runAs(new PrivilegedExceptionAction() { @Override public Object run() throws Exception {