1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18 package org.apache.hadoop.hbase.security.visibility;
19
20 import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;
21 import static org.junit.Assert.assertEquals;
22 import static org.junit.Assert.assertTrue;
23
24 import java.io.IOException;
25 import java.security.PrivilegedExceptionAction;
26 import java.util.ArrayList;
27 import java.util.List;
28
29 import org.apache.hadoop.conf.Configuration;
30 import org.apache.hadoop.hbase.HBaseTestingUtility;
31 import org.apache.hadoop.hbase.testclassification.MediumTests;
32 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;
33 import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;
34 import org.apache.hadoop.hbase.security.User;
35 import org.apache.hadoop.hbase.util.Bytes;
36 import org.junit.AfterClass;
37 import org.junit.BeforeClass;
38 import org.junit.Rule;
39 import org.junit.Test;
40 import org.junit.experimental.categories.Category;
41 import org.junit.rules.TestName;
42
43 import com.google.protobuf.ByteString;
44
45 @Category(MediumTests.class)
46 public class TestVisibilityLabelsOpWithDifferentUsersNoACL {
47 private static final String PRIVATE = "private";
48 private static final String CONFIDENTIAL = "confidential";
49 private static final String SECRET = "secret";
50 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
51 private static Configuration conf;
52
53 @Rule
54 public final TestName TEST_NAME = new TestName();
55 private static User SUPERUSER;
56 private static User NORMAL_USER;
57 private static User NORMAL_USER1;
58
59 @BeforeClass
60 public static void setupBeforeClass() throws Exception {
61
62 conf = TEST_UTIL.getConfiguration();
63 VisibilityTestUtil.enableVisiblityLabels(conf);
64 String currentUser = User.getCurrent().getName();
65 conf.set("hbase.superuser", "admin,"+currentUser);
66 TEST_UTIL.startMiniCluster(2);
67
68
69 TEST_UTIL.waitTableEnabled(LABELS_TABLE_NAME.getName(), 50000);
70 SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
71 NORMAL_USER = User.createUserForTesting(conf, "user1", new String[] {});
72 NORMAL_USER1 = User.createUserForTesting(conf, "user2", new String[] {});
73 addLabels();
74 }
75
76 @AfterClass
77 public static void tearDownAfterClass() throws Exception {
78 TEST_UTIL.shutdownMiniCluster();
79 }
80
81 @Test
82 public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
83 PrivilegedExceptionAction<VisibilityLabelsResponse> action =
84 new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
85 public VisibilityLabelsResponse run() throws Exception {
86 try {
87 return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
88 } catch (Throwable e) {
89 }
90 return null;
91 }
92 };
93 VisibilityLabelsResponse response = SUPERUSER.runAs(action);
94 assertTrue(response.getResult(0).getException().getValue().isEmpty());
95 assertTrue(response.getResult(1).getException().getValue().isEmpty());
96
97
98 action = new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
99 public VisibilityLabelsResponse run() throws Exception {
100 try {
101 return VisibilityClient.setAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user3");
102 } catch (Throwable e) {
103 }
104 return null;
105 }
106 };
107 response = NORMAL_USER1.runAs(action);
108 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
109 .getResult(0).getException().getName());
110 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
111 .getResult(1).getException().getName());
112
113 PrivilegedExceptionAction<GetAuthsResponse> action1 =
114 new PrivilegedExceptionAction<GetAuthsResponse>() {
115 public GetAuthsResponse run() throws Exception {
116 try {
117 return VisibilityClient.getAuths(conf, "user1");
118 } catch (Throwable e) {
119 }
120 return null;
121 }
122 };
123 GetAuthsResponse authsResponse = NORMAL_USER.runAs(action1);
124 assertTrue(authsResponse.getAuthList().isEmpty());
125 authsResponse = NORMAL_USER1.runAs(action1);
126 assertTrue(authsResponse.getAuthList().isEmpty());
127 authsResponse = SUPERUSER.runAs(action1);
128 List<String> authsList = new ArrayList<String>();
129 for (ByteString authBS : authsResponse.getAuthList()) {
130 authsList.add(Bytes.toString(authBS.toByteArray()));
131 }
132 assertEquals(2, authsList.size());
133 assertTrue(authsList.contains(CONFIDENTIAL));
134 assertTrue(authsList.contains(PRIVATE));
135
136 PrivilegedExceptionAction<VisibilityLabelsResponse> action2 =
137 new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
138 public VisibilityLabelsResponse run() throws Exception {
139 try {
140 return VisibilityClient.clearAuths(conf, new String[] { CONFIDENTIAL, PRIVATE }, "user1");
141 } catch (Throwable e) {
142 }
143 return null;
144 }
145 };
146 response = NORMAL_USER1.runAs(action2);
147 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
148 .getResult(0).getException().getName());
149 assertEquals("org.apache.hadoop.hbase.security.AccessDeniedException", response
150 .getResult(1).getException().getName());
151 response = SUPERUSER.runAs(action2);
152 assertTrue(response.getResult(0).getException().getValue().isEmpty());
153 assertTrue(response.getResult(1).getException().getValue().isEmpty());
154 authsResponse = SUPERUSER.runAs(action1);
155 assertTrue(authsResponse.getAuthList().isEmpty());
156 }
157
158 private static void addLabels() throws Exception {
159 PrivilegedExceptionAction<VisibilityLabelsResponse> action =
160 new PrivilegedExceptionAction<VisibilityLabelsResponse>() {
161 public VisibilityLabelsResponse run() throws Exception {
162 String[] labels = { SECRET, CONFIDENTIAL, PRIVATE };
163 try {
164 VisibilityClient.addLabels(conf, labels);
165 } catch (Throwable t) {
166 throw new IOException(t);
167 }
168 return null;
169 }
170 };
171 SUPERUSER.runAs(action);
172 }
173 }