View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.visibility;
19  
20  import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
21  import static org.junit.Assert.assertEquals;
22  import static org.junit.Assert.assertTrue;
23  
24  import java.io.IOException;
25  import java.security.PrivilegedExceptionAction;
26  import java.util.ArrayList;
27  import java.util.List;
28  
29  import org.apache.hadoop.conf.Configuration;
30  import org.apache.hadoop.hbase.HBaseTestingUtility;
31  import org.apache.hadoop.hbase.testclassification.MediumTests;
32  import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
33  import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
34  import org.apache.hadoop.hbase.security.User;
35  import org.apache.hadoop.hbase.util.Bytes;
36  import org.junit.AfterClass;
37  import org.junit.BeforeClass;
38  import org.junit.Rule;
39  import org.junit.Test;
40  import org.junit.experimental.categories.Category;
41  import org.junit.rules.TestName;
42  
43  import com.google.protobuf.ByteString;
44  
45  @Category(MediumTests.class)
46  public class TestVisibilityLabelsOpWithDifferentUsersNoACL {
47    private static final String PRIVATE = "private";
48    private static final String CONFIDENTIAL = "confidential";
49    private static final String SECRET = "secret";
50    private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
51    private static Configuration conf;
52  
53    @Rule
54    public final TestName TEST_NAME = new TestName();
55    private static User SUPERUSER;
56    private static User NORMAL_USER;
57    private static User NORMAL_USER1;
58  
59    @BeforeClass
60    public static void setupBeforeClass() throws Exception {
61      // setup configuration
62      conf = TEST_UTIL.getConfiguration();
63      VisibilityTestUtil.enableVisiblityLabels(conf);
64      String currentUser = User.getCurrent().getName();
65      conf.set("hbase.superuser", "admin,"+currentUser);
66      TEST_UTIL.startMiniCluster(2);
67  
68      // Wait for the labels table to become available
69      TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
70      SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
71      NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
72      NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {});
73      addLabels();
74    }
75  
76    @AfterClass
77    public static void tearDownAfterClass() throws Exception {
78      TEST_UTIL.shutdownMiniCluster();
79    }
80  
81    @Test
82    public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
83      PrivilegedExceptionAction<VisibilityLabelsResponse> action =
84          new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
85        public VisibilityLabelsResponse run() throws Exception {
86          try {
87            return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
88          } catch (Throwable e) {
89          }
90          return null;
91        }
92      };
93      VisibilityLabelsResponse response = SUPERUSER.runAs(action);
94      assertTrue(response.getResult(0).getException().getValue().isEmpty());
95      assertTrue(response.getResult(1).getException().getValue().isEmpty());
96      
97      // Ideally this should not be allowed.  this operation should fail or do nothing.
98      action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
99        public VisibilityLabelsResponse run() throws Exception {
100         try {
101           return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user3");
102         } catch (Throwable e) {
103         }
104         return null;
105       }
106     };
107     response = NORMAL_USER1.runAs(action);
108     assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
109         .getResult(0).getException().getName());
110     assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
111         .getResult(1).getException().getName());
112 
113     PrivilegedExceptionAction<GetAuthsResponse> action1 =
114         new PrivilegedExceptionAction<GetAuthsResponse>() {
115       public GetAuthsResponse run() throws Exception {
116         try {
117           return VisibilityClient.getAuths(conf, "user1");
118         } catch (Throwable e) {
119         }
120         return null;
121       }
122     };
123     GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
124     assertTrue(authsResponse.getAuthList().isEmpty());
125     authsResponse = NORMAL_USER1.runAs(action1);
126     assertTrue(authsResponse.getAuthList().isEmpty());
127     authsResponse = SUPERUSER.runAs(action1);
128     List<String> authsList = new ArrayList<String>();
129     for (ByteString authBS : authsResponse.getAuthList()) {
130       authsList.add(Bytes.toString(authBS.toByteArray()));
131     }
132     assertEquals(2, authsList.size());
133     assertTrue(authsList.contains(CONFIDENTIAL));
134     assertTrue(authsList.contains(PRIVATE));
135 
136     PrivilegedExceptionAction<VisibilityLabelsResponse> action2 = 
137         new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
138       public VisibilityLabelsResponse run() throws Exception {
139         try {
140           return VisibilityClient.clearAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
141         } catch (Throwable e) {
142         }
143         return null;
144       }
145     };
146     response = NORMAL_USER1.runAs(action2);
147     assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
148         .getResult(0).getException().getName());
149     assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
150         .getResult(1).getException().getName());
151     response = SUPERUSER.runAs(action2);
152     assertTrue(response.getResult(0).getException().getValue().isEmpty());
153     assertTrue(response.getResult(1).getException().getValue().isEmpty());
154     authsResponse = SUPERUSER.runAs(action1);
155     assertTrue(authsResponse.getAuthList().isEmpty());
156   }
157 
158   private static void addLabels() throws Exception {
159     PrivilegedExceptionAction<VisibilityLabelsResponse> action = 
160         new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
161       public VisibilityLabelsResponse run() throws Exception {
162         String[] labels = { SECRET, CONFIDENTIAL, PRIVATE };
163         try {
164           VisibilityClient.addLabels(conf, labels);
165         } catch (Throwable t) {
166           throw new IOException(t);
167         }
168         return null;
169       }
170     };
171     SUPERUSER.runAs(action);
172   }
173 }