18 package org.apache.hadoop.hbase.security.visibility;
19
20 import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
21 import static org.junit.Assert.assertFalse;
22 import static org.junit.Assert.assertTrue;
23
24 import java.io.IOException;
25 import java.security.PrivilegedExceptionAction;
26
27 import org.apache.hadoop.conf.Configuration;
28 import org.apache.hadoop.hbase.HBaseTestingUtility;
29 import org.apache.hadoop.hbase.HConstants;
30 import org.apache.hadoop.hbase.testclassification.MediumTests;
31 import org.apache.hadoop.hbase.TableName;
32 import org.apache.hadoop.hbase.client.Get;
33 import org.apache.hadoop.hbase.client.HTable;
34 import org.apache.hadoop.hbase.client.Put;
35 import org.apache.hadoop.hbase.client.Result;
36 import org.apache.hadoop.hbase.security.User;
37 import org.apache.hadoop.hbase.util.Bytes;
38 import org.junit.AfterClass;
39 import org.junit.BeforeClass;
40 import org.junit.Rule;
41 import org.junit.Test;
42 import org.junit.experimental.categories.Category;
43 import org.junit.rules.TestName;
44
@Category(MediumTests.class)
public class TestEnforcingScanLabelGenerator {

  /** Label granted to {@link #TESTUSER}; also the label on the cell stored under q2. */
  public static final String CONFIDENTIAL = "confidential";
  /** Label that is defined but never granted to {@link #TESTUSER}; placed on the cell under q1. */
  private static final String SECRET = "secret";
  public static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
  private static final byte[] TEST_ROW = Bytes.toBytes("row1");
  private static final byte[] FAMILY = Bytes.toBytes("f");
  /** Qualifier whose cell carries the SECRET label. */
  private static final byte[] QUAL_SECRET = Bytes.toBytes("q1");
  /** Qualifier whose cell carries the CONFIDENTIAL label. */
  private static final byte[] QUAL_CONFIDENTIAL = Bytes.toBytes("q2");
  /** Qualifier whose cell carries no visibility expression at all. */
  private static final byte[] QUAL_UNLABELED = Bytes.toBytes("q3");
  private static final byte[] CELL_VALUE = Bytes.toBytes("value");
  public static Configuration conf;

  @Rule
  public final TestName TEST_NAME = new TestName();
  public static User SUPERUSER;
  public static User TESTUSER;

  /**
   * Starts a one-node mini cluster with visibility labels enabled and a scan label generator chain
   * of {@link DefinedSetFilterScanLabelGenerator} followed by {@link EnforcingScanLabelGenerator}.
   * Defines the SECRET and CONFIDENTIAL labels and grants only CONFIDENTIAL to the test user, so
   * that any later request for SECRET by that user is a request for a label it does not hold.
   *
   * @throws Exception if the cluster fails to start or the label setup fails
   */
  @BeforeClass
  public static void setupBeforeClass() throws Exception {
    conf = TEST_UTIL.getConfiguration();
    VisibilityTestUtil.enableVisiblityLabels(conf);
    // Both generators are configured as one comma-separated string, defined-set first.
    String generatorChain = DefinedSetFilterScanLabelGenerator.class.getCanonicalName() + " , "
        + EnforcingScanLabelGenerator.class.getCanonicalName();
    conf.setStrings(VisibilityUtils.VISIBILITY_LABEL_GENERATOR_CLASS, generatorChain);
    conf.set("hbase.superuser", "admin");
    TEST_UTIL.startMiniCluster(1);
    SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
    TESTUSER = User.createUserForTesting(conf, "test", new String[] { });
    TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);

    // Label administration is done as the superuser; VisibilityClient surfaces Throwable, which
    // is rewrapped as IOException (cause preserved) so the privileged action can propagate it.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        try {
          VisibilityClient.addLabels(conf, new String[] { SECRET, CONFIDENTIAL });
          VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL }, TESTUSER.getShortName());
        } catch (Throwable t) {
          throw new IOException(t);
        }
        return null;
      }
    });
  }

  /**
   * Builds a put of {@link #CELL_VALUE} into {@code qualifier} of the test row, tagging the cell
   * with the given visibility expression.
   *
   * @param qualifier column qualifier to write
   * @param label visibility expression for the cell
   * @return the prepared put
   * @throws IOException if the visibility expression cannot be attached
   */
  private static Put labeledPut(byte[] qualifier, String label) throws IOException {
    Put put = unlabeledPut(qualifier);
    put.setCellVisibility(new CellVisibility(label));
    return put;
  }

  /**
   * Builds a put of {@link #CELL_VALUE} into {@code qualifier} of the test row with no visibility
   * expression, i.e. a cell every reader is expected to see.
   *
   * @param qualifier column qualifier to write
   * @return the prepared put
   */
  private static Put unlabeledPut(byte[] qualifier) {
    Put put = new Put(TEST_ROW);
    put.add(FAMILY, qualifier, HConstants.LATEST_TIMESTAMP, CELL_VALUE);
    return put;
  }

  /**
   * Reads the test row through {@code table}.
   *
   * @param table open handle on the test table
   * @param requested authorizations to attach to the get, or {@code null} to issue the get without
   *     any explicit authorizations
   * @return the row as returned by the server
   * @throws IOException if the get fails
   */
  private static Result fetchRow(HTable table, Authorizations requested) throws IOException {
    Get get = new Get(TEST_ROW);
    if (requested != null) {
      get.setAuthorizations(requested);
    }
    return table.get(get);
  }

  /**
   * Asserts the view the test user must get regardless of what it asked for: the SECRET cell is
   * withheld, the CONFIDENTIAL cell is present, and the unlabeled cell is not filtered away.
   *
   * @param result row as seen by the test user
   */
  private static void assertOnlyGrantedCellsVisible(Result result) {
    assertFalse("Inappropriate authorization", result.containsColumn(FAMILY, QUAL_SECRET));
    assertTrue("Missing authorization", result.containsColumn(FAMILY, QUAL_CONFIDENTIAL));
    assertTrue("Inappropriate filtering", result.containsColumn(FAMILY, QUAL_UNLABELED));
  }

  /**
   * Writes one row with a SECRET cell, a CONFIDENTIAL cell and an unlabeled cell, then checks
   * that the superuser sees all three while the test user -- whether it explicitly requests
   * SECRET and CONFIDENTIAL or requests nothing -- sees only the CONFIDENTIAL and unlabeled cells.
   *
   * @throws Exception if any privileged action fails
   */
  @Test
  public void testEnforcingScanLabelGenerator() throws Exception {
    final TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());

    // Populate the table as the superuser.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        HTable table = TEST_UTIL.createTable(tableName, FAMILY);
        try {
          table.put(labeledPut(QUAL_SECRET, SECRET));
          table.put(labeledPut(QUAL_CONFIDENTIAL, CONFIDENTIAL));
          table.put(unlabeledPut(QUAL_UNLABELED));
        } finally {
          table.close();
        }
        return null;
      }
    });

    // The superuser issues the get without explicit authorizations and sees every cell.
    SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        HTable table = new HTable(conf, tableName);
        try {
          Result result = fetchRow(table, null);
          assertTrue("Missing authorization", result.containsColumn(FAMILY, QUAL_SECRET));
          assertTrue("Missing authorization", result.containsColumn(FAMILY, QUAL_CONFIDENTIAL));
          assertTrue("Missing authorization", result.containsColumn(FAMILY, QUAL_UNLABELED));
        } finally {
          table.close();
        }
        return null;
      }
    });

    // The test user holds only CONFIDENTIAL; asking for SECRET as well must not widen its view.
    TESTUSER.runAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        HTable table = new HTable(conf, tableName);
        try {
          Authorizations overreaching = new Authorizations(new String[] { SECRET, CONFIDENTIAL });
          assertOnlyGrantedCellsVisible(fetchRow(table, overreaching));
          assertOnlyGrantedCellsVisible(fetchRow(table, null));
        } finally {
          table.close();
        }
        return null;
      }
    });
  }

  /**
   * Stops the mini cluster started in {@link #setupBeforeClass()}.
   *
   * @throws Exception if shutdown fails
   */
  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    TEST_UTIL.shutdownMiniCluster();
  }
}