1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.apache.hadoop.hbase.security.visibility;
19
20 import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
21 import static org.junit.Assert.*;
22
23 import java.security.PrivilegedExceptionAction;
24 import java.util.ArrayList;
25 import java.util.List;
26
27 import org.apache.hadoop.conf.Configuration;
28 import org.apache.hadoop.hbase.HBaseTestingUtility;
29 import org.apache.hadoop.hbase.HConstants;
30 import org.apache.hadoop.hbase.TableName;
31 import org.apache.hadoop.hbase.client.HTable;
32 import org.apache.hadoop.hbase.client.Put;
33 import org.apache.hadoop.hbase.client.Result;
34 import org.apache.hadoop.hbase.client.ResultScanner;
35 import org.apache.hadoop.hbase.client.Scan;
36 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
37 import org.apache.hadoop.hbase.security.User;
38 import org.apache.hadoop.hbase.security.access.SecureTestUtil;
39 import org.apache.hadoop.hbase.testclassification.LargeTests;
40 import org.apache.hadoop.hbase.util.Bytes;
41 import org.junit.AfterClass;
42 import org.junit.BeforeClass;
43 import org.junit.Rule;
44 import org.junit.Test;
45 import org.junit.experimental.categories.Category;
46 import org.junit.rules.TestName;
47
48 import com.google.protobuf.ByteString;
49
50 @Category(LargeTests.class)
51 public class TestWithDisabledAuthorization {
52
53 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
54
55 private static final String CONFIDENTIAL = "confidential";
56 private static final String SECRET = "secret";
57 private static final String PRIVATE = "private";
58 private static final byte[] TEST_FAMILY = Bytes.toBytes("test");
59 private static final byte[] TEST_QUALIFIER = Bytes.toBytes("q");
60 private static final byte[] ZERO = Bytes.toBytes(0L);
61
62
63 @Rule
64 public final TestName TEST_NAME = new TestName();
65
66 private static User SUPERUSER;
67 private static User USER_RW;
68
69 @BeforeClass
70 public static void setUpBeforeClass() throws Exception {
71 Configuration conf = TEST_UTIL.getConfiguration();
72
73
74 SecureTestUtil.configureSuperuser(conf);
75
76
77 VisibilityTestUtil.enableVisiblityLabels(conf);
78
79
80 conf.setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false);
81
82 TEST_UTIL.startMiniCluster();
83
84
85 TEST_UTIL.waitUntilAllRegionsAssigned(LABELS_TABLE_NAME);
86
87
88 SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
89 USER_RW = User.createUserForTesting(conf, "rwuser", new String[0]);
90
91
92 SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
93 public Void run() throws Exception {
94 try {
95 VisibilityClient.addLabels(TEST_UTIL.getConfiguration(),
96 new String[] { SECRET, CONFIDENTIAL, PRIVATE });
97 VisibilityClient.setAuths(TEST_UTIL.getConfiguration(),
98 new String[] { SECRET, CONFIDENTIAL },
99 USER_RW.getShortName());
100 } catch (Throwable t) {
101 fail("Should not have failed");
102 }
103 return null;
104 }
105 });
106 }
107
108 @AfterClass
109 public static void tearDownAfterClass() throws Exception {
110 TEST_UTIL.shutdownMiniCluster();
111 }
112
113 @Test
114 public void testManageUserAuths() throws Throwable {
115
116
117 SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
118 public Void run() throws Exception {
119 try {
120 VisibilityClient.setAuths(TEST_UTIL.getConfiguration(),
121 new String[] { SECRET, CONFIDENTIAL },
122 USER_RW.getShortName());
123 } catch (Throwable t) {
124 fail("Should not have failed");
125 }
126 return null;
127 }
128 });
129
130 PrivilegedExceptionAction<List<String>> getAuths =
131 new PrivilegedExceptionAction<List<String>>() {
132 public List<String> run() throws Exception {
133 GetAuthsResponse authsResponse = null;
134 try {
135 authsResponse = VisibilityClient.getAuths(TEST_UTIL.getConfiguration(),
136 USER_RW.getShortName());
137 } catch (Throwable t) {
138 fail("Should not have failed");
139 }
140 List<String> authsList = new ArrayList<String>();
141 for (ByteString authBS : authsResponse.getAuthList()) {
142 authsList.add(Bytes.toString(authBS.toByteArray()));
143 }
144 return authsList;
145 }
146 };
147
148 List<String> authsList = SUPERUSER.runAs(getAuths);
149 assertEquals(2, authsList.size());
150 assertTrue(authsList.contains(SECRET));
151 assertTrue(authsList.contains(CONFIDENTIAL));
152
153 SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
154 public Void run() throws Exception {
155 try {
156 VisibilityClient.clearAuths(TEST_UTIL.getConfiguration(),
157 new String[] { SECRET },
158 USER_RW.getShortName());
159 } catch (Throwable t) {
160 fail("Should not have failed");
161 }
162 return null;
163 }
164 });
165
166 authsList = SUPERUSER.runAs(getAuths);
167 assertEquals(1, authsList.size());
168 assertTrue(authsList.contains(CONFIDENTIAL));
169
170 SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
171 public Void run() throws Exception {
172 try {
173 VisibilityClient.clearAuths(TEST_UTIL.getConfiguration(),
174 new String[] { CONFIDENTIAL },
175 USER_RW.getShortName());
176 } catch (Throwable t) {
177 fail("Should not have failed");
178 }
179 return null;
180 }
181 });
182
183 authsList = SUPERUSER.runAs(getAuths);
184 assertEquals(0, authsList.size());
185 }
186
187 @Test
188 public void testPassiveVisibility() throws Exception {
189
190 HTable t = createTableAndWriteDataWithLabels(
191 TableName.valueOf(TEST_NAME.getMethodName()),
192 SECRET,
193 PRIVATE,
194 SECRET + "|" + CONFIDENTIAL,
195 PRIVATE + "|" + CONFIDENTIAL);
196 try {
197 Scan s = new Scan();
198 s.setAuthorizations(new Authorizations());
199 ResultScanner scanner = t.getScanner(s);
200 try {
201 Result[] next = scanner.next(10);
202 assertEquals(next.length, 4);
203 } finally {
204 scanner.close();
205 }
206 s = new Scan();
207 s.setAuthorizations(new Authorizations(SECRET));
208 scanner = t.getScanner(s);
209 try {
210 Result[] next = scanner.next(10);
211 assertEquals(next.length, 4);
212 } finally {
213 scanner.close();
214 }
215 s = new Scan();
216 s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
217 scanner = t.getScanner(s);
218 try {
219 Result[] next = scanner.next(10);
220 assertEquals(next.length, 4);
221 } finally {
222 scanner.close();
223 }
224 s = new Scan();
225 s.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL, PRIVATE));
226 scanner = t.getScanner(s);
227 try {
228 Result[] next = scanner.next(10);
229 assertEquals(next.length, 4);
230 } finally {
231 scanner.close();
232 }
233 } finally {
234 t.close();
235 }
236 }
237
238 static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps)
239 throws Exception {
240 List<Put> puts = new ArrayList<Put>();
241 for (int i = 0; i < labelExps.length; i++) {
242 Put put = new Put(Bytes.toBytes("row" + (i+1)));
243 put.add(TEST_FAMILY, TEST_QUALIFIER, HConstants.LATEST_TIMESTAMP, ZERO);
244 put.setCellVisibility(new CellVisibility(labelExps[i]));
245 puts.add(put);
246 }
247 HTable table = TEST_UTIL.createTable(tableName, TEST_FAMILY);
248 table.put(puts);
249 return table;
250 }
251 }