View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.security.access;
19  
20  import static org.apache.hadoop.hbase.AuthUtil.toGroupEntry;
21  import static org.junit.Assert.assertEquals;
22  import static org.junit.Assert.assertTrue;
23  
24  import java.util.List;
25  import java.util.Arrays;
26  import java.util.Map;
27  
28  import org.apache.commons.logging.Log;
29  import org.apache.commons.logging.LogFactory;
30  import org.apache.hadoop.conf.Configuration;
31  import org.apache.hadoop.hbase.HBaseTestingUtility;
32  import org.apache.hadoop.hbase.HColumnDescriptor;
33  import org.apache.hadoop.hbase.HConstants;
34  import org.apache.hadoop.hbase.HTableDescriptor;
35  import org.apache.hadoop.hbase.NamespaceDescriptor;
36  import org.apache.hadoop.hbase.testclassification.MediumTests;
37  import org.apache.hadoop.hbase.TableName;
38  import org.apache.hadoop.hbase.client.Admin;
39  import org.apache.hadoop.hbase.client.Connection;
40  import org.apache.hadoop.hbase.client.ConnectionFactory;
41  import org.apache.hadoop.hbase.client.Get;
42  import org.apache.hadoop.hbase.client.Result;
43  import org.apache.hadoop.hbase.client.Table;
44  import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
45  import org.apache.hadoop.hbase.coprocessor.ObserverContext;
46  import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
47  import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
48  import org.apache.hadoop.hbase.security.User;
49  import org.apache.hadoop.hbase.security.access.Permission.Action;
50  import org.apache.hadoop.hbase.util.Bytes;
51  import org.junit.AfterClass;
52  import org.junit.BeforeClass;
53  import org.junit.Ignore;
54  import org.junit.Test;
55  import org.junit.experimental.categories.Category;
56  
57  import com.google.common.collect.ListMultimap;
58  import com.google.protobuf.BlockingRpcChannel;
59  
60  @Category(MediumTests.class)
61  public class TestNamespaceCommands extends SecureTestUtil {
62    private static HBaseTestingUtility UTIL = new HBaseTestingUtility();
63    private static final Log LOG = LogFactory.getLog(TestNamespaceCommands.class);
64    private static String TEST_NAMESPACE = "ns1";
65    private static String TEST_NAMESPACE2 = "ns2";
66    private static Configuration conf;
67    private static MasterCoprocessorEnvironment CP_ENV;
68    private static AccessController ACCESS_CONTROLLER;
69  
70    // user with all permissions
71    private static User SUPERUSER;
72  
73    // user with A permission on global
74    private static User USER_GLOBAL_ADMIN;
75    // user with C permission on global
76    private static User USER_GLOBAL_CREATE;
77    // user with W permission on global
78    private static User USER_GLOBAL_WRITE;
79    // user with R permission on global
80    private static User USER_GLOBAL_READ;
81    // user with X permission on global
82    private static User USER_GLOBAL_EXEC;
83  
84    // user with A permission on namespace
85    private static User USER_NS_ADMIN;
86    // user with C permission on namespace
87    private static User USER_NS_CREATE;
88    // user with W permission on namespace
89    private static User USER_NS_WRITE;
90    // user with R permission on namespace.
91    private static User USER_NS_READ;
92    // user with X permission on namespace.
93    private static User USER_NS_EXEC;
94  
95    // user with rw permissions
96    private static User USER_TABLE_WRITE;  // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
97    //user with create table permissions alone
98    private static User USER_TABLE_CREATE; // TODO: WE DO NOT GIVE ANY PERMS TO THIS USER
99  
100   private static final String GROUP_ADMIN = "group_admin";
101   private static final String GROUP_NS_ADMIN = "group_ns_admin";
102   private static final String GROUP_CREATE = "group_create";
103   private static final String GROUP_READ = "group_read";
104   private static final String GROUP_WRITE = "group_write";
105 
106   private static User USER_GROUP_ADMIN;
107   private static User USER_GROUP_NS_ADMIN;
108   private static User USER_GROUP_CREATE;
109   private static User USER_GROUP_READ;
110   private static User USER_GROUP_WRITE;
111 
112   private static String TEST_TABLE = TEST_NAMESPACE + ":testtable";
113   private static byte[] TEST_FAMILY = Bytes.toBytes("f1");
114 
115   @BeforeClass
116   public static void beforeClass() throws Exception {
117     conf = UTIL.getConfiguration();
118     conf.setInt(HConstants.REGION_SERVER_HIGH_PRIORITY_HANDLER_COUNT, 10);
119     enableSecurity(conf);
120 
121     SUPERUSER = User.createUserForTesting(conf, "admin", new String[] { "supergroup" });
122     // Users with global permissions
123     USER_GLOBAL_ADMIN = User.createUserForTesting(conf, "global_admin", new String[0]);
124     USER_GLOBAL_CREATE = User.createUserForTesting(conf, "global_create", new String[0]);
125     USER_GLOBAL_WRITE = User.createUserForTesting(conf, "global_write", new String[0]);
126     USER_GLOBAL_READ = User.createUserForTesting(conf, "global_read", new String[0]);
127     USER_GLOBAL_EXEC = User.createUserForTesting(conf, "global_exec", new String[0]);
128 
129     USER_NS_ADMIN = User.createUserForTesting(conf, "namespace_admin", new String[0]);
130     USER_NS_CREATE = User.createUserForTesting(conf, "namespace_create", new String[0]);
131     USER_NS_WRITE = User.createUserForTesting(conf, "namespace_write", new String[0]);
132     USER_NS_READ = User.createUserForTesting(conf, "namespace_read", new String[0]);
133     USER_NS_EXEC = User.createUserForTesting(conf, "namespace_exec", new String[0]);
134 
135     USER_TABLE_CREATE = User.createUserForTesting(conf, "table_create", new String[0]);
136     USER_TABLE_WRITE = User.createUserForTesting(conf, "table_write", new String[0]);
137 
138     USER_GROUP_ADMIN =
139         User.createUserForTesting(conf, "user_group_admin", new String[] { GROUP_ADMIN });
140     USER_GROUP_NS_ADMIN =
141         User.createUserForTesting(conf, "user_group_ns_admin", new String[] { GROUP_NS_ADMIN });
142     USER_GROUP_CREATE =
143         User.createUserForTesting(conf, "user_group_create", new String[] { GROUP_CREATE });
144     USER_GROUP_READ =
145         User.createUserForTesting(conf, "user_group_read", new String[] { GROUP_READ });
146     USER_GROUP_WRITE =
147         User.createUserForTesting(conf, "user_group_write", new String[] { GROUP_WRITE });
148     // TODO: other table perms
149 
150     UTIL.startMiniCluster();
151     // Wait for the ACL table to become available
152     UTIL.waitTableAvailable(AccessControlLists.ACL_TABLE_NAME.getName(), 30 * 1000);
153 
154     ACCESS_CONTROLLER = (AccessController) UTIL.getMiniHBaseCluster().getMaster()
155       .getMasterCoprocessorHost()
156         .findCoprocessor(AccessController.class.getName());
157 
158     UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE).build());
159     UTIL.getHBaseAdmin().createNamespace(NamespaceDescriptor.create(TEST_NAMESPACE2).build());
160 
161     // grants on global
162     grantGlobal(UTIL, USER_GLOBAL_ADMIN.getShortName(),  Permission.Action.ADMIN);
163     grantGlobal(UTIL, USER_GLOBAL_CREATE.getShortName(), Permission.Action.CREATE);
164     grantGlobal(UTIL, USER_GLOBAL_WRITE.getShortName(),  Permission.Action.WRITE);
165     grantGlobal(UTIL, USER_GLOBAL_READ.getShortName(),   Permission.Action.READ);
166     grantGlobal(UTIL, USER_GLOBAL_EXEC.getShortName(),   Permission.Action.EXEC);
167 
168     // grants on namespace
169     grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(),  TEST_NAMESPACE, Permission.Action.ADMIN);
170     grantOnNamespace(UTIL, USER_NS_CREATE.getShortName(), TEST_NAMESPACE, Permission.Action.CREATE);
171     grantOnNamespace(UTIL, USER_NS_WRITE.getShortName(),  TEST_NAMESPACE, Permission.Action.WRITE);
172     grantOnNamespace(UTIL, USER_NS_READ.getShortName(),   TEST_NAMESPACE, Permission.Action.READ);
173     grantOnNamespace(UTIL, USER_NS_EXEC.getShortName(),   TEST_NAMESPACE, Permission.Action.EXEC);
174     grantOnNamespace(UTIL, toGroupEntry(GROUP_NS_ADMIN), TEST_NAMESPACE, Permission.Action.ADMIN);
175 
176     grantOnNamespace(UTIL, USER_NS_ADMIN.getShortName(), TEST_NAMESPACE2, Permission.Action.ADMIN);
177 
178     grantGlobal(UTIL, toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN);
179     grantGlobal(UTIL, toGroupEntry(GROUP_CREATE), Permission.Action.CREATE);
180     grantGlobal(UTIL, toGroupEntry(GROUP_READ), Permission.Action.READ);
181     grantGlobal(UTIL, toGroupEntry(GROUP_WRITE), Permission.Action.WRITE);
182   }
183 
184   @AfterClass
185   public static void afterClass() throws Exception {
186     UTIL.getHBaseAdmin().deleteNamespace(TEST_NAMESPACE);
187     UTIL.getHBaseAdmin().deleteNamespace(TEST_NAMESPACE2);
188     UTIL.shutdownMiniCluster();
189   }
190 
191   @Ignore @Test
192   public void testAclTableEntries() throws Exception {
193     String userTestNamespace = "userTestNsp";
194     try(Connection conn = ConnectionFactory.createConnection(conf);
195         Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
196       ListMultimap<String, TablePermission> perms =
197           AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
198 
199       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
200       for (Map.Entry<String, TablePermission> entry : perms.entries()) {
201         LOG.debug(entry);
202       }
203       assertEquals(6, perms.size());
204 
205       // Grant and check state in ACL table
206       grantOnNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
207         Permission.Action.WRITE);
208 
209       Result result = acl.get(new Get(Bytes.toBytes(userTestNamespace)));
210       assertTrue(result != null);
211       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
212       assertEquals(7, perms.size());
213       List<TablePermission> namespacePerms = perms.get(userTestNamespace);
214       assertTrue(perms.containsKey(userTestNamespace));
215       assertEquals(1, namespacePerms.size());
216       assertEquals(TEST_NAMESPACE,
217         namespacePerms.get(0).getNamespace());
218       assertEquals(null, namespacePerms.get(0).getFamily());
219       assertEquals(null, namespacePerms.get(0).getQualifier());
220       assertEquals(1, namespacePerms.get(0).getActions().length);
221       assertEquals(Permission.Action.WRITE, namespacePerms.get(0).getActions()[0]);
222 
223       // Revoke and check state in ACL table
224       revokeFromNamespace(UTIL, userTestNamespace, TEST_NAMESPACE,
225         Permission.Action.WRITE);
226 
227       perms = AccessControlLists.getNamespacePermissions(conf, TEST_NAMESPACE);
228       assertEquals(6, perms.size());
229     }
230   }
231 
232   @Ignore @Test
233   public void testModifyNamespace() throws Exception {
234     AccessTestAction modifyNamespace = new AccessTestAction() {
235       @Override
236       public Object run() throws Exception {
237         ACCESS_CONTROLLER.preModifyNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
238           NamespaceDescriptor.create(TEST_NAMESPACE).addConfiguration("abc", "156").build());
239         return null;
240       }
241     };
242 
243     // modifyNamespace: superuser | global(A) | NS(A)
244     verifyAllowed(modifyNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
245     verifyDenied(modifyNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
246       USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
247       USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
248   }
249 
250   @Ignore @Test
251   public void testCreateAndDeleteNamespace() throws Exception {
252     AccessTestAction createNamespace = new AccessTestAction() {
253       @Override
254       public Object run() throws Exception {
255         ACCESS_CONTROLLER.preCreateNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
256           NamespaceDescriptor.create(TEST_NAMESPACE2).build());
257         return null;
258       }
259     };
260 
261     AccessTestAction deleteNamespace = new AccessTestAction() {
262       @Override
263       public Object run() throws Exception {
264         ACCESS_CONTROLLER.preDeleteNamespace(ObserverContext.createAndPrepare(CP_ENV, null),
265           TEST_NAMESPACE2);
266         return null;
267       }
268     };
269 
270     // createNamespace: superuser | global(A)
271     verifyAllowed(createNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
272     // all others should be denied
273     verifyDenied(createNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
274       USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
275       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
276 
277     // deleteNamespace: superuser | global(A) | NS(A)
278     verifyAllowed(deleteNamespace, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN);
279     verifyDenied(deleteNamespace, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
280       USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
281       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
282   }
283 
284   @Ignore @Test
285   public void testGetNamespaceDescriptor() throws Exception {
286     AccessTestAction getNamespaceAction = new AccessTestAction() {
287       @Override
288       public Object run() throws Exception {
289         ACCESS_CONTROLLER.preGetNamespaceDescriptor(ObserverContext.createAndPrepare(CP_ENV, null),
290           TEST_NAMESPACE);
291         return null;
292       }
293     };
294     // getNamespaceDescriptor : superuser | global(A) | NS(A)
295     verifyAllowed(getNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
296       USER_GROUP_ADMIN);
297     verifyDenied(getNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
298       USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
299       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
300   }
301 
302   @Ignore @Test
303   public void testListNamespaces() throws Exception {
304     AccessTestAction listAction = new AccessTestAction() {
305       @Override
306       public Object run() throws Exception {
307         Connection unmanagedConnection =
308             ConnectionFactory.createConnection(UTIL.getConfiguration());
309         Admin admin = unmanagedConnection.getAdmin();
310         try {
311           return Arrays.asList(admin.listNamespaceDescriptors());
312         } finally {
313           admin.close();
314           unmanagedConnection.close();
315         }
316       }
317     };
318 
319     // listNamespaces         : All access*
320     // * Returned list will only show what you can call getNamespaceDescriptor()
321 
322     verifyAllowed(listAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN, USER_GROUP_ADMIN);
323 
324     // we have 3 namespaces: [default, hbase, TEST_NAMESPACE, TEST_NAMESPACE2]
325     assertEquals(4, ((List)SUPERUSER.runAs(listAction)).size());
326     assertEquals(4, ((List)USER_GLOBAL_ADMIN.runAs(listAction)).size());
327     assertEquals(4, ((List)USER_GROUP_ADMIN.runAs(listAction)).size());
328 
329     assertEquals(2, ((List)USER_NS_ADMIN.runAs(listAction)).size());
330 
331     assertEquals(0, ((List)USER_GLOBAL_CREATE.runAs(listAction)).size());
332     assertEquals(0, ((List)USER_GLOBAL_WRITE.runAs(listAction)).size());
333     assertEquals(0, ((List)USER_GLOBAL_READ.runAs(listAction)).size());
334     assertEquals(0, ((List)USER_GLOBAL_EXEC.runAs(listAction)).size());
335     assertEquals(0, ((List)USER_NS_CREATE.runAs(listAction)).size());
336     assertEquals(0, ((List)USER_NS_WRITE.runAs(listAction)).size());
337     assertEquals(0, ((List)USER_NS_READ.runAs(listAction)).size());
338     assertEquals(0, ((List)USER_NS_EXEC.runAs(listAction)).size());
339     assertEquals(0, ((List)USER_TABLE_CREATE.runAs(listAction)).size());
340     assertEquals(0, ((List)USER_TABLE_WRITE.runAs(listAction)).size());
341     assertEquals(0, ((List)USER_GROUP_CREATE.runAs(listAction)).size());
342     assertEquals(0, ((List)USER_GROUP_READ.runAs(listAction)).size());
343     assertEquals(0, ((List)USER_GROUP_WRITE.runAs(listAction)).size());
344   }
345 
346   @Ignore @Test
347   public void testGrantRevoke() throws Exception{
348     final String testUser = "testUser";
349 
350     // Test if client API actions are authorized
351 
352     AccessTestAction grantAction = new AccessTestAction() {
353       @Override
354       public Object run() throws Exception {
355         try(Connection conn = ConnectionFactory.createConnection(conf);
356             Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
357           BlockingRpcChannel service =
358               acl.coprocessorService(HConstants.EMPTY_START_ROW);
359           AccessControlService.BlockingInterface protocol =
360             AccessControlService.newBlockingStub(service);
361           ProtobufUtil.grant(null, protocol, testUser, TEST_NAMESPACE, Action.WRITE);
362         }
363         return null;
364       }
365     };
366 
367     AccessTestAction grantNamespaceAction = new AccessTestAction() {
368       @Override
369       public Object run() throws Exception {
370         try(Connection conn = ConnectionFactory.createConnection(conf);
371             Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
372           BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
373           AccessControlService.BlockingInterface protocol =
374             AccessControlService.newBlockingStub(service);
375           ProtobufUtil.grant(null, protocol, USER_GROUP_NS_ADMIN.getShortName(),
376             TEST_NAMESPACE, Action.READ);
377         }
378         return null;
379       }
380     };
381 
382     AccessTestAction revokeAction = new AccessTestAction() {
383       @Override
384       public Object run() throws Exception {
385         try(Connection conn = ConnectionFactory.createConnection(conf);
386             Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
387           BlockingRpcChannel service =
388               acl.coprocessorService(HConstants.EMPTY_START_ROW);
389           AccessControlService.BlockingInterface protocol =
390             AccessControlService.newBlockingStub(service);
391           ProtobufUtil.revoke(null, protocol, testUser, TEST_NAMESPACE, Action.WRITE);
392         }
393         return null;
394       }
395     };
396 
397     AccessTestAction revokeNamespaceAction = new AccessTestAction() {
398       @Override
399       public Object run() throws Exception {
400         Connection connection = ConnectionFactory.createConnection(conf);
401         Table acl = connection.getTable(AccessControlLists.ACL_TABLE_NAME);
402         try {
403           BlockingRpcChannel service =
404               acl.coprocessorService(HConstants.EMPTY_START_ROW);
405           AccessControlService.BlockingInterface protocol =
406             AccessControlService.newBlockingStub(service);
407           ProtobufUtil.revoke(null, protocol, USER_GROUP_NS_ADMIN.getShortName(),
408             TEST_NAMESPACE, Action.READ);
409         } finally {
410           acl.close();
411           connection.close();
412         }
413         return null;
414       }
415     };
416 
417     AccessTestAction getPermissionsAction = new AccessTestAction() {
418       @Override
419       public Object run() throws Exception {
420         try(Connection conn = ConnectionFactory.createConnection(conf);
421             Table acl = conn.getTable(AccessControlLists.ACL_TABLE_NAME)) {
422           BlockingRpcChannel service = acl.coprocessorService(HConstants.EMPTY_START_ROW);
423           AccessControlService.BlockingInterface protocol =
424             AccessControlService.newBlockingStub(service);
425           ProtobufUtil.getUserPermissions(null, protocol, Bytes.toBytes(TEST_NAMESPACE));
426         }
427         return null;
428       }
429     };
430 
431     verifyAllowed(grantAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
432     verifyDenied(grantAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
433       USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
434       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
435 
436     verifyAllowed(grantNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
437       USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
438     verifyDenied(grantNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
439       USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
440       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
441 
442     verifyAllowed(revokeAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN, USER_NS_ADMIN);
443     verifyDenied(revokeAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
444       USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
445       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
446 
447     verifyAllowed(revokeNamespaceAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_GROUP_ADMIN,
448       USER_NS_ADMIN, USER_GROUP_NS_ADMIN);
449     verifyDenied(revokeNamespaceAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
450       USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
451       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
452 
453     verifyAllowed(getPermissionsAction, SUPERUSER, USER_GLOBAL_ADMIN, USER_NS_ADMIN,
454       USER_GROUP_ADMIN);
455     verifyDenied(getPermissionsAction, USER_GLOBAL_CREATE, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
456       USER_GLOBAL_EXEC, USER_NS_CREATE, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
457       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_CREATE);
458   }
459 
460   @Ignore @Test
461   public void testCreateTableWithNamespace() throws Exception {
462     AccessTestAction createTable = new AccessTestAction() {
463       @Override
464       public Object run() throws Exception {
465         HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(TEST_TABLE));
466         htd.addFamily(new HColumnDescriptor(TEST_FAMILY));
467         ACCESS_CONTROLLER.preCreateTable(ObserverContext.createAndPrepare(CP_ENV, null), htd, null);
468         return null;
469       }
470     };
471 
472     //createTable            : superuser | global(C) | NS(C)
473     verifyAllowed(createTable, SUPERUSER, USER_GLOBAL_CREATE, USER_NS_CREATE, USER_GROUP_CREATE);
474     verifyDenied(createTable, USER_GLOBAL_ADMIN, USER_GLOBAL_WRITE, USER_GLOBAL_READ,
475       USER_GLOBAL_EXEC, USER_NS_ADMIN, USER_NS_WRITE, USER_NS_READ, USER_NS_EXEC,
476       USER_TABLE_CREATE, USER_TABLE_WRITE, USER_GROUP_READ, USER_GROUP_WRITE, USER_GROUP_ADMIN);
477   }
478 }